CVE-2024-30105
Denial of Service vulnerability in System.Text.Json (NuGet)

Denial of Service | No known exploit

What is CVE-2024-30105 About?

This Denial of Service vulnerability in .NET 8.0 affects `JsonSerializer.DeserializeAsyncEnumerable` when processing untrusted input. It can lead to a system crash or unresponsiveness by triggering excessive resource consumption. Exploitation is remote and unauthenticated, making it relatively easy to perform.

Affected Software

System.Text.Json >7.0.0, <8.0.4

Technical Details

The vulnerability is triggered within the `JsonSerializer.DeserializeAsyncEnumerable` method in .NET 8.0 when it processes untrusted input. By providing specially crafted JSON data, an attacker can cause the deserialization process to enter a state of excessive resource consumption or an infinite loop, leading to a Denial of Service condition. This happens because the method fails to handle certain input patterns efficiently when deserializing asynchronous enumerable streams, causing the application to become unresponsive or crash due to resource exhaustion.

What is the Impact of CVE-2024-30105?

Successful exploitation may allow attackers to cause the affected service to become unresponsive or crash, leading to a denial of service for legitimate users.

What is the Exploitability of CVE-2024-30105?

Exploitation is considered low to moderate complexity, as it primarily involves crafting and sending malicious input to an application that calls `JsonSerializer.DeserializeAsyncEnumerable` with untrusted data. No authentication is required, allowing for remote exploitation. The attacker needs to be able to send HTTP requests to the vulnerable endpoint. The vulnerability primarily affects applications built on .NET 8.0.6 or earlier, particularly those that widely accept JSON input for deserialization, which increases the attack surface.

What are the Known Public Exploits?

No known exploits

What are the Available Fixes for CVE-2024-30105?

Available Upgrade Options

  • System.Text.Json
    • >7.0.0, <8.0.4 → Upgrade to 8.0.4
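
To find direct pins in the affected range before upgrading, the Python script below scans MSBuild XML (a .csproj or Directory.Packages.props) for System.Text.Json references and classifies each against >7.0.0, <8.0.4. It is an added example, not part of the original advisory or any vendor tooling; the sample project and the handling of prerelease and floating versions are assumptions made here.

```python
import re
import xml.etree.ElementTree as ET

PACKAGE = "system.text.json"               # NuGet package IDs compare case-insensitively
LOWER, UPPER = (7, 0, 0, 1), (8, 0, 4, 1)  # advisory range >7.0.0, <8.0.4 (both exclusive)
_VERSION = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:\.\d+)?(-[0-9A-Za-z.-]+)?(?:\+.*)?$")

def version_key(text):
    """Return (major, minor, patch, is_release), or None for floating/range versions."""
    m = _VERSION.match(text.strip())
    if not m:
        return None
    # Assumption: a prerelease sorts just below the release with the same numbers.
    return (int(m[1]), int(m[2]), int(m[3]), 0 if m[4] else 1)

def classify(version_text):
    key = version_key(version_text)
    if key is None:
        return "unknown"                   # e.g. "8.0.*" or "[8.0.0,)": resolve manually
    return "affected" if LOWER < key < UPPER else "ok"

def scan_project(xml_text):
    """Return [(version, status)] for each System.Text.Json pin in MSBuild XML."""
    findings = []
    for elem in ET.fromstring(xml_text).iter():
        tag = elem.tag.rsplit("}", 1)[-1]  # drop an XML namespace if present
        if tag not in ("PackageReference", "PackageVersion"):
            continue
        name = elem.get("Include") or elem.get("Update") or ""
        if name.lower() != PACKAGE:
            continue
        version = elem.get("Version")
        if version is None:                # <Version> child element form
            child = next((c for c in elem if c.tag.rsplit("}", 1)[-1] == "Version"), None)
            version = child.text if child is not None else None
        findings.append((version, classify(version) if version else "unknown"))
    return findings

# Constructed sample project file, for illustration only.
SAMPLE_CSPROJ = """<Project Sdk="Microsoft.NET.Sdk">
  <ItemGroup>
    <PackageReference Include="System.Text.Json" Version="8.0.3" />
    <PackageReference Include="system.text.json"><Version>8.0.4</Version></PackageReference>
    <PackageReference Include="System.Text.Json" Version="8.0.*" />
    <PackageReference Include="Newtonsoft.Json" Version="13.0.3" />
  </ItemGroup>
</Project>"""

if __name__ == "__main__":
    for version, status in scan_project(SAMPLE_CSPROJ):
        print(f"System.Text.Json {version}: {status}")
```

The script only sees versions declared in the file it is given; transitive references need `dotnet list package --include-transitive` to surface.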

What are Similar Vulnerabilities to CVE-2024-30105?

Similar Vulnerabilities: CVE-2025-27513, CVE-2024-38095, CVE-2023-28491, CVE-2022-26134, CVE-2021-44228