CVE-2025-3857
Infinite Loop vulnerability in Amazon.IonDotnet (NuGet)
What is CVE-2025-3857 About?
An issue in Amazon.IonDotnet's RawBinaryReader can cause an infinite loop when processing malformed binary Ion data, leading to a denial of service. This vulnerability allows an actor to make the application unresponsive. Exploitation is relatively easy, requiring the provision of a malformed or truncated binary Ion data stream.
Affected Software
Technical Details
The RawBinaryReader class in Amazon.IonDotnet (ion-dotnet) fails to properly check the number of bytes read from the underlying stream during deserialization of binary Ion data. If the provided binary Ion data is malformed or truncated, this oversight can trigger an infinite loop condition. The reader continuously attempts to process the incomplete data without advancing or erroring out, leading to indefinite resource consumption (CPU cycles) and ultimately a denial of service for any application using this library to deserialize such data.
What is the Impact of CVE-2025-3857?
Successful exploitation may allow attackers to cause a denial of service, leading to system instability or unresponsiveness.
What is the Exploitability of CVE-2025-3857?
Exploitation involves providing malformed or truncated binary Ion data to an application utilizing the RawBinaryReader in Amazon.IonDotnet. This is a low-complexity attack, as it only requires supplying specific input data. No authentication or elevated privileges are required. It can be a remote attack if the application processes external Ion data. The primary constraint is the application's reliance on the vulnerable RawBinaryReader for binary Ion deserialization. Systems processing untrusted Ion data streams are at higher risk.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | ||
What are the Available Fixes for CVE-2025-3857?
About the Fix from Resolved Security
The patch adds a check in the binary reader logic to throw an UnexpectedEofException if the input stream is truncated and does not provide the expected bytes, preventing incomplete data from being interpreted as valid input. This fixes CVE-2025-3857 by ensuring that truncated or maliciously crafted Ion binary data cannot result in undefined behavior or information disclosure due to improper end-of-file handling.
Available Upgrade Options
- Amazon.IonDotnet
- <1.3.1 → Upgrade to 1.3.1
Struggling with dependency upgrades?
See how Resolved Security's drop-in replacements make it simple.
Book a demoAdditional Resources
- https://aws.amazon.com/security/security-bulletins/AWS-2025-009/
- https://github.com/amazon-ion/ion-dotnet/releases/tag/v1.3.1
- https://nvd.nist.gov/vuln/detail/CVE-2025-3857
- https://github.com/amazon-ion/ion-dotnet/commit/34a4f5215eceac1bb7bf434c4f2310d64d1b703b
- https://github.com/amazon-ion/ion-dotnet/security/advisories/GHSA-gm2p-wf5c-w3pj
- https://github.com/amazon-ion/ion-dotnet/releases/tag/v1.3.1
- https://github.com/amazon-ion/ion-dotnet
- https://osv.dev/vulnerability/GHSA-gm2p-wf5c-w3pj
- https://aws.amazon.com/security/security-bulletins/AWS-2025-009
- https://github.com/amazon-ion/ion-dotnet/security/advisories/GHSA-gm2p-wf5c-w3pj
What are Similar Vulnerabilities to CVE-2025-3857?
Similar Vulnerabilities: CVE-2025-54575 , CVE-2024-41132 , CVE-2025-27598 , CVE-2024-2191 , CVE-2023-38843
