GHSA-8rfx-6mr3-5jh3
Denial of Service vulnerability in Newtonsoft.Json (NuGet)

Denial of Service No known exploit

What is GHSA-8rfx-6mr3-5jh3 About?

This Denial of Service vulnerability in Newtonsoft.Json before 13.0.1 allows attackers to trigger a StackOverflow exception by passing crafted data to the `JsonConvert.DeserializeObject` method. This can result in a denial of service for applications using the library. Exploitation is remote and unauthenticated, making it easy to perform.

Affected Software

Newtonsoft.Json <13.0.1

Technical Details

The vulnerability stems from a mishandling of exceptional conditions within the JsonConvert.DeserializeObject method in Newtonsoft.Json. When specially crafted JSON data is supplied as input, the deserialization process enters a recursive state or an overly complex parsing path that exhausts the application's call stack, leading to a StackOverflow exception. This unhandled exception causes the application to crash or become unresponsive, resulting in a denial of service.

What is the Impact of GHSA-8rfx-6mr3-5jh3?

Successful exploitation may allow attackers to cause the affected application to become unresponsive or crash, leading to a denial of service for legitimate users.

What is the Exploitability of GHSA-8rfx-6mr3-5jh3?

Exploitation is of low complexity. An attacker can craft a malicious JSON payload and send it to an application endpoint that deserializes objects using JsonConvert.DeserializeObject. No authentication is required, enabling remote exploitation. The primary prerequisite is that the application must expose an endpoint that uses the vulnerable deserialization method. The ease of crafting JSON and transmitting it makes this vulnerability readily exploitable, especially if input validation is not robust.

What are the Known Public Exploits?

No known exploits.

What are the Available Fixes for GHSA-8rfx-6mr3-5jh3?

Available Upgrade Options

  • Newtonsoft.Json
    • <13.0.1 → Upgrade to 13.0.1
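
Where the upgrade cannot ship immediately, an explicit nesting limit on every deserialization call bounds how deep the parser can recurse. The following is an added example, not code from this advisory or from the Newtonsoft.Json project; it assumes the crafted data relies on deep nesting (the advisory text does not say) and that 64 levels is enough for the application, and `SafeJson` and `TryDeserialize` are hypothetical names.

```csharp
// Added example: not code from the advisory or from Newtonsoft.Json itself.
using System;
using Newtonsoft.Json;

public static class SafeJson   // hypothetical helper name
{
    // Assumption: no legitimate payload for this service nests deeper than 64 levels.
    private const int MaxJsonDepth = 64;

    private static readonly JsonSerializerSettings Settings = new JsonSerializerSettings
    {
        // The reader throws JsonReaderException once nesting exceeds this value.
        // A StackOverflowException cannot be caught in .NET, so the limit has to
        // stop parsing before the stack is exhausted rather than recover afterwards.
        MaxDepth = MaxJsonDepth
    };

    public static bool TryDeserialize<T>(string json, out T value, out string error)
    {
        try
        {
            value = JsonConvert.DeserializeObject<T>(json, Settings);
            error = null;
            return true;
        }
        catch (JsonException ex)   // base class of JsonReaderException
        {
            value = default(T);
            error = ex.Message;
            return false;
        }
    }
}

public static class Program
{
    public static void Main()
    {
        // Also cover call sites that use JsonConvert without explicit settings.
        JsonConvert.DefaultSettings = () => new JsonSerializerSettings { MaxDepth = 64 };

        // Constructed inputs: an ordinary document and one nested 200 levels deep.
        string ordinary = "{\"user\":{\"roles\":[\"admin\",\"dev\"]}}";
        string tooDeep = new string('[', 200) + new string(']', 200);

        Console.WriteLine(SafeJson.TryDeserialize(ordinary, out object a, out string e1)
            ? "ordinary: accepted" : "ordinary: rejected (" + e1 + ")");
        Console.WriteLine(SafeJson.TryDeserialize(tooDeep, out object b, out string e2)
            ? "too deep: accepted" : "too deep: rejected (" + e2 + ")");
    }
}
```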

What are Similar Vulnerabilities to GHSA-8rfx-6mr3-5jh3?

Similar Vulnerabilities: CVE-2024-30105, CVE-2024-38095, CVE-2025-27513, CVE-2023-28491, CVE-2022-26134