Vulnerability in Newtonsoft.Json Affects Denial of Service
CVE-2024-21907

7.5HIGH

Key Information:

Status
Vendor: CVE Published:; 3 January 2024

Badges

👾 Exploit Exists🟡 Public PoC

What is CVE-2024-21907?

Prior to version 13.0.1, Newtonsoft.Json is susceptible to a vulnerability related to improper handling of exceptional conditions. An unauthenticated remote attacker can exploit the JsonConvert.DeserializeObject method by passing carefully crafted data, potentially leading to a StackOverflow exception. This condition could disrupt service, creating a denial of service scenario based on the library's implementation. Developers utilizing this library should review their code to ensure they are using the latest version that patches this vulnerability.

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

seal-security-nuget-demo-net7
Created by seal-sec-demo-2

References

https://github.com/JamesNK/Newtonsoft.Json/issues/2457

issue-tracking

https://github.com/JamesNK/Newtonsoft.Json/pull/2462

https://github.com/JamesNK/Newtonsoft.Json/commit/7e77bbe...

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

None

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

🟡
Public PoC available
May 16, 2026
👾
Exploit known to exist
May 16, 2026
Vulnerability published
Jan 3, 2024

CVE-2024-21907 Data

JSON