Denial of Service Vulnerability in Amazon.IonDotnet by Amazon
CVE-2025-3857

8.7HIGH

Key Information:

Vendor: Amazon
Status: Amazon Ion Dotnet
Vendor: CVE Published:; 21 April 2025

What is CVE-2025-3857?

The vulnerability arises in Amazon.IonDotnet's RawBinaryReader class, which lacks proper checks on the byte count when reading binary Ion data from the underlying stream. In cases where the Ion data is malformed or truncated, this oversight can lead to an infinite loop condition. As a result, the affected system may experience a denial of service. Users are advised to upgrade to Amazon.IonDotnet version 1.3.1 and ensure that any forked or derivative versions are also updated to mitigate this issue.

Affected Version(s)

Amazon Ion Dotnet 0 < 1.3.1

References

https://aws.amazon.com/security/security-bulletins/AWS-20...

vendor-advisory

https://github.com/amazon-ion/ion-dotnet/security/advisor...

third-party-advisory

CVSS V4

Score:

8.7

Severity:

HIGH

Confidentiality:

None

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

None

Timeline

Vulnerability published
Apr 21, 2025
Vulnerability Reserved
Apr 21, 2025