CVE-2025-3857

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2025-3857

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-3857.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2025-3857

Aliases

GHSA-gm2p-wf5c-w3pj

Published

2025-04-21T16:15:54.907Z

Modified

2025-11-20T12:36:08.394172Z

Severity

8.7 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X CVSS Calculator

Summary

[none]

Details

When reading binary Ion data through Amazon.IonDotnet using the RawBinaryReader class, Amazon.IonDotnet does not check the number of bytes read from the underlying stream while deserializing the binary format. If the Ion data is malformed or truncated, this triggers an infinite loop condition that could potentially result in a denial of service. Users should upgrade to Amazon.IonDotnet version 1.3.1 and ensure any forked or derivative code is patched to incorporate the new fixes.

References

Affected packages

Git / github.com/amazon-ion/ion-dotnet

Affected ranges

Type: GIT
Repo: https://github.com/amazon-ion/ion-dotnet
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

9d416b56e230a39b9ce1c36f90fc1b841f5ff9bf

Affected versions

v0.*

v0.9.0

v0.9.0-beta

v1.*

v1.0.0

v1.1.0

v1.2.0

v1.2.1

v1.2.2

v1.2.3

v1.3.0

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-3857.json"