CVE-2024-21907: 
C# vulnerability analysis and mitigation

CVE-2024-21907 affects Newtonsoft.Json versions prior to 13.0.1, discovered and reported in 2018. This vulnerability is related to a mishandling of exceptional conditions where crafted data passed to the JsonConvert.DeserializeObject method may trigger a StackOverflow exception resulting in denial of service. The vulnerability received a CVSS v3.1 base score of 7.5 (High) (NVD, GitHub Advisory).

The vulnerability stems from improper handling of expressions with high nesting levels in JSON processing. Deserializing methods will process deeply nested input resulting in high CPU and RAM usage, requiring approximately 10,000 levels of nesting (9.5MB of nested input) to achieve latency over 10 seconds. Serializing methods will throw a StackOverflow exception with a nesting level of around 20,000. The vulnerability is classified as CWE-755: Improper Handling of Exceptional Conditions (Snyk, Aleph Security).

The vulnerability can lead to Denial of Service (DoS) conditions. When exploited, it can cause process termination due to StackOverflow exceptions or resource exhaustion through high CPU and RAM consumption. This affects any application using the vulnerable versions of Newtonsoft.Json, with particular severity in IIS-hosted applications where the process termination behavior can lead to application pool shutdown (GitHub Advisory).

The primary mitigation is to upgrade Newtonsoft.Json to version 13.0.1 or higher. Alternatively, users can set the MaxDepth parameter in JsonSerializerSettings to limit nested processing. This can be implemented globally using: JsonConvert.DefaultSettings = () => new JsonSerializerSettings { MaxDepth = 128 }. Version 13.0.1 sets this limit by default (GitHub Commit).