CVE-2025-3857: 
C# vulnerability analysis and mitigation

CVE-2025-3857 is a security vulnerability discovered in Amazon.IonDotnet, a .NET library implementing the Ion data serialization format. The vulnerability was disclosed on April 21, 2025, affecting versions 1.3.0 and earlier of the Amazon.IonDotnet library. The issue occurs in the RawBinaryReader class when processing binary Ion data, where the library fails to verify the number of bytes read from the underlying stream during binary format deserialization (AWS Bulletin, NVD).

The vulnerability has been assigned a CVSS v3.1 base score of 7.5 (High) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H, and a CVSS v4.0 score of 8.7 (High) with the vector string CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N. The vulnerability is associated with CWE-502 (Deserialization of Untrusted Data) and CWE-835 (Loop with Unreachable Exit Condition) (NVD, GitHub Advisory).

When exploited, this vulnerability can trigger an infinite loop condition during the processing of malformed or truncated Ion data, potentially resulting in a denial of service (DoS) attack. The high availability impact is reflected in the CVSS scores, while confidentiality and integrity remain unaffected (AWS Bulletin, GitHub Advisory).

Amazon has released version 1.3.1 of Amazon.IonDotnet to address this vulnerability. Users are strongly recommended to upgrade to this version, and ensure any forked or derivative code incorporates the new fixes. No alternative workarounds are available (AWS Bulletin).

The vulnerability was responsibly disclosed through a coordinated vulnerability disclosure process, with credit given to Symbotic for their collaboration in identifying and addressing the issue (GitHub Advisory).