CVE-2024-21907 Overview
CVE-2024-21907 is a Denial of Service vulnerability affecting Newtonsoft.Json, one of the most widely-used JSON serialization libraries in the .NET ecosystem. The vulnerability stems from improper handling of exceptional conditions when processing deeply nested JSON structures. Crafted data passed to the JsonConvert.DeserializeObject method can trigger a StackOverflow exception, resulting in denial of service. Due to the network-accessible nature of many applications using this library, unauthenticated remote attackers may be able to exploit this vulnerability to cause service disruption.
Critical Impact
Remote attackers can crash .NET applications using vulnerable versions of Newtonsoft.Json by sending specially crafted deeply-nested JSON payloads, causing stack exhaustion and service unavailability.
Affected Products
- Newtonsoft Json.NET versions prior to 13.0.1
- Applications and services utilizing vulnerable Newtonsoft.Json NuGet packages
- .NET applications processing untrusted JSON input without depth limits
Discovery Timeline
- 2024-01-03 - CVE-2024-21907 published to NVD
- 2025-11-28 - Last updated in NVD database
Technical Details for CVE-2024-21907
Vulnerability Analysis
This vulnerability is classified under CWE-755 (Improper Handling of Exceptional Conditions). The core issue lies in how Newtonsoft.Json handles deeply nested JSON structures during deserialization. Prior to version 13.0.1, the library did not enforce a default maximum depth limit when parsing JSON data. This architectural decision meant that maliciously crafted JSON with excessive nesting levels could consume stack space recursively until the application's stack is exhausted, triggering a StackOverflowException.
The vulnerability is particularly dangerous because StackOverflowException in .NET is a fatal exception that cannot be caught or handled by application code, causing immediate process termination. This makes it an effective vector for denial of service attacks against web APIs, microservices, and any application that deserializes JSON from untrusted sources.
Root Cause
The root cause is the absence of a default maximum depth constraint in the JsonReader and JsonSerializer classes. When processing JSON input, the library recursively parses nested objects and arrays. Without depth limits, an attacker can craft JSON with thousands of nested levels, causing the parser to make an equivalent number of recursive calls. Each recursive call consumes stack memory, and when the stack is exhausted, the runtime throws an unrecoverable StackOverflowException.
Attack Vector
The attack vector is network-based and requires no authentication or user interaction. An attacker can exploit this vulnerability by sending a malicious HTTP request containing deeply nested JSON to any endpoint that deserializes JSON using vulnerable versions of Newtonsoft.Json. The attack payload is straightforward to construct—simply generate JSON with excessive nesting depth such as {"a":{"a":{"a":...}}} repeated thousands of times.
// Security patch in Src/Newtonsoft.Json/JsonReader.cs
// Change JsonReader and JsonSerializer default max depth to 128 (#2462)
/// <summary>
/// Gets or sets the maximum depth allowed when reading JSON. Reading past this depth will throw a <see cref="JsonReaderException"/>.
+ /// A null value means there is no maximum.
+ /// The default value is <c>128</c>.
/// </summary>
public int? MaxDepth
{
Source: GitHub Commit Reference
// Security patch in Src/Newtonsoft.Json/JsonSerializer.cs
// Change JsonReader and JsonSerializer default max depth to 128 (#2462)
/// <summary>
/// Gets or sets the maximum depth allowed when reading JSON. Reading past this depth will throw a <see cref="JsonReaderException"/>.
/// A null value means there is no maximum.
- /// The default value is <c>null</c>.
+ /// The default value is <c>128</c>.
/// </summary>
public virtual int? MaxDepth
{
Source: GitHub Commit Reference
Detection Methods for CVE-2024-21907
Indicators of Compromise
- Application crashes with StackOverflowException in JSON parsing routines
- Unusual HTTP requests containing extremely large JSON payloads with deep nesting
- Process terminations in services handling JSON deserialization without corresponding application errors in logs
- Repeated service restarts correlated with specific API endpoint requests
Detection Strategies
- Implement software composition analysis (SCA) to identify Newtonsoft.Json versions below 13.0.1 in your dependency tree
- Monitor application crash dumps for stack traces indicating recursive calls in Newtonsoft.Json namespace
- Use web application firewalls (WAF) to detect and block JSON payloads with excessive nesting depth
- Audit NuGet package references across all .NET projects using dotnet list package --vulnerable
Monitoring Recommendations
- Configure application performance monitoring (APM) to alert on sudden process terminations
- Implement request body size limits at the load balancer and API gateway level
- Set up log aggregation to correlate service crashes with incoming request patterns
- Monitor memory and CPU utilization for signs of resource exhaustion attacks
How to Mitigate CVE-2024-21907
Immediate Actions Required
- Upgrade Newtonsoft.Json to version 13.0.1 or later immediately across all affected applications
- If immediate upgrade is not possible, explicitly configure MaxDepth property on JsonSerializerSettings to a safe value
- Review all entry points that accept JSON input from untrusted sources
- Deploy updated applications to production with proper testing validation
Patch Information
The fix was implemented in GitHub Pull Request #2462, which changes the default MaxDepth value from null (unlimited) to 128 in both JsonReader and JsonSerializer classes. This ensures that even applications that do not explicitly configure depth limits are protected by a reasonable default. The patched version is available via NuGet as Newtonsoft.Json 13.0.1 and later. For detailed technical analysis, see the GitHub Security Advisory and Snyk Vulnerability Report.
Workarounds
- For applications that cannot be upgraded immediately, configure JsonSerializerSettings with an explicit MaxDepth value
- Implement input validation at the API layer to reject JSON payloads exceeding reasonable size or complexity thresholds
- Use middleware to enforce request body size limits before JSON parsing occurs
- Consider implementing custom JSON parsing with iterative (non-recursive) algorithms for high-risk endpoints
# Configuration example - Set explicit MaxDepth to prevent stack overflow
var settings = new JsonSerializerSettings
{
MaxDepth = 64 // Adjust based on your application's requirements
};
var result = JsonConvert.DeserializeObject<MyType>(jsonInput, settings);
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
