CVE-2024-58264 Overview
CVE-2024-58264 affects the serde-json-wasm crate for Rust before version 1.0.1. The crate allows stack consumption when parsing deeply nested JSON data, leading to a denial-of-service condition. The flaw stems from unbounded recursion in the JSON deserialization logic, which exhausts the thread stack when input nesting exceeds available space. Because serde-json-wasm is widely used in CosmWasm smart contracts and WebAssembly environments, attackers can submit crafted JSON payloads to trigger process termination. The vulnerability is tracked as [CWE-674] (Uncontrolled Recursion) and [CWE-787] (Out-of-bounds Write).
Critical Impact
Remote attackers can crash applications processing untrusted JSON input by sending deeply nested structures, producing availability loss without authentication.
Affected Products
- cosmwasm/serde-json-wasm versions prior to 1.0.1
- Rust applications using serde-json-wasm for WebAssembly JSON parsing
- CosmWasm smart contracts depending on vulnerable versions of the crate
Discovery Timeline
- 2025-07-27 - CVE-2024-58264 published to the National Vulnerability Database
- 2025-08-06 - Last updated in NVD database
Technical Details for CVE-2024-58264
Vulnerability Analysis
The serde-json-wasm crate provides a no_std-compatible JSON serializer and deserializer used in WebAssembly contexts, including CosmWasm smart contracts. The deserializer parses nested JSON arrays and objects using recursive function calls. Each level of nesting consumes additional stack frames. The crate does not impose a recursion depth limit before version 1.0.1. An attacker supplying JSON with thousands of nested brackets exhausts the available stack space, causing the host thread to abort.
The denial-of-service impact is significant in blockchain and serverless contexts where a single panic can halt contract execution or reject blocks. Exploitation requires no authentication and no user interaction. The attack vector is network-based wherever the crate processes externally supplied JSON.
Root Cause
The root cause is uncontrolled recursion in the deserialization routines for nested structures. The parser descends into each array element and object value through direct recursive calls. Without a configured maximum depth, input size alone determines stack usage. The fix in version 1.0.1 introduces depth tracking and aborts parsing before the stack is exhausted.
Attack Vector
An attacker submits a JSON payload consisting of repeated opening brackets such as [[[[[...]]]]] to any endpoint, contract entry point, or message handler that deserializes user-controlled JSON with serde-json-wasm. The number of nesting levels required to crash the process depends on the host's configured stack size, but values in the low thousands are typically sufficient. The vulnerability cannot be used to achieve code execution or data disclosure but reliably causes service termination.
No verified public proof-of-concept exploit is available. See the RustSec Advisory RUSTSEC-2024-0012 and the GitHub Security Advisory GHSA-rr69-rxr6-8qwf for further technical detail.
Detection Methods for CVE-2024-58264
Indicators of Compromise
- Application crashes or thread aborts correlated with inbound JSON payloads containing extreme nesting depths
- Repeated process restarts on services exposing JSON-based APIs to untrusted networks
- CosmWasm contract execution failures triggered by message payloads with abnormal structure
Detection Strategies
- Inventory Rust projects and Cargo lockfiles for serde-json-wasm versions earlier than 1.0.1 using cargo audit against the RustSec advisory database
- Inspect HTTP and RPC request bodies for JSON payloads with nesting depth above documented application limits
- Correlate stack overflow signals (SIGSEGV, thread aborts) in service logs with timestamps of inbound JSON traffic
Monitoring Recommendations
- Enable structured logging of JSON parser failures, including payload size and nesting metrics, to support post-incident review
- Monitor service availability metrics on endpoints that consume JSON from untrusted sources
- Track dependency advisories from RustSec and GitHub Security Advisories for serde-json-wasm and transitive consumers
How to Mitigate CVE-2024-58264
Immediate Actions Required
- Upgrade serde-json-wasm to version 1.0.1 or later in all Cargo.toml manifests and rebuild affected binaries and WebAssembly modules
- Run cargo update -p serde-json-wasm and verify the resolved version in Cargo.lock
- Redeploy CosmWasm smart contracts compiled against the patched crate version
Patch Information
The maintainers released serde-json-wasm version 1.0.1, which adds a recursion depth limit to the deserializer. Refer to the crates.io listing for serde-json-wasm for release artifacts and the RustSec Advisory RUSTSEC-2024-0012 for advisory metadata.
Workarounds
- Validate and reject JSON inputs exceeding a documented maximum size before passing them to the deserializer
- Apply upstream input filtering at API gateways or proxy layers to drop payloads with excessive nesting
- Run JSON parsing in a thread with a larger stack as a temporary buffer while patching, recognizing this only raises the exploit threshold
# Configuration example
cargo update -p serde-json-wasm --precise 1.0.1
cargo audit
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
