CVE-2024-21907

HIGH

Newtonsoft.Json < 13.0.1 - Denial of Service via JsonConvert.DeserializeObject

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2024-21907. PoCs published by seal-sec-demo-2.

AI-analyzed exploit summary This repository contains a functional PoC demonstrating CVE-2024-21907, a DoS vulnerability in Newtonsoft.Json 12.0.2 caused by deep recursion during deserialization. The PoC includes a .NET 7 web application that processes user input through Newtonsoft.Json, triggering a StackOverflowException when deeply nested JSON is provided.

Description

Newtonsoft.Json before version 13.0.1 is affected by a mishandling of exceptional conditions vulnerability. Crafted data that is passed to the JsonConvert.DeserializeObject method may trigger a StackOverflow exception resulting in denial of service. Depending on the usage of the library, an unauthenticated and remote attacker may be able to cause the denial of service condition.

Exploits (1)

github WORKING POC

by seal-sec-demo-2 · c#poc

https://github.com/seal-sec-demo-2/seal-security-nuget-demo-net7

View Code ZIP pw:eip

This repository contains a functional PoC demonstrating CVE-2024-21907, a DoS vulnerability in Newtonsoft.Json 12.0.2 caused by deep recursion during deserialization. The PoC includes a .NET 7 web application that processes user input through Newtonsoft.Json, triggering a StackOverflowException when deeply nested JSON is provided.

Classification

Working Poc 95%

Attack Type

Dos

Complexity

Trivial

Reliability

Reliable

Target: Newtonsoft.Json 12.0.2

No auth needed

Prerequisites: Newtonsoft.Json 12.0.2 · A web server to host the PoC application

MITRE ATT&CK

T1499 - Endpoint Denial of Service

devstral-2 · analyzed May 16, 2026 Full analysis →

References (8)

Core 8

Core References

Exploit, Issue Tracking, Third Party Advisory issue-tracking

https://github.com/JamesNK/Newtonsoft.Json/issues/2457

View Patch ZIP pw:eip

Exploit, Third Party Advisory related

https://security.snyk.io/vuln/SNYK-DOTNET-NEWTONSOFTJSON-2774678

Third Party Advisory third-party-advisory

https://github.com/advisories/GHSA-5crp-9r3c-p9vr

Third Party Advisory third-party-advisory

https://vulncheck.com/advisories/vc-advisory-GHSA-5crp-9r3c-p9vr

Scores

CVSS v3 7.5

EPSS 0.3291

EPSS Percentile 98.1%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CISA SSVC

Vulnrichment

Exploitation poc

Automatable yes

Technical Impact partial

Details

CWE

CWE-755

Status published

Products (2)

newtonsoft/json.net < 13.0.1

nuget/Newtonsoft.Json 0 - 13.0.1NuGet

Published Jan 03, 2024

Tracked Since Feb 18, 2026