CVE-2025-3857

HIGH

Nuget Amazon.iondotnet < 1.3.1 - Insecure Deserialization

Title source: rule

Description

When reading binary Ion data through Amazon.IonDotnet using the RawBinaryReader class, Amazon.IonDotnet does not check the number of bytes read from the underlying stream while deserializing the binary format. If the Ion data is malformed or truncated, this triggers an infinite loop condition that could potentially result in a denial of service. Users should upgrade to Amazon.IonDotnet version 1.3.1 and ensure any forked or derivative code is patched to incorporate the new fixes.

References (3)

[Various Sources] https://aws.amazon.com/security/security-bulletins/AWS-2025-009/

[Vendor Advisory] https://github.com/amazon-ion/ion-dotnet/security/advisories/GHSA-gm2p-wf5c-w3pj

[Release Notes] https://github.com/amazon-ion/ion-dotnet/releases/tag/v1.3.1

Scores

CVSS v3 7.5

EPSS 0.0016

EPSS Percentile 36.2%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable yes

Technical Impact partial

Details

CWE

CWE-502 CWE-835

Status published

Products (2)

Amazon/Amazon Ion Dotnet < 1.3.1

nuget/Amazon.IonDotnet 0 - 1.3.1NuGet

Published Apr 21, 2025

Tracked Since Feb 18, 2026