CVE-2024-21907

7.5 HIGH

📋 TL;DR

Newtonsoft.Json versions before 13.0.1 contain a vulnerability where specially crafted JSON data can trigger a StackOverflowException when deserialized, causing denial of service. This affects any application using vulnerable versions of the library for JSON parsing. Remote, unauthenticated attackers could potentially crash applications by sending malicious JSON payloads.

💻 Affected Systems

Products:
  • Newtonsoft.Json (Json.NET)
  • Any application using Newtonsoft.Json library
Versions: All versions before 13.0.1
Operating Systems: All platforms where Newtonsoft.Json runs (Windows, Linux, macOS)
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerability exists in default configuration when using JsonConvert.DeserializeObject method.

📦 What is this software?

Newtonsoft.Json (Json.NET) is a JSON serialization and parsing library for .NET applications, distributed as a NuGet package and pulled in as a dependency by a very large number of .NET projects.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete application crash and denial of service for all users, potentially requiring manual restart of affected services.

🟠 Likely Case: Application crashes when processing malicious JSON input, causing temporary service disruption until automatic or manual recovery.

🟢 If Mitigated: Minimal impact with proper input validation and updated library versions preventing exploitation.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires sending crafted JSON data to applications that deserialize untrusted input.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 13.0.1 and later

Vendor Advisory: https://github.com/JamesNK/Newtonsoft.Json/commit/7e77bbe1beccceac4fc7b174b53abfefac278b66

Restart Required: Yes

Instructions:

1. Update the Newtonsoft.Json NuGet package to version 13.0.1 or later.
2. Rebuild and redeploy affected applications.
3. Restart services using the updated library.

🔧 Temporary Workarounds

Input Validation and Size Limits (all)

Implement input validation and size limits on JSON data before deserialization

WAF/Proxy Protection (all)

Configure web application firewalls or reverse proxies to block or limit large JSON payloads

🧯 If You Can't Patch

  • Implement strict input validation to reject malformed JSON before deserialization
  • Deploy rate limiting and request size limits to prevent exploitation attempts
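One way to apply the validation and limit steps above in code, as an added example that is not part of this advisory or of the Json.NET project: the wrapper below rejects oversized input and sets JsonSerializerSettings.MaxDepth so that a pre-13.0.1 Newtonsoft.Json fails with a catchable JsonReaderException instead of recursing into a StackOverflowException. The class name, the limit values and the sample payload are assumptions for illustration.

```csharp
using System;
using Newtonsoft.Json;

// Added example, not code from the advisory or the Json.NET project. For
// applications still on Newtonsoft.Json < 13.0.1 it applies a length cap and
// a nesting-depth cap before the library recurses into the document.
// LengthLimit and DepthLimit are assumed values; tune them to your payloads.
public static class SafeJson
{
    private const int LengthLimit = 256 * 1024; // assumed cap on payload chars
    private const int DepthLimit = 64;          // the default adopted in 13.0.1

    // JsonSerializerSettings.MaxDepth makes the reader throw JsonReaderException
    // once nesting exceeds the limit, instead of recursing until the process
    // dies with a StackOverflowException, which .NET code cannot catch.
    private static readonly JsonSerializerSettings Settings =
        new JsonSerializerSettings { MaxDepth = DepthLimit };

    // Returns false, with a reason, for input rejected by either limit.
    public static bool TryDeserialize<T>(string json, out T result, out string reason)
    {
        result = default(T);
        reason = null;
        if (json == null || json.Length > LengthLimit)
        {
            reason = "payload missing or exceeds length limit";
            return false;
        }
        try
        {
            result = JsonConvert.DeserializeObject<T>(json, Settings);
            return true;
        }
        catch (JsonReaderException ex) // thrown when MaxDepth is exceeded
        {
            reason = "rejected by parser: " + ex.Message;
            return false;
        }
    }

    public static void Main()
    {
        // Constructed sample: 100 nested arrays, the nesting shape behind this
        // CVE (real crash payloads nest far deeper to exhaust the stack).
        string hostile = new string('[', 100) + new string(']', 100);
        bool ok = TryDeserialize<object>(hostile, out object _, out string reason);
        Console.WriteLine(ok ? "accepted" : "blocked: " + reason);
    }
}
```

Upgrading to 13.0.1 remains the real fix; this wrapper only narrows exposure on the endpoints that route input through it.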

🔍 How to Verify

Check if Vulnerable:

Check Newtonsoft.Json assembly version in application dependencies or NuGet package references

Check Version:

For .NET applications: check packages.config or .csproj file for Newtonsoft.Json package version

Verify Fix Applied:

Verify Newtonsoft.Json version is 13.0.1 or higher in application dependencies

📡 Detection & Monitoring

Log Indicators:

  • StackOverflowException in application logs
  • Application crash/restart events
  • Unusually large JSON payloads in request logs

Network Indicators:

  • Large JSON payloads to deserialization endpoints
  • Repeated crash/restart patterns

SIEM Query:

source="application_logs" AND ("StackOverflowException" OR ("Newtonsoft.Json" AND "crash"))
