Denial of service while reading data in Avro Rust SDK
Description
It is possible to provide data to be read that leads the reader to loop in cycles endlessly, consuming CPU. This issue affects Rust applications using Apache Avro Rust SDK prior to 0.14.0 (previously known as avro-rs). Users should update to apache-avro version 0.14.0 which addresses this issue.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Maliciously crafted Avro data can cause an infinite loop in Rust applications that read it with the Apache Avro Rust SDK, leading to CPU exhaustion. Patched in apache-avro 0.14.0.
Vulnerability
CVE-2022-35724 is a denial-of-service (DoS) vulnerability in the Apache Avro Rust SDK (formerly avro-rs), prior to version 0.14.0. An attacker can provide specially crafted Avro data that, when read by the library, causes the reader to loop endlessly, consuming an unbounded amount of CPU time [1]. The advisory describes the symptom (the reader "loops in cycles endlessly") but does not identify which parsing step fails to terminate, so the precise root cause is not documented here.
Exploitation
An attacker can exploit this vulnerability by supplying a malicious Avro file or stream to an application that uses the affected library to deserialize or read the data. No authentication is required if the application accepts untrusted input, for example via a network service or a file upload. The process that performs the read is the one affected, whether it is a server ingesting client data or a client consuming a stream: it hangs in the reader and burns CPU until it is stopped [1][2].
Impact
Successful exploitation results in a denial of service, as the affected process is unable to handle any further requests until it is forcibly terminated. This can lead to service disruption for applications that process Avro data from untrusted sources.
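The failure mode above, a reader that never returns on crafted input, is the kind of thing worth containing at the call site regardless of library version. The following is an added example (not code from Apache Avro or this advisory) of a containment pattern in plain Rust with no dependencies: cap the payload size, then run the decode step on a worker thread under a wall-clock deadline so the request can be rejected instead of hanging. `count_bytes` and `never_returns` are hypothetical stand-ins for a well-behaved reader and for a reader stuck in a loop; they are not the apache-avro API.

```rust
use std::io::{self, Read};
use std::sync::mpsc::{self, RecvTimeoutError};
use std::thread;
use std::time::Duration;

/// Result of running an untrusted decode step under a wall-clock deadline.
#[derive(Debug, PartialEq)]
pub enum Bounded<T> {
    Done(T),
    TimedOut,
    Panicked,
}

/// Reads at most `max_bytes` from an untrusted source and refuses larger payloads.
/// A size cap alone does not stop a looping reader (the loop may trigger on a tiny
/// input), but it bounds memory and keeps the deadline below meaningful.
pub fn read_capped<R: Read>(src: R, max_bytes: u64) -> io::Result<Vec<u8>> {
    let mut buf = Vec::new();
    // Read one byte past the cap so an oversized payload is detectable.
    src.take(max_bytes + 1).read_to_end(&mut buf)?;
    if buf.len() as u64 > max_bytes {
        return Err(io::Error::new(io::ErrorKind::InvalidData, "payload exceeds size cap"));
    }
    Ok(buf)
}

/// Runs `decode` on a worker thread and waits at most `deadline` for its result.
/// If the worker is still running when the deadline passes, the caller gets
/// `TimedOut` and can reject the input. The worker is detached and keeps running,
/// so in a real service this must be paired with a per-process CPU limit or
/// process recycling; a stuck thread cannot be cancelled from the outside.
pub fn decode_with_deadline<T, F>(deadline: Duration, decode: F) -> Bounded<T>
where
    T: Send + 'static,
    F: FnOnce() -> T + Send + 'static,
{
    let (tx, rx) = mpsc::channel();
    thread::spawn(move || {
        // If the caller already gave up, the send fails; that is fine.
        let _ = tx.send(decode());
    });
    match rx.recv_timeout(deadline) {
        Ok(v) => Bounded::Done(v),
        Err(RecvTimeoutError::Timeout) => Bounded::TimedOut,
        // The sender was dropped without sending: the worker panicked.
        Err(RecvTimeoutError::Disconnected) => Bounded::Panicked,
    }
}

/// Hypothetical stand-in for a well-behaved reader: just reports the byte count.
pub fn count_bytes(payload: Vec<u8>) -> usize {
    payload.len()
}

/// Hypothetical stand-in for the advisory's failure mode: a reader that never
/// returns on crafted input. It sleeps instead of spinning so this demo does not
/// pin a core; the real bug burns CPU, which is why the deadline wrapper alone
/// is containment, not a fix.
pub fn never_returns(_payload: Vec<u8>) -> usize {
    loop {
        thread::sleep(Duration::from_millis(10));
    }
}

fn main() {
    // Constructed sample inputs; the "hostile" bytes are a placeholder, not an exploit.
    let benign = read_capped(&b"avro"[..], 1024).unwrap();
    let hostile: Vec<u8> = vec![0xff; 8];

    let ok = decode_with_deadline(Duration::from_secs(5), move || count_bytes(benign));
    let stuck = decode_with_deadline(Duration::from_millis(200), move || never_returns(hostile));
    println!("benign: {:?}, hostile: {:?}", ok, stuck);
}
```

The deadline should be a generous multiple of the normal decode time for your payload sizes; a timeout is a signal to drop the request and log the source, not a reason to retry.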
Mitigation
Users should upgrade to apache-avro version 0.14.0 or later, which addresses the issue [1][2]; the advisory does not describe the fix beyond that, and it lists no workaround for earlier versions. Until the upgrade lands, the practical containment is to keep untrusted Avro decoding in a process or thread with a CPU-time or wall-clock limit so a stuck reader can be terminated without taking the whole service down; this limits the blast radius but does not remove the bug.
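The check that goes with this mitigation is confirming what a build actually resolves. The following is an added example (not code from Apache Avro or this advisory) that scans a Cargo.lock for the `apache-avro` crate, and for the older `avro-rs` name the description mentions, and flags versions below 0.14.0 as affected. The parser is a hand-written line scanner rather than a TOML library so it runs with no dependencies; the lock file in `main` is constructed sample input.

```rust
/// One `[[package]]` entry from Cargo.lock.
#[derive(Debug, Clone, PartialEq)]
pub struct LockedCrate {
    pub name: String,
    pub version: String,
}

/// First release that addresses CVE-2022-35724, per the advisory.
pub const PATCHED: (u64, u64, u64) = (0, 14, 0);

/// Extracts `key = "value"` from a single Cargo.lock line.
fn quoted_value(line: &str, key: &str) -> Option<String> {
    let rest = line.strip_prefix(key)?.trim_start().strip_prefix('=')?.trim();
    let inner = rest.strip_prefix('"')?.strip_suffix('"')?;
    Some(inner.to_string())
}

/// Minimal Cargo.lock scanner: collects name/version from every `[[package]]` block.
/// It understands only the two keys it needs; `[metadata]` and other tables are skipped.
pub fn scan_cargo_lock(lock: &str) -> Vec<LockedCrate> {
    fn flush(name: &mut Option<String>, version: &mut Option<String>, out: &mut Vec<LockedCrate>) {
        if let (Some(n), Some(v)) = (name.take(), version.take()) {
            out.push(LockedCrate { name: n, version: v });
        }
    }
    let mut out = Vec::new();
    let (mut name, mut version) = (None, None);
    let mut in_package = false;
    for raw in lock.lines() {
        let line = raw.trim();
        if line.starts_with('[') {
            flush(&mut name, &mut version, &mut out);
            in_package = line == "[[package]]";
            continue;
        }
        if !in_package {
            continue;
        }
        if let Some(v) = quoted_value(line, "name") {
            name = Some(v);
        } else if let Some(v) = quoted_value(line, "version") {
            version = Some(v);
        }
    }
    flush(&mut name, &mut version, &mut out);
    out
}

/// Parses "MAJOR.MINOR.PATCH[-pre][+build]" into its numbers plus a prerelease flag.
/// Returns None for anything that is not three numeric components.
pub fn parse_semver(v: &str) -> Option<((u64, u64, u64), bool)> {
    let core = v.split('+').next()?;
    let (nums, prerelease) = match core.split_once('-') {
        Some((n, _)) => (n, true),
        None => (core, false),
    };
    let mut parts = nums.split('.').map(|p| p.parse::<u64>().ok());
    let major = parts.next()??;
    let minor = parts.next()??;
    let patch = parts.next()??;
    if parts.next().is_some() {
        return None;
    }
    Some(((major, minor, patch), prerelease))
}

/// True when the crate is one of the affected names and its version is below
/// 0.14.0. A 0.14.0 prerelease sorts before the release, so it is also flagged.
/// Returns None when the version string cannot be parsed (treat as "unknown").
pub fn is_affected(name: &str, version: &str) -> Option<bool> {
    if name != "apache-avro" && name != "avro-rs" {
        return Some(false);
    }
    let (nums, prerelease) = parse_semver(version)?;
    Some(nums < PATCHED || (nums == PATCHED && prerelease))
}

/// Returns every Avro SDK crate found in the lock file with its affected flag
/// (None = unparseable version, which deserves a manual look).
pub fn audit(lock: &str) -> Vec<(LockedCrate, Option<bool>)> {
    scan_cargo_lock(lock)
        .into_iter()
        .filter(|c| c.name == "apache-avro" || c.name == "avro-rs")
        .map(|c| {
            let flag = is_affected(&c.name, &c.version);
            (c, flag)
        })
        .collect()
}

fn main() {
    // Constructed sample Cargo.lock, not taken from any real project.
    let lock = "[[package]]\nname = \"serde\"\nversion = \"1.0.152\"\n\n\
                [[package]]\nname = \"apache-avro\"\nversion = \"0.13.0\"\n\n\
                [metadata]\nfoo = \"bar\"\n";
    for (c, flag) in audit(lock) {
        println!("{} {} affected={:?}", c.name, c.version, flag);
    }
}
```

Run it against the lock file of every deployable, not just the workspace root, since a vendored or transitive `apache-avro` is just as reachable by untrusted input as a direct one.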
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| apache-avro (crates.io) | < 0.14.0 | 0.14.0 |
Affected products
- Apache Software Foundation / Apache Avro (v5 record; affected range: unspecified)
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- https://github.com/advisories/GHSA-v456-chpw-6mmw (GitHub Security Advisory)
- https://nvd.nist.gov/vuln/detail/CVE-2022-35724 (NVD entry)
- https://lists.apache.org/thread/771z1nwrpkn1ovmyfb2fm65mchdxgy7p (Apache announcement thread)
News mentions
No linked articles in our index yet.