.NET and Visual Studio Denial of Service Vulnerability
Description
.NET and Visual Studio Denial of Service Vulnerability
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A denial of service vulnerability exists in .NET when deserializing untrusted input with System.Text.Json's JsonSerializer.DeserializeAsyncEnumerable method.
Vulnerability
Overview
CVE-2024-30105 is a denial of service (DoS) vulnerability in .NET 8.0, specifically within the System.Text.Json package. The flaw is triggered when calling the JsonSerializer.DeserializeAsyncEnumerable method against untrusted input, leading to excessive resource consumption and ultimately a denial of service [1]. The root cause lies in how the deserializer handles certain crafted payloads during asynchronous enumeration, causing unbounded memory or CPU usage.
Exploitation
An attacker can exploit this vulnerability by providing a specially crafted JSON input to a .NET application that uses the affected DeserializeAsyncEnumerable method. No authentication is required if the vulnerable endpoint is publicly accessible; the only prerequisite is that the application deserializes untrusted data using the affected API surface. The attack can be conducted over the network, making it remotely exploitable without any special privileges [2].
Impact
Successful exploitation leads to a denial of service condition, rendering the targeted .NET application unresponsive. The impact is limited to availability; there is no risk of data compromise or privilege escalation based on the advisory [1][2].
Mitigation
Microsoft has released a patched version of the affected package: System.Text.Json version 8.0.4 (for .NET 8.0). Developers should upgrade their applications to .NET 8.0.7 or later, which includes the fix. There are no known workarounds for this vulnerability [1].
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| System.Text.Json (NuGet) | >= 7.0.0, < 8.0.4 | 8.0.4 |
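A check for the affected range listed above, as an added example (not part of the advisory or of any Microsoft tooling): it reads a NuGet `packages.lock.json` and reports every System.Text.Json entry, direct or transitive, that resolves to >= 7.0.0 and < 8.0.4. The lock-file content is constructed sample data and the function names are hypothetical.

```python
import json
import re

PACKAGE = "system.text.json"        # NuGet package ids are case-insensitive
AFFECTED_MIN = ((7, 0, 0), 1)       # inclusive lower bound from the advisory table
PATCHED = ((8, 0, 4), 1)            # first patched release (exclusive upper bound)

def version_key(text):
    """Sortable key for a NuGet version; a prerelease sorts just below its release."""
    m = re.fullmatch(
        r"(\d+)\.(\d+)(?:\.(\d+))?(?:\.\d+)?(-[0-9A-Za-z.-]+)?(?:\+.*)?", text.strip())
    if not m:
        raise ValueError(f"unrecognised version: {text!r}")
    core = (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))
    return core, 0 if m.group(4) else 1

def is_affected(version):
    return AFFECTED_MIN <= version_key(version) < PATCHED

def find_affected(lock_text):
    """Return (framework, dependency type, resolved version) for each affected entry."""
    lock = json.loads(lock_text)
    hits = []
    for framework, packages in lock.get("dependencies", {}).items():
        for name, entry in packages.items():
            resolved = entry.get("resolved")
            if name.lower() == PACKAGE and resolved and is_affected(resolved):
                hits.append((framework, entry.get("type", "?"), resolved))
    return hits

# Constructed sample lock file: three target frameworks, one entry each.
SAMPLE_LOCK = json.dumps({
    "version": 1,
    "dependencies": {
        "net6.0": {"System.Text.Json": {"type": "Direct", "resolved": "6.0.9"}},
        "net7.0": {"System.Text.Json": {"type": "Transitive", "resolved": "7.0.3"}},
        "net8.0": {"System.Text.Json": {"type": "Direct", "resolved": "8.0.0"},
                   "Example.Lib": {"type": "Direct", "resolved": "1.2.3"}},
    },
})

if __name__ == "__main__":
    for framework, kind, resolved in find_affected(SAMPLE_LOCK):
        print(f"{framework}: System.Text.Json {resolved} ({kind}) is in the affected range")
```

An application that uses the copy of System.Text.Json shipped with the runtime has no lock-file entry for it; for those, the installed runtime version is what has to be checked.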
Affected products
osv-coords (38 versions):
- pkg:apk/chainguard/aspnet-8-runtime (no CPE), range: < 8.0.7-r0
- pkg:apk/chainguard/aspnet-8-runtime-default (no CPE), range: < 8.0.7-r0
- pkg:apk/chainguard/aspnet-8-targeting-pack (no CPE), range: < 8.0.7-r0
- pkg:apk/chainguard/dotnet-8 (no CPE), range: < 8.0.7-r0
- pkg:apk/chainguard/dotnet-8-runtime (no CPE), range: < 8.0.7-r0
- pkg:apk/chainguard/dotnet-8-runtime-default (no CPE), range: < 8.0.7-r0
- pkg:apk/chainguard/dotnet-8-sdk (no CPE), range: < 8.0.7-r0
- pkg:apk/chainguard/dotnet-8-sdk-default (no CPE), range: < 8.0.7-r0
- pkg:apk/chainguard/dotnet-8-targeting-pack (no CPE), range: < 8.0.7-r0
- pkg:apk/chainguard/netstandard-8-targeting-pack (no CPE), range: < 8.0.7-r0
- pkg:apk/wolfi/aspnet-8-runtime (no CPE), range: < 8.0.7-r0
- pkg:apk/wolfi/aspnet-8-runtime-default (no CPE), range: < 8.0.7-r0
- pkg:apk/wolfi/aspnet-8-targeting-pack (no CPE), range: < 8.0.7-r0
- pkg:apk/wolfi/dotnet-8 (no CPE), range: < 8.0.7-r0
- pkg:apk/wolfi/dotnet-8-runtime (no CPE), range: < 8.0.7-r0
- pkg:apk/wolfi/dotnet-8-runtime-default (no CPE), range: < 8.0.7-r0
- pkg:apk/wolfi/dotnet-8-sdk (no CPE), range: < 8.0.7-r0
- pkg:apk/wolfi/dotnet-8-sdk-default (no CPE), range: < 8.0.7-r0
- pkg:apk/wolfi/dotnet-8-targeting-pack (no CPE), range: < 8.0.7-r0
- pkg:apk/wolfi/netstandard-8-targeting-pack (no CPE), range: < 8.0.7-r0
- pkg:bitnami/dotnet (no CPE), range: >= 8.0.0, < 8.0.8
- pkg:bitnami/dotnet-sdk (no CPE), range: >= 8.0.0, < 8.0.8
- pkg:nuget/system.text.json (no CPE), range: >= 7.0.0, < 8.0.4
- pkg:rpm/almalinux/aspnetcore-runtime-8.0 (no CPE), range: < 8.0.7-1.el9_4
- pkg:rpm/almalinux/aspnetcore-runtime-dbg-8.0 (no CPE), range: < 8.0.7-1.el9_4
- pkg:rpm/almalinux/aspnetcore-targeting-pack-8.0 (no CPE), range: < 8.0.7-1.el9_4
- pkg:rpm/almalinux/dotnet (no CPE), range: < 8.0.107-1.el8_10
- pkg:rpm/almalinux/dotnet-apphost-pack-8.0 (no CPE), range: < 8.0.7-1.el9_4
- pkg:rpm/almalinux/dotnet-host (no CPE), range: < 8.0.7-1.el9_4
- pkg:rpm/almalinux/dotnet-hostfxr-8.0 (no CPE), range: < 8.0.7-1.el9_4
- pkg:rpm/almalinux/dotnet-runtime-8.0 (no CPE), range: < 8.0.7-1.el9_4
- pkg:rpm/almalinux/dotnet-runtime-dbg-8.0 (no CPE), range: < 8.0.7-1.el9_4
- pkg:rpm/almalinux/dotnet-sdk-8.0 (no CPE), range: < 8.0.107-1.el9_4
- pkg:rpm/almalinux/dotnet-sdk-8.0-source-built-artifacts (no CPE), range: < 8.0.107-1.el9_4
- pkg:rpm/almalinux/dotnet-sdk-dbg-8.0 (no CPE), range: < 8.0.107-1.el9_4
- pkg:rpm/almalinux/dotnet-targeting-pack-8.0 (no CPE), range: < 8.0.7-1.el9_4
- pkg:rpm/almalinux/dotnet-templates-8.0 (no CPE), range: < 8.0.107-1.el9_4
- pkg:rpm/almalinux/netstandard-targeting-pack-2.1 (no CPE), range: < 8.0.107-1.el9_4
- Microsoft/Microsoft Visual Studio 2022 version 17.10 (v5), range: 17.10
- Microsoft/Microsoft Visual Studio 2022 version 17.4 (v5), range: 17.4.0
- Microsoft/Microsoft Visual Studio 2022 version 17.6 (v5), range: 17.6.0
- Microsoft/Microsoft Visual Studio 2022 version 17.8 (v5), range: 17.8.0
- Microsoft/.NET 8.0 (v5), range: 8.0
- Microsoft/PowerShell 7.4 (v5), range: 7.4.0
References
- github.com/advisories/GHSA-hh2w-p6rv-4g7w (ghsa, ADVISORY)
- msrc.microsoft.com/update-guide/vulnerability/CVE-2024-30105 (ghsa, vendor-advisory, WEB)
- nvd.nist.gov/vuln/detail/CVE-2024-30105 (ghsa, ADVISORY)
- github.com/dotnet/runtime/security/advisories/GHSA-hh2w-p6rv-4g7w (ghsa, WEB)