.NET and Visual Studio Denial of Service Vulnerability
Description
.NET and Visual Studio Denial of Service Vulnerability
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A denial of service vulnerability in System.Text.Json affects .NET applications that deserialize JSON into models with an [ExtensionData] property; it is exploitable via crafted JSON input.
Vulnerability
Details
CVE-2024-43485 is an algorithmic complexity vulnerability in the System.Text.Json library, affecting .NET 6.0.x and 8.0.x. The flaw resides in the deserialization of JSON input into models that include an [ExtensionData] property. When processing specially crafted JSON payloads, the library can be forced into excessive computational work, leading to a denial of service condition [1][2][3].
Exploitation
An attacker can exploit this vulnerability by sending a malicious JSON payload to an application that deserializes it into a model with an [ExtensionData] property. No authentication is required if the endpoint is publicly accessible. The attack does not require any special network position beyond the ability to send HTTP requests to the target service [1][2][3].
Impact
Successful exploitation results in a denial of service, causing the affected application to become unresponsive or crash. This can disrupt service availability for legitimate users. The impact is limited to applications that use the [ExtensionData] feature; models without this property are not vulnerable [1][2][3].
Mitigation
Microsoft has released patches for the affected packages. Users should update to .NET 8.0.9 or later, .NET 6.0.34 or later, or update the System.Text.Json package to version 8.0.5 (for .NET 8) or 6.0.10 (for .NET 6). Visual Studio users will be prompted to update. No workarounds are available for vulnerable configurations [1][2][3].
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| System.Text.Json (NuGet) | >= 8.0.0, < 8.0.5 | 8.0.5 |
| System.Text.Json (NuGet) | >= 6.0.0, < 6.0.10 | 6.0.10 |
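
A dependency check against the ranges in the table above, as an added example that is not part of the advisory or of Microsoft's tooling. It reads the `libraries` section of a build's `*.deps.json` file and reports any resolved System.Text.Json package version that falls in an affected range; the sample document and the app name in it are constructed.

```python
import json
import re

# Affected/patched ranges for the System.Text.Json NuGet package, copied from the table above.
AFFECTED = [((8, 0, 0), (8, 0, 5)), ((6, 0, 0), (6, 0, 10))]
PACKAGE = "system.text.json"


def parse_version(text):
    """Return (major, minor, patch) from a NuGet version; -prerelease/+build suffixes are ignored."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised version: {text!r}")
    return tuple(int(p) for p in m.groups())


def fixed_version_for(version):
    """Return the patched version string if `version` is in an affected range, else None."""
    v = parse_version(version)
    for low, fixed in AFFECTED:
        if low <= v < fixed:
            return ".".join(map(str, fixed))
    return None


def scan_deps_json(text):
    """Return [(version, patched_version)] for affected System.Text.Json entries in a deps.json document."""
    findings = []
    # Keys of "libraries" have the form "PackageName/Version".
    for key in json.loads(text).get("libraries", {}):
        name, _, version = key.partition("/")
        if name.lower() == PACKAGE and version:
            fixed = fixed_version_for(version)
            if fixed:
                findings.append((version, fixed))
    return findings


# Constructed sample: a trimmed deps.json for a hypothetical application.
SAMPLE_DEPS = json.dumps({
    "libraries": {
        "ExampleApp/1.0.0": {"type": "project"},
        "System.Text.Json/8.0.4": {"type": "package"},
        "Newtonsoft.Json/13.0.3": {"type": "package"},
    }
})

if __name__ == "__main__":
    for version, fixed in scan_deps_json(SAMPLE_DEPS):
        print(f"System.Text.Json {version} is affected; update to {fixed} or later")
```

This covers only the NuGet package ranges; the installed .NET runtime version has to be checked separately against the runtime ranges listed under Affected products.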
Affected products
osv-coords (27 versions). No CPE is listed for any of these entries.

| Package URL | Affected range |
|---|---|
| pkg:bitnami/dotnet | >= 6.0.0, < 6.0.35 |
| pkg:bitnami/dotnet-sdk | >= 6.0.0, < 6.0.35 |
| pkg:nuget/system.text.json | >= 8.0.0, < 8.0.5 |
| pkg:rpm/almalinux/aspnetcore-runtime-6.0 | < 6.0.35-1.el8_10 |
| pkg:rpm/almalinux/aspnetcore-runtime-8.0 | < 8.0.10-1.el8_10 |
| pkg:rpm/almalinux/aspnetcore-runtime-dbg-8.0 | < 8.0.10-1.el8_10 |
| pkg:rpm/almalinux/aspnetcore-targeting-pack-6.0 | < 6.0.35-1.el8_10 |
| pkg:rpm/almalinux/aspnetcore-targeting-pack-8.0 | < 8.0.10-1.el8_10 |
| pkg:rpm/almalinux/dotnet | < 8.0.110-1.el8_10 |
| pkg:rpm/almalinux/dotnet-apphost-pack-6.0 | < 6.0.35-1.el8_10 |
| pkg:rpm/almalinux/dotnet-apphost-pack-8.0 | < 8.0.10-1.el8_10 |
| pkg:rpm/almalinux/dotnet-host | < 8.0.10-1.el8_10 |
| pkg:rpm/almalinux/dotnet-hostfxr-6.0 | < 6.0.35-1.el8_10 |
| pkg:rpm/almalinux/dotnet-hostfxr-8.0 | < 8.0.10-1.el8_10 |
| pkg:rpm/almalinux/dotnet-runtime-6.0 | < 6.0.35-1.el8_10 |
| pkg:rpm/almalinux/dotnet-runtime-8.0 | < 8.0.10-1.el8_10 |
| pkg:rpm/almalinux/dotnet-runtime-dbg-8.0 | < 8.0.10-1.el8_10 |
| pkg:rpm/almalinux/dotnet-sdk-6.0 | < 6.0.135-1.el8_10 |
| pkg:rpm/almalinux/dotnet-sdk-6.0-source-built-artifacts | < 6.0.135-1.el8_10 |
| pkg:rpm/almalinux/dotnet-sdk-8.0 | < 8.0.110-1.el8_10 |
| pkg:rpm/almalinux/dotnet-sdk-8.0-source-built-artifacts | < 8.0.110-1.el8_10 |
| pkg:rpm/almalinux/dotnet-sdk-dbg-8.0 | < 8.0.110-1.el8_10 |
| pkg:rpm/almalinux/dotnet-targeting-pack-6.0 | < 6.0.35-1.el8_10 |
| pkg:rpm/almalinux/dotnet-targeting-pack-8.0 | < 8.0.10-1.el8_10 |
| pkg:rpm/almalinux/dotnet-templates-6.0 | < 6.0.135-1.el8_10 |
| pkg:rpm/almalinux/dotnet-templates-8.0 | < 8.0.110-1.el8_10 |
| pkg:rpm/almalinux/netstandard-targeting-pack-2.1 | < 8.0.110-1.el8_10 |

- Microsoft/Microsoft Visual Studio 2022 version 17.10 [v5], range: 17.10
- Microsoft/Microsoft Visual Studio 2022 version 17.11 [v5], range: 17.11
- Microsoft/Microsoft Visual Studio 2022 version 17.6 [v5], range: 17.6.0
- Microsoft/Microsoft Visual Studio 2022 version 17.8 [v5], range: 17.8.0
- Microsoft/.NET 6.0 [v5], range: 6.0.0
- Microsoft/.NET 8.0 [v5], range: 8.0.0
- Microsoft/PowerShell 7.2 [v5], range: 7.2.0
- Microsoft/PowerShell 7.4 [v5], range: 7.4.0
- Microsoft/PowerShell 7.5 [v5], range: 7.5.0
References
- github.com/advisories/GHSA-8g4q-xg66-9fp4 (ghsa, ADVISORY)
- msrc.microsoft.com/update-guide/vulnerability/CVE-2024-43485 (ghsa, vendor-advisory, WEB)
- nvd.nist.gov/vuln/detail/CVE-2024-43485 (ghsa, ADVISORY)
- github.com/dotnet/announcements/issues/329 (ghsa, WEB)
- github.com/dotnet/runtime/issues/108678 (ghsa, WEB)
- github.com/dotnet/runtime/security/advisories/GHSA-8g4q-xg66-9fp4 (ghsa, WEB)