Amazon.IonDotnet is vulnerable to Denial of Service attacks

Amazon.IonDotnet is a library for the Dotnet language that is used to read and write Amazon Ion data. An issue exists where, under certain circumstances, the library could an infinite loop, resulting in denial of service. As of August 20, 2025, this library has been deprecated and will not receiv...

Infinite loop

Overview Affected versions of this package are vulnerable to Infinite loop via the RawBinaryReader class. This is due to a missing check of the number of bytes read from the underlying stream while deserializing the binary format when reading binary Ion data. Remediation Upgrade Amazon.IonDotnet ...

CVE-2025-3857

Summary: A vulnerability in Amazon.IonDotnet’s RawBinaryReader can cause an infinite loop when reading binary Ion data if the input is malformed or truncated, due to not checking the number of bytes read from the underlying stream. This could lead to denial of service. Affected versions: Amazon.I...

CVE-2024-21634

A vulnerability was found in Amazon Ion, an implementation of Ion data notation. Ion-java may be affected by denial of service DoS due to issues while deserializing encoded data into IonValue. A maliciously crafted Ion data structure may be processed and cause a StackOverflowError, leaving the...

CVE-2024-21634 Ion Java StackOverflow vulnerability

Amazon Ion is a Java implementation of the Ion data notation. Prior to version 1.10.5, a potential denial-of-service issue exists in ion-java for applications that use ion-java to deserialize Ion text encoded data, or deserialize Ion text or binary encoded data into the IonValue model and then...