CVE-2024-21907
Published: 2024-01-03
Priority: P3 55 · Severity: high · CVSS 3.1 base score: 7.5
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:N / I:N / A:H
EPSS: 32.91% (98.1st percentile)
Newtonsoft.Json before version 13.0.1 is affected by a mishandling of exceptional conditions vulnerability. Crafted data that is passed to the JsonConvert.DeserializeObject method may trigger a StackOverflow exception resulting in denial of service. Depending on the usage of the library, an unauthenticated and remote attacker may be able to cause the denial of service condition.
Affected (5 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| msrc | microsoft_sql_server_2016_for_x64-based_systems_service_pack_3 | — | — |
| msrc | microsoft_sql_server_2016_for_x64-based_systems_service_pack_3_azure_connect_fea | — | — |
| msrc | microsoft_sql_server_2017_for_x64-based_systems | — | — |
| msrc | microsoft_sql_server_2019_for_x64-based_systems | — | — |
| newtonsoft | json.net | < 13.0.1 | 13.0.1 |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
| osv | — | 7.5 | HIGH | — |
| vendor_msrc | — | 7.5 | HIGH | — |
OSV
CVE-2024-21907: Newtonsoft (osv · 2024-01-03 · CVSS 7.5 · HIGH)
Same description as the summary above.
GHSA
Improper Handling of Exceptional Conditions in Newtonsoft.Json (ghsa · 2022-06-22 · CVE-2024-21907 · HIGH · CWE-755)
Newtonsoft.Json prior to version 13.0.1 is vulnerable to Insecure Defaults due to improper handling of expressions with a high nesting level, which leads to a StackOverflow exception or to high CPU and RAM usage. Exploiting this vulnerability results in Denial of Service (DoS).
The serialization and deserialization paths have different properties regarding the issue.
Deserializing methods (like `JsonConvert.DeserializeObject`) will process the input, burning CPU, allocating memory, and consuming a thread of execution. A very high nesting level (more than 10 million levels, about 9.5MB of `{a:{a:{...` input) is needed to push latency over 10 seconds, depending on the hardware.
Serializing methods (like `JsonConvert.Serialize` or `JObje
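The defensive check a consumer of this library wants is an explicit nesting bound, so that hostile input fails with a catchable `JsonReaderException` instead of a process-killing stack overflow. The following is an added example, not code from the advisory or from the Newtonsoft.Json project; it uses the real `JsonSerializerSettings.MaxDepth` property (64 is the default that 13.0.1 introduced; earlier releases had no limit unless you set one) and a constructed `{"a":{"a":...}}` input.

```csharp
// Added example: bound JSON nesting depth explicitly so deeply nested input
// is rejected with a JsonReaderException rather than exhausting the stack.
using System;
using System.Text;
using Newtonsoft.Json;

public static class DepthBoundedDeserializer
{
    // Explicit cap. 13.0.1 ships 64 as the default; on older versions this
    // setting is the mitigation, on 13.0.1+ it documents the bound you rely on.
    private static readonly JsonSerializerSettings Settings = new JsonSerializerSettings
    {
        MaxDepth = 64
    };

    // Returns true when the document parsed within the depth limit,
    // false (with the reader's message in 'error') when it was rejected.
    public static bool TryDeserialize<T>(string json, out T result, out string error)
    {
        result = default;
        error = null;
        try
        {
            result = JsonConvert.DeserializeObject<T>(json, Settings);
            return true;
        }
        catch (JsonReaderException ex) // thrown when MaxDepth is exceeded
        {
            error = ex.Message;
            return false;
        }
    }

    // Constructed sample input: {"a":{"a":{...null...}}} nested 'levels' deep.
    public static string Nested(int levels)
    {
        var sb = new StringBuilder();
        for (int i = 0; i < levels; i++) sb.Append("{\"a\":");
        sb.Append("null");
        for (int i = 0; i < levels; i++) sb.Append('}');
        return sb.ToString();
    }

    public static void Main()
    {
        // Shallow document is accepted; a 500-level document is refused.
        Console.WriteLine(TryDeserialize<object>(Nested(10), out _, out _));
        Console.WriteLine(TryDeserialize<object>(Nested(500), out _, out var err));
        Console.WriteLine(err);
    }
}
```

Pair the bound with an inbound request-size limit at the web host, since the advisory notes that the CPU and memory cost scales with input size even below the stack-overflow threshold.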
Microsoft
VulnCheck: CVE-2024-21907 Improper Handling of Exceptional Conditions in Newtonsoft.Json (vendor_msrc · 2025-09-09 · CVSS 7.5 · HIGH · CWE-1395)
Description: CVE-2024-21907 addresses a mishandling of exceptional conditions vulnerability in Newtonsoft.Json before version 13.0.1. Crafted data that is passed to the JsonConvert.DeserializeObject method may trigger a StackOverflow exception resulting in denial of service. Depending on the usage of the library, an unauthenticated and remote attacker may be able to cause the denial of service condition. The documented SQL Server updates incorporate updates in Newtonsoft.Json which address this vulnerability.
Please see CVE-2024-21907 for more information.
FAQ: I am running SQL Server on my system. What action do I need to take?
Update your relevant version of SQL Server. Any applicable driver fixes
No detection rules found.
No public exploits indexed.
Checkpoint
15th September – Threat Intelligence Report (blogs_checkpoint · 2025-09-15 · tagged CVE-2025-55234)
For the latest discoveries in cyber research for the week of 15th September, please download our Threat Intelligence Bulletin.
TOP ATTACKS AND BREACHES
Panama’s Ministry of Economy and Finance (MEF) was hit by a ransomware attack that resulted in the theft of more than 1.5TB of data, including emails, financial documents, and budgeting details. The compromised information exposes sensitive institutional records tied to the country’s fiscal operations and management.
Bleepingcomputer
Microsoft September 2025 Patch Tuesday fixes 81 flaws, two zero-days (blogs_bleepingcomputer · 2025-09-09 · CVSS 8.8 · HIGH · by Lawrence Abrams)
- 41 Elevation of Privilege Vulnerabilities
- 2 Security Feature Bypass Vulnerabilities
- 22 Remote Code Execution Vulnerabilities
- 16 Information Disclosure Vulnerabilities
- 3 Denial of Service Vulnerabilities
- 1 Spoofing Vulnerability
When BleepingComputer reports on the Patch Tuesday security updates, we only count those released on Patch Tuesday.
Therefore, the number of flaws does not include three Azure, one Dynamics 365 FastTrack Implementation Assets, two Mariner, five Microsoft Edge, and one Xbox vulnerabilities fixed earlier this month.
To learn more about the non-security updates released today, you can review our dedicated articles on the Windows 11 KB5065426 & KB5065431 cumulative updat
Qualys
Microsoft and Adobe Patch Tuesday, September 2025 Security Update Review (blogs_qualys · 2025-09-09)
## Table of Contents
- Microsoft Patch Tuesday for September 2025
- Adobe Patches for September 2025
- Zero-day Vulnerabilities Patched in September Patch Tuesday Edition
- Critical Severity Vulnerabilities Patched in September Patch Tuesday Edition
- Other Microsoft Vulnerability Highlights
- Microsoft Release Summary
- Discover and Prioritize Vulnerabilities in Vulnerability Management, Detection & Response (VMDR)
- Rapid Response with TruRisk Eliminate
- Automating Risk Elimination and Accelerating Response: Meet Agent Sara
- Evaluate Vendor-Suggested Mitigation with Policy Audit
- Qualys Monthly Webinar Series
It’s the second Tuesday of September, and Microsoft has rolled out its latest security updates. Microsoft’s September 2025 Patch Tuesday has arrived, bringing a fresh wave of security fixes
Crowdstrike
September 2025 Patch Tuesday: Updates and Analysis (blogs_crowdstrike · CVSS 7.5 · HIGH · tagged CVE-2026-20929)
References
- https://alephsecurity.com/2018/10/22/StackOverflowException/
- https://alephsecurity.com/vulns/aleph-2018004
- https://github.com/JamesNK/Newtonsoft.Json/commit/7e77bbe1beccceac4fc7b174b53abfefac278b66
- https://github.com/JamesNK/Newtonsoft.Json/issues/2457
- https://github.com/JamesNK/Newtonsoft.Json/pull/2462
- https://github.com/advisories/GHSA-5crp-9r3c-p9vr
- https://security.snyk.io/vuln/SNYK-DOTNET-NEWTONSOFTJSON-2774678
- https://vulncheck.com/advisories/vc-advisory-GHSA-5crp-9r3c-p9vr