CVE-2025-11573: Amazon.IonDotnet is vulnerable to Denial of Service attacks
Basic Information
Technical Details
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| Amazon.IonDotnet | nuget | < 1.3.2 | 1.3.2 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability is a Denial of Service in the Amazon.IonDotnet library, caused by infinite loops when parsing malformed Ion text. The root cause is the improper handling of unexpected End-Of-File (EOF) conditions within parsing functions for blobs and various string types.
The analysis of the patch commit edaff75fe5abbb71e647bed812c608c0c5e2fbab reveals that the file Amazon.IonDotnet/Internals/Text/TextScanner.cs was modified to fix these issues. The changes consistently involve adding or correcting EOF checks inside while(true) loops within functions responsible for parsing or skipping over specific Ion data types.
Specifically, the functions LoadBlob, SkipOverBlob, SkipTripleQuotedString, SkipSingleQuotedString, and SkipDoubleQuotedString were modified. Before the patch, if a specially crafted input caused a premature end to the data (e.g., an unterminated string or blob), the parsing loops in these functions would fail to terminate. The ReadChar() method would continuously return an EOF indicator, but the loop's exit condition would never be met, leading to 100% CPU utilization.
The patch addresses this by ensuring that an UnexpectedEofException is thrown whenever an EOF is encountered in an invalid position. This is achieved by replacing incorrect EOF constants and adding explicit checks after reading from the input stream, especially in edge cases like after an escape character. The identified functions are precisely where this faulty logic existed, and they would appear in a profiler's stack trace during an exploit.
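To make the loop-termination bug concrete, here is an added toy model of the pattern described above (not code from Amazon.IonDotnet; the scanner and function names are hypothetical): a skip-quoted-string loop that only exits on the closing quote beside the patched shape that raises on EOF, including right after an escape character. The vulnerable variant takes an iteration guard so the demonstration itself terminates.

```python
# Added example modelling the EOF-handling bug pattern; not Amazon.IonDotnet code.
EOF = -1  # constructed EOF indicator, analogous to what ReadChar() returns at end of input


class UnexpectedEofException(Exception):
    """Raised when the input ends inside a construct that must be terminated."""


class ToyScanner:
    """Hypothetical stand-in for TextScanner: ReadChar() keeps returning EOF once exhausted."""

    def __init__(self, text: str):
        self._data = text
        self._pos = 0

    def read_char(self) -> int:
        if self._pos >= len(self._data):
            return EOF  # returned forever from here on, never a quote
        c = ord(self._data[self._pos])
        self._pos += 1
        return c


def skip_single_quoted_string_vulnerable(scanner: ToyScanner, max_iterations: int = 10_000) -> int:
    """Pre-patch shape: the only exit is a closing quote, so at EOF the loop spins.
    max_iterations is a demo guard; returns the iteration count reached."""
    iterations = 0
    while True:
        iterations += 1
        if iterations > max_iterations:
            return iterations  # on real input this loop would never return
        c = scanner.read_char()
        if c == ord("'"):
            return iterations
        if c == ord("\\"):
            scanner.read_char()  # escaped char consumed with no EOF check


def skip_single_quoted_string_fixed(scanner: ToyScanner) -> int:
    """Patched shape: every read is checked for EOF, including after an escape."""
    consumed = 0
    while True:
        c = scanner.read_char()
        if c == EOF:
            raise UnexpectedEofException("EOF inside single-quoted string")
        consumed += 1
        if c == ord("'"):
            return consumed
        if c == ord("\\"):
            if scanner.read_char() == EOF:
                raise UnexpectedEofException("EOF after escape character")
            consumed += 1
```

Feeding the unterminated inputs `abc` or `ab\` to the vulnerable function exhausts the guard, while the fixed function fails fast with UnexpectedEofException instead of pinning a CPU core.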
Vulnerable functions
Amazon.IonDotnet.Internals.Text.TextScanner.LoadBlob (Amazon.IonDotnet/Internals/Text/TextScanner.cs)
Amazon.IonDotnet.Internals.Text.TextScanner.SkipOverBlob (Amazon.IonDotnet/Internals/Text/TextScanner.cs)
Amazon.IonDotnet.Internals.Text.TextScanner.SkipTripleQuotedString (Amazon.IonDotnet/Internals/Text/TextScanner.cs)
Amazon.IonDotnet.Internals.Text.TextScanner.SkipSingleQuotedString (Amazon.IonDotnet/Internals/Text/TextScanner.cs)
Amazon.IonDotnet.Internals.Text.TextScanner.SkipDoubleQuotedString (Amazon.IonDotnet/Internals/Text/TextScanner.cs)