
CVE-2025-3857: Infinite loop condition in Amazon.IonDotnet

CVSS Score: 7.5 (CVSS v3.1)

Basic Information

EPSS Score: 0.14712%
Published: 4/21/2025
Updated: 4/23/2025
KEV Status: No
Technology: C#

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Package Name: Amazon.IonDotnet
Ecosystem: nuget
Vulnerable Versions: < 1.3.1
First Patched Version: 1.3.1

Vulnerability Intelligence

Miggo AI Root Cause Analysis

The advisory states that the RawBinaryReader class is affected and that an infinite loop can occur when reading malformed or truncated binary Ion data. The referenced commit 34a4f5215eceac1bb7bf434c4f2310d64d1b703b modifies Amazon.IonDotnet/Internals/Binary/RawBinaryReader.cs, specifically the ReadAll method. The patch adds a check for amount == 0 inside the while (length > 0) loop. If this.input.Read returns 0 (end of stream, no bytes read) while length is still positive, the original code loops forever, because length is only decremented by the number of bytes read and a zero-byte read never reduces it. The added check throws an UnexpectedEofException, which terminates the loop. ReadAll is therefore the vulnerable function: it contained the read loop that spins indefinitely on truncated input. This is consistent with the CVSS vector, which records an availability-only impact (A:H) reachable by an unauthenticated remote party (AV:N, PR:N): a single truncated payload is enough to hang the thread that parses it.
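The two loop shapes described above, as an added example that is not code from the ion-dotnet repository or from the commit: the vulnerable "read exactly N bytes" loop beside the hardened one. The UnexpectedEofException type, the ReadLoopDemo class, the maxZeroReads instrumentation and the sample bytes are all assumptions made for this example; the input is a constructed truncated payload, not real Ion data. The pattern generalises beyond this CVE to any length-prefixed framing read from a .NET Stream, where a short but non-zero read is normal and only a return value of 0 signals end of stream.

```csharp
using System;
using System.IO;

// Stand-in for the exception the patch throws; a local definition for this
// example, not the library's own type.
public sealed class UnexpectedEofException : Exception
{
    public UnexpectedEofException(string message) : base(message) { }
}

public static class ReadLoopDemo
{
    // Vulnerable shape of a "read exactly `length` bytes" loop.
    // Stream.Read may return fewer bytes than requested, which is why a loop is
    // needed at all; but it returns 0 only at end of stream, and 0 never reduces
    // `length`, so a truncated input makes this loop spin forever.
    // `maxZeroReads` is instrumentation added for this example so the hang is
    // observable instead of fatal; the real vulnerable code had no such exit.
    public static int ReadAllVulnerable(Stream input, byte[] buffer, int length, int maxZeroReads)
    {
        int offset = 0;
        int zeroReads = 0;
        while (length > 0)
        {
            int amount = input.Read(buffer, offset, length);
            if (amount == 0 && ++zeroReads >= maxZeroReads)
            {
                return -1; // would otherwise loop indefinitely
            }
            offset += amount;
            length -= amount;
        }
        return offset;
    }

    // Hardened shape: a zero-byte read means the stream ended early, so fail fast
    // rather than retrying a call that can never make progress.
    public static int ReadAllFixed(Stream input, byte[] buffer, int length)
    {
        int offset = 0;
        while (length > 0)
        {
            int amount = input.Read(buffer, offset, length);
            if (amount == 0)
            {
                throw new UnexpectedEofException(
                    $"stream ended with {length} byte(s) still expected");
            }
            offset += amount;
            length -= amount;
        }
        return offset;
    }

    public static void Main()
    {
        // Constructed input: a hypothetical length field promised 8 bytes,
        // but only 3 are present, i.e. a truncated payload.
        byte[] truncated = { 0x01, 0x02, 0x03 };
        const int declaredLength = 8;

        int spun = ReadAllVulnerable(new MemoryStream(truncated), new byte[declaredLength],
                                     declaredLength, maxZeroReads: 1000);
        Console.WriteLine(spun == -1
            ? "vulnerable loop: 1000 consecutive zero-byte reads, no progress, would never return"
            : $"vulnerable loop: returned {spun} bytes");

        try
        {
            ReadAllFixed(new MemoryStream(truncated), new byte[declaredLength], declaredLength);
            Console.WriteLine("fixed loop: unexpectedly succeeded");
        }
        catch (UnexpectedEofException e)
        {
            Console.WriteLine("fixed loop: " + e.Message);
        }

        // Well-formed input is unaffected by the check.
        byte[] complete = { 1, 2, 3, 4, 5, 6, 7, 8 };
        int n = ReadAllFixed(new MemoryStream(complete), new byte[declaredLength], declaredLength);
        Console.WriteLine($"fixed loop on complete input: read {n} bytes");
    }
}
```

Drop the file into a console project and run it with dotnet run. The check belongs in every such loop, not only in parsers: over a socket the same zero-byte return is how a peer closing the connection shows up, and without it a client that drops mid-frame pins the reading thread for good.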

WAF Protection Rules

WAF Rule

Summary: Amazon.IonDotnet (ion-dotnet) (https://github.com/amazon-ion/ion-dotnet) is a .NET library with an implementation of the Ion data serialization format (https://amazon-ion.github.io/ion-docs/). An issue exists in Amazon.IonDotnet and th…