Hangfire.Core is vulnerable to Improper Handling of Exceptional Conditions
75
High Risk
Affected versions of this package depend on a vulnerable version of the Newtonsoft.Json library (versions prior to 13.0.1). Those Newtonsoft.Json versions are affected by CVE-2024-21907, which stems from insecure defaults when handling deeply nested expressions: parsing such input can trigger a StackOverflowException or excessive CPU and memory consumption, resulting in a Denial of Service (DoS). An attacker can exploit this by supplying input with a very high nesting level, exhausting system resources and causing the application to crash or become unresponsive. The risk can be mitigated by explicitly configuring the MaxDepth property in JsonSerializerSettings to bound the depth of nested objects during (de)serialization; this is what the patched version of Hangfire.Core does.
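The following is an added illustration, not code from the advisory or from the Hangfire project, of the MaxDepth mitigation the text describes: a nested JSON document of a chosen depth is constructed inline, and deserializing it with an explicit MaxDepth makes Newtonsoft.Json raise a JsonReaderException at the limit instead of recursing without bound. The limit of 64 and the helper names are assumptions chosen for the example; the Hangfire extension call shown in the comment is the global hook as I understand it and should be verified against your Hangfire version.

```csharp
// Added example (not from the advisory or from Hangfire's code base).
using System;
using System.Text;
using Newtonsoft.Json;
using Newtonsoft.Json.Linq;

public static class NestingDepthDemo
{
    // Constructed input: "[[[[ ... ]]]]" nested `depth` levels deep.
    public static string BuildNestedArray(int depth)
    {
        var sb = new StringBuilder(depth * 2);
        sb.Append('[', depth);
        sb.Append(']', depth);
        return sb.ToString();
    }

    // Parse with an explicit depth limit. Returns true when the document was
    // accepted and false when the reader refused it for exceeding MaxDepth.
    public static bool TryParseWithLimit(string json, int maxDepth)
    {
        var settings = new JsonSerializerSettings { MaxDepth = maxDepth };
        try
        {
            JsonConvert.DeserializeObject<JToken>(json, settings);
            return true;
        }
        catch (JsonReaderException ex)
        {
            // Newtonsoft.Json stops at the configured depth and reports it,
            // rather than consuming the stack on a deeply nested payload.
            Console.WriteLine($"rejected: {ex.Message}");
            return false;
        }
    }

    public static void Main()
    {
        // Assumption: 64 is only a sample limit; pick one that fits the
        // argument shapes your background jobs actually receive.
        const int limit = 64;

        Console.WriteLine(TryParseWithLimit(BuildNestedArray(10), limit));
        Console.WriteLine(TryParseWithLimit(BuildNestedArray(10_000), limit));

        // Hangfire serializes job arguments with Newtonsoft.Json, so the same
        // settings can be applied globally (assumed extension method; verify
        // it exists in the Hangfire version you run):
        // GlobalConfiguration.Configuration.UseSerializerSettings(
        //     new JsonSerializerSettings { MaxDepth = limit });
    }
}
```

Run the program with a Newtonsoft.Json package reference; the first call succeeds and the second is rejected at the limit. Newtonsoft.Json 13.0.1 and later apply a default MaxDepth of 64 on their own, which is why upgrading the dependency resolves the issue even without an explicit setting.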
You are affected if you are using a version that falls within the vulnerable ranges.
Hangfire.Core is vulnerable to Improper Handling of Exceptional Conditions in versions 0.5 - 1.8.15.
Upgrade the Hangfire.Core library to a patched version (later than 1.8.15).