
CG alert on Newtonsoft.Json 13.0.1 #3350

@MichaelSimons

Description


.NET source builds, which include building azure-activedirectory-identitymodel-extensions-for-dotnet, are failing CG checks with the following:

CVE-2024-21907

Description
Newtonsoft.Json before version 13.0.1 is affected by a mishandling of exceptional conditions vulnerability. Crafted data that is passed to the JsonConvert.DeserializeObject method may trigger a StackOverflow exception resulting in denial of service. Depending on the usage of the library, an unauthenticated and remote attacker may be able to cause the denial of service condition.

Location
/src/externalPackages/src/azure-activedirectory-identitymodel-extensions-for-dotnet/build/cgmanifest.json

This may be a new alert caused by new detection logic in CG.

The cgmanifest file references Newtonsoft.Json 13.0.1 as a component. This appears out of date as the actual version referenced by the source appears newer.

Is it even necessary to call out this component in the manifest? Won't it get detected via the NuGet package references the projects have?
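The check the issue is really asking for is whether the versions declared in cgmanifest.json still agree with what the project files reference. The script below is an added example, not code from dotnet/source-build or from azure-activedirectory-identitymodel-extensions-for-dotnet: it parses a manifest in the Registrations / Component / Type / Nuget layout that Component Governance consumes (assumed here), collects PackageReference and PackageVersion elements from MSBuild files (resolving simple `$(Property)` versions from PropertyGroups in the same file), and reports every NuGet component whose manifest version set differs from the referenced set. The manifest and project file are constructed samples; the `13.0.3` in the project file is an arbitrary newer version chosen for the demo, not a statement about what the real repository references.

```python
"""Cross-check NuGet versions in a cgmanifest.json against MSBuild package references.

Added example for this issue; not code from the source-build or identitymodel repos.
The sample inputs below are constructed, including the 13.0.3 version string.
"""
import json
import re
import xml.etree.ElementTree as ET
from typing import Dict, List, Set, Tuple

# Constructed sample manifest. Layout (Registrations -> Component -> Type/Nuget)
# is the cgmanifest shape consumed by Component Governance, assumed here.
SAMPLE_CGMANIFEST = """{
  "Registrations": [
    {"Component": {"Type": "nuget", "Nuget": {"Name": "Newtonsoft.Json", "Version": "13.0.1"}}},
    {"Component": {"Type": "nuget", "Nuget": {"Name": "System.Text.Json", "Version": "8.0.0"}}}
  ],
  "Version": 1
}"""

# Constructed sample project file. The version is held in a property, as many
# .NET repos do, so the checker has to resolve $(NewtonsoftJsonVersion).
SAMPLE_CSPROJ = """<Project Sdk="Microsoft.NET.Sdk">
  <PropertyGroup>
    <NewtonsoftJsonVersion>13.0.3</NewtonsoftJsonVersion>
  </PropertyGroup>
  <ItemGroup>
    <PackageReference Include="Newtonsoft.Json" Version="$(NewtonsoftJsonVersion)" />
    <PackageReference Include="System.Text.Json" Version="8.0.0" />
  </ItemGroup>
</Project>"""


def _local_name(tag: str) -> str:
    """Strip an XML namespace prefix ('{ns}Tag' -> 'Tag'); old-style csproj files have one."""
    return tag.rsplit("}", 1)[-1]


def manifest_versions(text: str) -> Dict[str, Set[str]]:
    """Map lower-cased NuGet package name -> set of versions declared in the manifest."""
    out: Dict[str, Set[str]] = {}
    for reg in json.loads(text).get("Registrations", []):
        comp = reg.get("Component", {})
        if comp.get("Type", "").lower() != "nuget":
            continue  # only NuGet components are compared against PackageReferences
        info = comp.get("Nuget") or comp.get("NuGet") or {}
        name, version = info.get("Name"), info.get("Version")
        if name and version:
            out.setdefault(name.lower(), set()).add(version)
    return out


def msbuild_versions(text: str) -> Dict[str, Set[str]]:
    """Map lower-cased package name -> set of versions referenced in one MSBuild file."""
    root = ET.fromstring(text)
    props: Dict[str, str] = {}
    for elem in root.iter():
        if _local_name(elem.tag) == "PropertyGroup":
            for prop in elem:
                if prop.text:
                    props[_local_name(prop.tag)] = prop.text.strip()

    def resolve(value: str) -> str:
        # Substitute $(Prop) from this file's PropertyGroups; an unknown property is
        # left as a literal so it surfaces as drift instead of being silently dropped.
        return re.sub(r"\$\((\w+)\)", lambda m: props.get(m.group(1), m.group(0)), value)

    out: Dict[str, Set[str]] = {}
    for elem in root.iter():
        if _local_name(elem.tag) not in ("PackageReference", "PackageVersion"):
            continue
        name = elem.get("Include") or elem.get("Update")
        version = elem.get("Version") or elem.get("VersionOverride")
        if version is None:  # <PackageReference Include="X"><Version>1.2.3</Version></PackageReference>
            for child in elem:
                if _local_name(child.tag) == "Version" and child.text:
                    version = child.text.strip()
        if name and version:
            out.setdefault(name.lower(), set()).add(resolve(version))
    return out


def find_drift(manifest: Dict[str, Set[str]],
               refs: Dict[str, Set[str]]) -> List[Tuple[str, Set[str], Set[str]]]:
    """Return (name, manifest_versions, referenced_versions) for every mismatching component."""
    drift = []
    for name, mver in sorted(manifest.items()):
        rver = refs.get(name, set())
        if mver != rver:
            drift.append((name, mver, rver))
    return drift


def run_check() -> List[Tuple[str, Set[str], Set[str]]]:
    """Run the comparison over the constructed samples."""
    return find_drift(manifest_versions(SAMPLE_CGMANIFEST), msbuild_versions(SAMPLE_CSPROJ))


if __name__ == "__main__":
    for name, declared, referenced in run_check():
        print(f"{name}: cgmanifest says {sorted(declared)}, projects reference {sorted(referenced) or 'nothing'}")
```

On the sample input the only finding is Newtonsoft.Json, declared as 13.0.1 in the manifest while the project resolves to 13.0.3; an entry present in the manifest but referenced by no project file would also be reported, which is the signal that the manual registration is redundant with what the NuGet references already expose.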

Labels: P1 (More important, prioritize highly)