
Consuming older version of NewtonSoft.Json (9.0.1) vulnerable to a Denial of Service (DoS) attack. Please update it to latest 13.0.1 version available. #576

Open
GSDevgun opened this issue Jan 5, 2022 · 6 comments

Comments

@GSDevgun

GSDevgun commented Jan 5, 2022

Installed product versions

  • Visual Studio: 2019

Description

BundlerMinifier consuming older version of NewtonSoft.Json (9.0.1) which is vulnerable to a Denial of Service (DoS) attack. Please update it to latest 13.0.1 version available.

Issue being raised during Sonatype scanning.

Explanation: The Newtonsoft.Json package is vulnerable to a Denial of Service (DoS) attack. The JsonSerializerSettings.cs file and the constructor in the JsonReader class fails to enforce a sufficient maximum depth when serializing nested JSON objects. Consequently, serializing large numbers of nested JSON objects may cause the application to crash with a StackOverflowException. A remote attacker who can supply JSON data to be serialized by the application can exploit this vulnerability to cause a DoS condition or other unexpected behavior.

Detection: The application is vulnerable by using this component.

Recommendation: We recommend upgrading to a version of this component that is not vulnerable to this specific issue.
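The Sonatype explanation above describes the root cause (no default nesting limit, so the deserializer recurses once per level of a nested document). The following is an added C# example, not code from BundlerMinifier or from anyone in this thread, that builds a constructed deeply nested payload and deserializes it once with an explicit MaxDepth and once without. The Node type, its Children property and the depth of 100000 are illustrative assumptions, not anything the page mentions.

```csharp
using System;
using System.Text;
using Newtonsoft.Json;

// Hypothetical recursive model, constructed for this example: each level of the
// JSON document maps to one more nested Node, so the serializer recurses per level.
public sealed class Node
{
    public Node[] Children { get; set; } = Array.Empty<Node>();
}

public static class DepthDemo
{
    // Constructed hostile input: {"Children":[ repeated `depth` times, then ]}
    // repeated `depth` times. Valid JSON, a few bytes per level, so a small request
    // body can carry tens of thousands of levels.
    public static string BuildNested(int depth)
    {
        var sb = new StringBuilder(depth * 16);
        for (int i = 0; i < depth; i++) sb.Append("{\"Children\":[");
        for (int i = 0; i < depth; i++) sb.Append("]}");
        return sb.ToString();
    }

    // Vulnerable pattern: before 13.0.1 MaxDepth defaulted to null (no limit), so
    // this call recurses once per level; with enough levels the process dies with a
    // StackOverflowException, which .NET does not let you catch.
    public static Node ParseUnbounded(string json)
    {
        var settings = new JsonSerializerSettings { MaxDepth = null };
        return JsonConvert.DeserializeObject<Node>(json, settings);
    }

    // Hardened pattern: cap nesting explicitly. 13.0.1 made 64 the default, but the
    // setting itself exists in older versions too, so code you control can apply it
    // even while a dependency still ships 9.0.1. The reader throws JsonReaderException
    // as soon as the limit is exceeded, before the call stack grows.
    public static Node ParseBounded(string json, int maxDepth = 64)
    {
        var settings = new JsonSerializerSettings { MaxDepth = maxDepth };
        return JsonConvert.DeserializeObject<Node>(json, settings);
    }

    public static void Main()
    {
        string hostile = BuildNested(100_000);

        try
        {
            ParseBounded(hostile);
            Console.WriteLine("unexpected: payload accepted");
        }
        catch (JsonReaderException ex)
        {
            Console.WriteLine("rejected: " + ex.Message);
        }

        // A legitimate document well under the limit still parses. MaxDepth counts
        // every container, so 10 Node levels here are 20 nested objects/arrays.
        Node ok = ParseBounded(BuildNested(10));
        Console.WriteLine("accepted depth-10 document: " + (ok != null));

        // ParseUnbounded(hostile) is intentionally not called: it terminates the process.
    }
}
```

Setting MaxDepth in your own JsonSerializerSettings only protects deserialization your code performs. It does nothing for the Newtonsoft.Json 9.0.1 copy that BundlerMinifier carries along, which is what the Sonatype, Whitesource and Mend scans in this thread keep flagging; for that, the package itself has to move to a fixed version.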

@gluip

gluip commented Oct 3, 2022

Any updates on this? This issue is also popping up when using code scanning tools like Whitesource

@Tony-KP

Tony-KP commented Mar 30, 2023

Also looking for info.... Anyone worked round this?

The nuget package lists no dependencies, and instead it seems that the NewtonSoft.json 9.0.1 dll is packaged with it? I'm not very familiar with how this all works but would assume it should be simply linked as a dependency with a version minimum/range rather than be packaged with it, and that would solve this issue?

Even though I believe referencing NewtonSoft.json 13.0.3 along with BundlerMinifier will mean that version 13.0.3 is ultimately included, tools like Whitesource/Mend still find that 9.0.1 dll that BundlerMinifier brings along with it....

At least that's how I'm understanding it?

@Inscramble

I have also been waiting for the solution to this issue. Any update?

@akshaybheda

akshaybheda commented Oct 4, 2023

any updates? Did anyone try to solve this issue?

@akshaybheda

@madskristensen Can you merge this PR #588 and create a new nuget?

@craig2812

Any updates on this or any other work that offers a solution to this issue?

6 participants