ALEPH-2018004 - DOS vulnerability #2457

Closed · thomasvdb opened this issue Jan 19, 2021 · 3 comments · Fixed by #2462

Comments

thomasvdb commented Jan 19, 2021

We're using BlackDuck to scan our projects and recently Newtonsoft.Json was flagged as a medium security risk (BDSA-2018-5195) because of the following issue:

Newtonsoft.Json is vulnerable to denial-of-service (DoS) due to a stack overflow that can occur whenever nested objects are being processed. A remote attacker could cause a vulnerable application to crash by causing it to process a maliciously crafted JSON object.

The BDSA record points to this article which was created around 2018: https://alephsecurity.com/vulns/aleph-2018004
I've been searching for more information about this issue but can't find anything useful.

Do you have any more information about this?
The article states that the issue has been communicated. Has this been fixed or what's your opinion about this?


Silurus commented Jan 21, 2021

@thomasvdb I was fighting with the same problem and probably found a way to mitigate it by setting the MaxDepth serializer setting to 64 (or any other value you expect for your nesting object level):
https://www.newtonsoft.com/json/help/html/MaxDepth.htm

Instead of a stack overflow, you will get a JsonReaderException thrown by the Newtonsoft library.

[image attachment: DoS solution]
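The mitigation described in the comment above, as an added example (not code from the thread or from the Newtonsoft.Json project): a constructed deeply nested payload is deserialized with and without a MaxDepth cap. The helper names (DeeplyNestedJson, DeserializeBounded, DeserializeUnbounded) are assumptions for this illustration; the Newtonsoft.Json APIs used (JsonSerializerSettings.MaxDepth, JsonConvert.DeserializeObject, JsonReaderException) are real. Setting MaxDepth to null removes the limit, so the unbounded variant is shown for contrast only and is never called on the hostile input, since on affected versions that would terminate the process rather than throw.

```csharp
using System;
using System.Text;
using Newtonsoft.Json;

class MaxDepthDemo
{
    // Constructed attacker input: `depth` nested arrays, e.g. "[[[[...]]]]".
    // Each level costs one recursive call in the reader.
    static string DeeplyNestedJson(int depth)
    {
        var sb = new StringBuilder(depth * 2);
        sb.Append('[', depth);
        sb.Append(']', depth);
        return sb.ToString();
    }

    // Vulnerable form: MaxDepth = null disables the nesting limit, so a
    // sufficiently deep payload can exhaust the stack instead of throwing.
    static object DeserializeUnbounded(string json)
    {
        var settings = new JsonSerializerSettings { MaxDepth = null };
        return JsonConvert.DeserializeObject<object>(json, settings);
    }

    // Hardened form: cap nesting depth. Exceeding it raises JsonReaderException,
    // a catchable error instead of a process-killing StackOverflowException.
    static object DeserializeBounded(string json, int maxDepth = 64)
    {
        var settings = new JsonSerializerSettings { MaxDepth = maxDepth };
        return JsonConvert.DeserializeObject<object>(json, settings);
    }

    static void Main()
    {
        // Benign input well inside the limit still deserializes normally.
        object ok = DeserializeBounded("{\"a\":[1,{\"b\":[2]}]}");
        Console.WriteLine($"benign input accepted: {ok != null}");

        // Hostile input: 100000 levels is far beyond any legitimate document.
        string payload = DeeplyNestedJson(100_000);
        try
        {
            DeserializeBounded(payload);
            Console.WriteLine("unexpected: hostile payload accepted");
        }
        catch (JsonReaderException ex)
        {
            Console.WriteLine($"hostile payload rejected: {ex.Message}");
        }
    }
}
```

Apply the same MaxDepth setting to any JsonTextReader or JsonSerializer you create directly, and set it on the JsonSerializerSettings passed to framework integrations (for example ASP.NET input formatters), since a cap configured only on one code path leaves the others exposed.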

JamesNK (Owner) commented Jan 21, 2021

Yes, MaxDepth setting is designed for this situation.


Silurus commented Jan 22, 2021

@JamesNK maybe it is worth setting a default MaxDepth value for the json library? Do you have such plans?
I'm just worried about other people who don't know about this vulnerability and might still use the library to deserialize some generalized types like "object".

jefflill added a commit to nforgeio/neonKUBE that referenced this issue Jun 22, 2022