GHSA-92vj-hp7m-gwcj
Nerdbank.MessagePack has Inefficient CPU Computation
Details
### Impact
Applications that call `OptionalConverters.WithExpandoObjectConverter` and deserialize untrusted data are exposed to a CPU-exhaustion (denial-of-service) vulnerability. `ExpandoObject`'s `Add` method is an `O(n)` operation in the number of properties already present, so deserializing a payload that declares a great many properties costs `O(n²)` CPU time overall, and an attacker can exploit this to burn an inordinate amount of CPU effort.
### Patches
Update to a patched version.
If a project's `ExpandoObject` data requires more than 128 properties, the default limit should be changed:
```cs
this.Serializer = this.Serializer with
{
    StartingContext = this.Serializer.StartingContext with
    {
        Security = this.Serializer.StartingContext.Security with
        {
            ExpandoObjectMaxPropertyCount = 256, // Set this to whatever limit is required by your application
        },
    },
};
```
### Workarounds
Avoid the non-default `WithExpandoObjectConverter` extension method when deserializing untrusted data. If deserializing untrusted data into an `ExpandoObject` is required, developers should write a custom converter for their project that limits the number of properties allowed before initializing the object.
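The property-count check the workaround describes, as an added example that is not the library's own code. The converter reads the MessagePack map header, which states how many key/value pairs follow, and rejects the payload before allocating the `ExpandoObject` when that count exceeds the limit, so an oversized payload costs `O(1)` rather than `n` calls to an `O(n)` `Add`. The class name `BoundedExpandoObjectConverter` is hypothetical, and the converter API shape used here (`MessagePackConverter<T>.Read`/`Write`, `MessagePackReader.ReadMapHeader`/`ReadString`/`TryReadNil`, `MessagePackWriter.WriteMapHeader`/`WriteNil`, `SerializationContext.DepthStep`/`GetConverter<T>`, `MessagePackSerializationException`) is assumed from Nerdbank.MessagePack's public converter model and should be checked against the version in use:

```csharp
using System.Collections.Generic;
using System.Dynamic;
using Nerdbank.MessagePack;

// Hypothetical converter (added example, not part of Nerdbank.MessagePack).
// The base-class and reader/writer member names below are assumptions about the
// library's converter API; verify them against the installed package version.
public sealed class BoundedExpandoObjectConverter : MessagePackConverter<ExpandoObject>
{
    private readonly int maxPropertyCount;

    // 128 matches the default limit the patched library applies.
    public BoundedExpandoObjectConverter(int maxPropertyCount = 128)
    {
        this.maxPropertyCount = maxPropertyCount;
    }

    public override ExpandoObject? Read(ref MessagePackReader reader, SerializationContext context)
    {
        if (reader.TryReadNil())
        {
            return null;
        }

        context.DepthStep();

        // The map header declares the number of key/value pairs that follow.
        // Checking it *before* creating the ExpandoObject rejects an oversized
        // payload in constant time instead of paying O(n) per Add, n times.
        int count = reader.ReadMapHeader();
        if (count > this.maxPropertyCount)
        {
            throw new MessagePackSerializationException(
                $"ExpandoObject payload declares {count} properties; the limit is {this.maxPropertyCount}.");
        }

        var result = new ExpandoObject();
        IDictionary<string, object?> members = result;
        MessagePackConverter<object> valueConverter = context.GetConverter<object>();

        for (int i = 0; i < count; i++)
        {
            string key = reader.ReadString()
                ?? throw new MessagePackSerializationException("Property names must be non-null strings.");

            // Indexer assignment rather than Add: a duplicate key overwrites instead of
            // throwing, and the bounded count keeps the total work small either way.
            members[key] = valueConverter.Read(ref reader, context);
        }

        return result;
    }

    public override void Write(ref MessagePackWriter writer, in ExpandoObject? value, SerializationContext context)
    {
        if (value is null)
        {
            writer.WriteNil();
            return;
        }

        context.DepthStep();

        IDictionary<string, object?> members = value;
        MessagePackConverter<object> valueConverter = context.GetConverter<object>();

        writer.WriteMapHeader(members.Count);
        foreach (KeyValuePair<string, object?> member in members)
        {
            writer.Write(member.Key);
            valueConverter.Write(ref writer, member.Value, context);
        }
    }
}
```

Register the converter on the serializer in place of the one `WithExpandoObjectConverter` would add, and size the limit to what the application actually needs; a tighter limit than the library default costs nothing for legitimate payloads and shrinks the work an attacker-controlled map header can cause.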
Affected packages
Nerdbank.MessagePack: all versions before 1.2.4 are affected. Fixed in: 1.2.4
```
dotnet add package Nerdbank.MessagePack --version 1.2.4
```