GHSA-92vj-hp7m-gwcj
Nerdbank.MessagePack has Inefficient CPU Computation
Details
### Impact
Applications that call `OptionalConverters.WithExpandoObjectConverter` and deserialize untrusted data are exposed to a CPU-exhaustion (denial-of-service) vulnerability. The `Add` method of `ExpandoObject` is O(n) in the number of properties already present, so populating one object with n properties costs O(n²) in total; an attacker can therefore burn an inordinate amount of CPU by sending a payload that declares a great many properties.
### Patches
Update to a patched version (1.2.4 or later). The patched version enforces a default limit of 128 properties per `ExpandoObject` during deserialization.
If a project's `ExpandoObject` data legitimately requires more than 128 properties, raise the default limit:
```cs
this.Serializer = this.Serializer with
{
    StartingContext = this.Serializer.StartingContext with
    {
        Security = this.Serializer.StartingContext.Security with
        {
            ExpandoObjectMaxPropertyCount = 256, // Set this to whatever limit is required by your application
        },
    },
};
```
### Workarounds
Avoid the non-default `WithExpandoObjectConverter` extension method when deserializing untrusted data. If deserializing untrusted data into an `ExpandoObject` is required, write a custom converter for your project that enforces a limit on the number of properties before initializing the object.
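The following is an added example, not code from the advisory or from Nerdbank.MessagePack. It uses only the .NET base class library to show two things: why populating an `ExpandoObject` from attacker-controlled input is quadratic (each `Add` scans the properties already present), and the shape of the cap the workaround above calls for. `Populate`, `MaxPropertyCount` and the `declaredCount` parameter are hypothetical names; `declaredCount` stands in for the entry count a MessagePack map header announces up front, which is what lets a converter reject an oversized map before allocating or touching the object.

```csharp
// Added example: ExpandoObject cost model and a pre-allocation property cap.
// Not the library's converter; the names below are illustrative.
using System;
using System.Collections.Generic;
using System.Diagnostics;
using System.Dynamic;

static class ExpandoCapDemo
{
    // Hypothetical cap for this example. The advisory states the patched
    // library's default is 128.
    const int MaxPropertyCount = 128;

    // declaredCount stands in for the count read from a MessagePack map header.
    // The check runs before any ExpandoObject exists, so an oversized map is
    // rejected in O(1) instead of costing O(n²) to populate.
    public static ExpandoObject Populate(int declaredCount, IEnumerable<KeyValuePair<string, object?>> entries)
    {
        if (declaredCount > MaxPropertyCount)
        {
            throw new InvalidOperationException(
                $"Map declares {declaredCount} properties; limit is {MaxPropertyCount}.");
        }

        var expando = new ExpandoObject();
        var dict = (IDictionary<string, object?>)expando;
        foreach (var kv in entries)
        {
            // Each Add scans the keys already present, so the loop as a whole is O(n²).
            dict.Add(kv.Key, kv.Value);
        }
        return expando;
    }

    // Measures n uncapped Add calls; this is the attacker's cost model.
    static TimeSpan TimeUncappedAdds(int n)
    {
        var dict = (IDictionary<string, object?>)new ExpandoObject();
        var sw = Stopwatch.StartNew();
        for (int i = 0; i < n; i++)
        {
            dict.Add("p" + i, i);
        }
        return sw.Elapsed;
    }

    static void Main()
    {
        // Constructed sizes: under the O(n²) model, doubling n should roughly quadruple the time.
        foreach (int n in new[] { 2_000, 4_000, 8_000 })
        {
            Console.WriteLine($"{n,6} uncapped Add calls: {TimeUncappedAdds(n).TotalMilliseconds:F1} ms");
        }

        // Constructed benign input: a small map passes the cap and is populated normally.
        var small = new List<KeyValuePair<string, object?>>
        {
            new("id", 42),
            new("name", "example"),
        };
        dynamic ok = Populate(small.Count, small);
        Console.WriteLine($"Populated: id={ok.id}, name={ok.name}");

        // Constructed hostile input: the header claims 100,000 properties.
        // It is rejected before allocation, so no quadratic work is done.
        try
        {
            Populate(100_000, Array.Empty<KeyValuePair<string, object?>>());
        }
        catch (InvalidOperationException e)
        {
            Console.WriteLine("Rejected: " + e.Message);
        }
    }
}
```

Build it as a console project and run it; the timing loop makes the quadratic growth visible, and the last call shows that the cap is enforced on the declared count alone, before the converter reads a single key/value pair.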
Affected packages
Nerdbank.MessagePack (NuGet). Fixed version: 1.2.4
`dotnet add package Nerdbank.MessagePack --version 1.2.4`