Impact
Applications that call OptionalConverters.WithExpandoObjectConverter and deserialize untrusted data are open to a vulnerability by which an attacker can exploit a O(n²) algorithm to burn an inordinate amount of CPU effort by adding a great many properties to an ExpandoObject, whose Add method is implemented as an O(n) algorithm.
Patches
Update to a patched version.
If a project's ExpandoObject data requires more than 128 properties, the default limit should be changed:
this.Serializer = this.Serializer with
{
StartingContext = this.Serializer.StartingContext with
{
Security = this.Serializer.StartingContext.Security with
{
ExpandoObjectMaxPropertyCount = 256, // Set this to whatever limit is required by your application
},
},
};Workarounds
Avoid the non-default WithExpandoObjectConverter extension method when deserializing untrusted data.
If deserializing untrusted data into an ExpandoObject is required, developers should write a custom converter for their project that limits the number of properties allowed before initializing the object.
References
AArnott Remediation developer
Impact
Applications that call
OptionalConverters.WithExpandoObjectConverterand deserialize untrusted data are open to a vulnerability by which an attacker can exploit aO(n²)algorithm to burn an inordinate amount of CPU effort by adding a great many properties to anExpandoObject, whoseAddmethod is implemented as anO(n)algorithm.Patches
Update to a patched version.
If a project's
ExpandoObjectdata requires more than 128 properties, the default limit should be changed:Workarounds
Avoid the non-default
WithExpandoObjectConverterextension method when deserializing untrusted data.If deserializing untrusted data into an
ExpandoObjectis required, developers should write a custom converter for their project that limits the number of properties allowed before initializing the object.References