
Fix Security Issue: Implement JSON Deserialization Depth Limit (CVE-2024-21907)

Open: yuseok-kim-edushare opened this pull request 10 months ago, 0 comments

This PR was created to close #64.


Summary

This PR addresses a high-severity security vulnerability (CVE-2024-21907/GHSA-5crp-9r3c-p9vr) in Newtonsoft.Json that could lead to Denial of Service attacks through excessively nested JSON payloads.

Changes

  • Added a recommended MaxDepth=128 limit to JsonSerializerSettings to prevent JSON deserialization attacks
  • Added CheckAdditionalContent=true for extra security validation
  • Updated assembly version from 2.3.6.1 to 2.3.6.2 to track this security fix
    • API_Consumer/Consumers/Helper.cs

Security Impact

This change mitigates a Denial of Service vulnerability where maliciously crafted JSON with excessive nesting could cause:

  • High CPU and memory consumption
  • Thread exhaustion
  • Potential StackOverflowException

References

  • GitHub Advisory: https://github.com/advisories/GHSA-5crp-9r3c-p9vr

yuseok-kim-edushare, Feb 14 '25 01:02
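The two settings the PR adds, shown in a stand-alone program rather than the project's own Helper.cs (this is an added example, not code from the SQL-APIConsumer repository). The class and method names (`DepthLimitDemo`, `HardenedSettings`, `TryDeserialize`, `NestedArrays`) are assumptions made here for illustration; the Newtonsoft.Json APIs used (`JsonSerializerSettings.MaxDepth`, `JsonSerializerSettings.CheckAdditionalContent`, `JsonConvert.DeserializeObject`, `JsonException`) are real. The nested payloads are constructed inline so the program runs offline.

```csharp
using System;
using Newtonsoft.Json;
using Newtonsoft.Json.Linq;

// Added example (not the project's code): demonstrates a deserializer
// hardened with MaxDepth = 128 and CheckAdditionalContent = true
// rejecting (a) a payload nested deeper than the limit and (b) trailing
// content after the first JSON value, while accepting a normal payload.
public static class DepthLimitDemo
{
    // Constructed test input: 'depth' opening brackets followed by the
    // matching closing brackets, i.e. an array nested 'depth' levels deep.
    public static string NestedArrays(int depth)
    {
        return new string('[', depth) + new string(']', depth);
    }

    // The settings described in the PR. Assumed helper name; the two
    // properties are the real Newtonsoft.Json settings.
    public static JsonSerializerSettings HardenedSettings()
    {
        return new JsonSerializerSettings
        {
            // Reader aborts with JsonReaderException once nesting exceeds 128.
            MaxDepth = 128,
            // Serializer throws if anything but whitespace/comments follows
            // the first complete JSON value.
            CheckAdditionalContent = true,
        };
    }

    // Returns "ok" when the payload deserializes, otherwise the exception
    // type and message. JsonException is the base class of both
    // JsonReaderException (depth) and JsonSerializationException (trailing data).
    public static string TryDeserialize(string json, JsonSerializerSettings settings)
    {
        try
        {
            JsonConvert.DeserializeObject<JToken>(json, settings);
            return "ok";
        }
        catch (JsonException ex)
        {
            return ex.GetType().Name + ": " + ex.Message;
        }
    }

    public static void Main()
    {
        var hardened = HardenedSettings();

        // Well within the limit: accepted.
        Console.WriteLine(TryDeserialize(NestedArrays(100), hardened));

        // Far beyond the limit: rejected early by the reader instead of
        // being parsed to its full depth.
        Console.WriteLine(TryDeserialize(NestedArrays(10000), hardened));

        // Two top-level values: rejected by CheckAdditionalContent.
        Console.WriteLine(TryDeserialize("{\"a\":1} {\"b\":2}", hardened));
    }
}
```

Note that `MaxDepth` is enforced by the `JsonTextReader` that `JsonConvert` creates internally, so the check happens while tokenizing and the oversized payload never reaches the object-construction stage. The same two properties can be applied globally through `JsonConvert.DefaultSettings` if the codebase has many call sites that build their own settings.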