BundlerMinifier

Consuming older version of NewtonSoft.Json (9.0.1) vulnerable to a Denial of Service (DoS) attack. Please update it to latest 13.0.1 version available.

Open GSDevgun opened this issue 3 years ago • 6 comments

Installed product versions

  • Visual Studio: 2019

Description

BundlerMinifier consuming older version of NewtonSoft.Json (9.0.1) which is vulnerable to a Denial of Service (DoS) attack. Please update it to latest 13.0.1 version available.

Issue being raised during Sonatype scanning.

Explanation: The Newtonsoft.Json package is vulnerable to a Denial of Service (DoS) attack. The JsonSerializerSettings.cs file and the constructor in the JsonReader class fail to enforce a sufficient maximum depth when serializing nested JSON objects. Consequently, serializing large numbers of nested JSON objects may cause the application to crash with a StackOverflowException. A remote attacker who can supply JSON data to be serialized by the application can exploit this vulnerability to cause a DoS condition or other unexpected behavior.

Detection: The application is vulnerable by using this component.

Recommendation: We recommend upgrading to a version of this component that is not vulnerable to this specific issue.

GSDevgun avatar Jan 05 '22 12:01 GSDevgun
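The scanner finding above comes down to one setting: Newtonsoft.Json's `MaxDepth`. The following is an added example, not code from this issue or from the BundlerMinifier project. It shows the defensive side of the finding: with `JsonSerializerSettings.MaxDepth` capped, a deeply nested document is rejected with a `JsonReaderException` instead of recursing until the stack is exhausted, and it prints which Newtonsoft.Json assembly is actually loaded so you can confirm whether the bundled 9.0.1 copy or your own 13.x reference won. The depth limit of 64 and the constructed inputs are this example's own choices.

```csharp
// Added example, not part of the BundlerMinifier issue or project.
// Demonstrates the mitigation for the nesting-depth DoS described above.
using System;
using Newtonsoft.Json;
using Newtonsoft.Json.Linq;

public static class DepthCheck
{
    // Limit chosen for this example. Newtonsoft.Json 13.x defaults to 64;
    // 9.0.1 leaves MaxDepth null (unlimited) unless the caller sets it,
    // so setting it explicitly is the portable mitigation.
    private const int DepthLimit = 64;

    private static readonly JsonSerializerSettings Settings = new JsonSerializerSettings
    {
        MaxDepth = DepthLimit,
    };

    // Returns true if the document parses within the depth limit,
    // false if the reader rejected it. Never lets a depth overrun crash the process.
    public static bool TryParse(string json, out JToken result)
    {
        try
        {
            result = JsonConvert.DeserializeObject<JToken>(json, Settings);
            return true;
        }
        catch (JsonException ex)
        {
            // Exceeding MaxDepth surfaces as a JsonReaderException (a JsonException)
            // with a message such as "The reader's MaxDepth of 64 has been exceeded."
            Console.WriteLine($"Rejected: {ex.Message}");
            result = null;
            return false;
        }
    }

    public static void Main()
    {
        // Report which Newtonsoft.Json build is loaded at runtime. This is what
        // matters when a package ships its own older copy of the DLL.
        var loaded = typeof(JsonConvert).Assembly.GetName();
        Console.WriteLine($"Loaded {loaded.Name} {loaded.Version}");

        // Constructed inputs: a shallow document and one nested far past the limit.
        string shallow = "{\"a\":[1,2,{\"b\":3}]}";
        string deep = new string('[', 10000) + new string(']', 10000);

        Console.WriteLine(TryParse(shallow, out _) ? "shallow: ok" : "shallow: rejected");
        Console.WriteLine(TryParse(deep, out _) ? "deep: ok" : "deep: rejected");
    }
}
```

Run it once against the project as built today: if the printed version is 9.0.1, the bundled copy is still the one in use and the explicit `MaxDepth` is what protects you; if it is 13.x, the library's default already applies, but keeping the setting explicit documents the intent and survives a downgrade.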

Any updates on this? This issue is also popping up when using code scanning tools like Whitesource

gluip avatar Oct 03 '22 09:10 gluip

Also looking for info.... Anyone worked round this?

The nuget package lists no dependencies, and instead it seems that the NewtonSoft.json 9.0.1 dll is packaged with it? I'm not very familiar with how this all works but would assume it should be simply linked as a dependency with a version minimum/range rather than be packaged with it, and that would solve this issue?

Even though I believe referencing NewtonSoft.json 13.0.3 along with BundlerMinifier will mean that version 13.0.3 is ultimately included, tools like Whitesource/Mend still find that 9.0.1 dll that BundlerMinifier brings along with it....

At least that's how I'm understanding it?

Tony-KP avatar Mar 30 '23 19:03 Tony-KP

I have also been waiting for the solution to this issue. Any update?

Inscramble avatar May 30 '23 06:05 Inscramble

Any updates? Did anyone try to solve this issue?

akshaybheda avatar Oct 04 '23 00:10 akshaybheda

@madskristensen Can you merge this PR https://github.com/madskristensen/BundlerMinifier/pull/588 and create a new NuGet package?

akshaybheda avatar Oct 04 '23 01:10 akshaybheda

Any updates on this or any other work that offers a solution to this issue?

craig2812 avatar Apr 15 '24 08:04 craig2812