+ "details": "### Impact\n\nApplications that call `OptionalConverters.WithExpandoObjectConverter` and deserialize untrusted data are open to a vulnerability by which an attacker can exploit a `O(n²)` algorithm to burn an inordinate amount of CPU effort by adding a great many properties to an `ExpandoObject`, whose `Add` method is implemented as an `O(n)` algorithm.\n\n### Patches\n\nUpdate to a patched version.\n\nIf a project's `ExpandoObject` data requires more than 128 properties, the default limit should be changed:\n\n```cs\nthis.Serializer = this.Serializer with\n{\n\tStartingContext = this.Serializer.StartingContext with\n\t{\n\t\tSecurity = this.Serializer.StartingContext.Security with\n\t\t{\n\t\t\tExpandoObjectMaxPropertyCount = 256, // Set this to whatever limit is required by your application\n\t\t},\n\t},\n};\n```\n\n### Workarounds\n\nAvoid the non-default `WithExpandoObjectConverter` extension method when deserializing untrusted data.\nIf deserializing untrusted data into an `ExpandoObject` is required, developers should write a custom converter for their project that limits the number of properties allowed before initializing the object.",
0 commit comments