Skip to content

Commit 66cafc9

Browse files
1 parent 315f92d commit 66cafc9

1 file changed

Lines changed: 59 additions & 0 deletions

File tree

Lines changed: 59 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,59 @@
1+
{
2+
"schema_version": "1.4.0",
3+
"id": "GHSA-92vj-hp7m-gwcj",
4+
"modified": "2026-05-29T20:02:59Z",
5+
"published": "2026-05-29T20:02:59Z",
6+
"aliases": [],
7+
"summary": "Nerdbank.MessagePack has Inefficient CPU Computation",
8+
"details": "### Impact\n\nApplications that call `OptionalConverters.WithExpandoObjectConverter` and deserialize untrusted data are open to a vulnerability by which an attacker can exploit a `O(n²)` algorithm to burn an inordinate amount of CPU effort by adding a great many properties to an `ExpandoObject`, whose `Add` method is implemented as an `O(n)` algorithm.\n\n### Patches\n\nUpdate to a patched version.\n\nIf a project's `ExpandoObject` data requires more than 128 properties, the default limit should be changed:\n\n```cs\nthis.Serializer = this.Serializer with\n{\n\tStartingContext = this.Serializer.StartingContext with\n\t{\n\t\tSecurity = this.Serializer.StartingContext.Security with\n\t\t{\n\t\t\tExpandoObjectMaxPropertyCount = 256, // Set this to whatever limit is required by your application\n\t\t},\n\t},\n};\n```\n\n### Workarounds\n\nAvoid the non-default `WithExpandoObjectConverter` extension method when deserializing untrusted data.\nIf deserializing untrusted data into an `ExpandoObject` is required, developers should write a custom converter for their project that limits the number of properties allowed before initializing the object.",
9+
"severity": [
10+
{
11+
"type": "CVSS_V3",
12+
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"
13+
}
14+
],
15+
"affected": [
16+
{
17+
"package": {
18+
"ecosystem": "NuGet",
19+
"name": "Nerdbank.MessagePack"
20+
},
21+
"ranges": [
22+
{
23+
"type": "ECOSYSTEM",
24+
"events": [
25+
{
26+
"introduced": "0"
27+
},
28+
{
29+
"fixed": "1.2.4"
30+
}
31+
]
32+
}
33+
]
34+
}
35+
],
36+
"references": [
37+
{
38+
"type": "WEB",
39+
"url": "https://github.com/AArnott/Nerdbank.MessagePack/security/advisories/GHSA-92vj-hp7m-gwcj"
40+
},
41+
{
42+
"type": "WEB",
43+
"url": "https://github.com/AArnott/Nerdbank.MessagePack/commit/c5a239e4f20c38548de44c4dd2a782efd5e2547c"
44+
},
45+
{
46+
"type": "PACKAGE",
47+
"url": "https://github.com/AArnott/Nerdbank.MessagePack"
48+
}
49+
],
50+
"database_specific": {
51+
"cwe_ids": [
52+
"CWE-1176"
53+
],
54+
"severity": "MODERATE",
55+
"github_reviewed": true,
56+
"github_reviewed_at": "2026-05-29T20:02:59Z",
57+
"nvd_published_at": null
58+
}
59+
}

0 commit comments

Comments
 (0)