madskristensen / BundlerMinifier


Consuming older version of NewtonSoft.Json (9.0.1) vulnerable to a Denial of Service (DoS) attack. Please update it to latest 13.0.1 version available. #576

Open GSDevgun opened 2 years ago

GSDevgun commented 2 years ago

Installed product versions

Description

BundlerMinifier consuming older version of NewtonSoft.Json (9.0.1) which is vulnerable to a Denial of Service (DoS) attack. Please update it to latest 13.0.1 version available.

Issue being raised during Sonatype scanning.

Explanation: The Newtonsoft.Json package is vulnerable to a Denial of Service (DoS) attack. The JsonSerializerSettings.cs file and the constructor in the JsonReader class fail to enforce a sufficient maximum depth when serializing nested JSON objects. Consequently, serializing large numbers of nested JSON objects may cause the application to crash with a StackOverflowException. A remote attacker who can supply JSON data to be serialized by the application can exploit this vulnerability to cause a DoS condition or other unexpected behavior.

Detection: The application is vulnerable by using this component.

Recommendation: We recommend upgrading to a version of this component that is not vulnerable to this specific issue.
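A defensive counterpart to the explanation above, added here as an example and not code from this issue or from the BundlerMinifier project: it builds a constructed deeply nested JSON document and shows how an explicit MaxDepth on JsonSerializerSettings turns unbounded recursion into a catchable JsonReaderException. Newtonsoft.Json 13.0.1 applies a default MaxDepth of 64; setting it explicitly keeps the bound in place on older versions as well.

```csharp
using System;
using System.Text;
using Newtonsoft.Json;
using Newtonsoft.Json.Linq;

public static class NestedJsonDepthDemo
{
    // Constructed input: nested arrays of the given depth, e.g. depth 3 -> "[[[]]]".
    public static string BuildNestedArrays(int depth)
    {
        var sb = new StringBuilder(depth * 2);
        sb.Append('[', depth);
        sb.Append(']', depth);
        return sb.ToString();
    }

    // Returns true when the document parses within the depth bound and false when the
    // reader rejects it; any other exception is a genuine error and is left to propagate.
    public static bool TryParseBounded(string json, int maxDepth, out string reason)
    {
        var settings = new JsonSerializerSettings
        {
            // Explicit bound. Newtonsoft.Json 13.0.1 defaults this to 64; earlier
            // versions such as 9.0.1 leave it null, i.e. unbounded.
            MaxDepth = maxDepth,
        };
        try
        {
            JsonConvert.DeserializeObject<JToken>(json, settings);
            reason = "ok";
            return true;
        }
        catch (JsonReaderException ex)
        {
            // Raised once nesting exceeds MaxDepth, instead of the StackOverflowException
            // that would terminate the process.
            reason = ex.Message;
            return false;
        }
    }

    public static void Main()
    {
        Console.WriteLine(TryParseBounded(BuildNestedArrays(10), 64, out var r1) + ": " + r1);
        Console.WriteLine(TryParseBounded(BuildNestedArrays(100_000), 64, out var r2) + ": " + r2);
    }
}
```

The same MaxDepth property exists on JsonTextReader for code that reads JSON without going through JsonConvert.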

gluip commented 1 year ago

Any updates on this? This issue is also popping up when using code scanning tools like Whitesource

Tony-KP commented 1 year ago

Also looking for info.... Anyone worked round this?

The nuget package lists no dependencies, and instead it seems that the NewtonSoft.json 9.0.1 dll is packaged with it? I'm not very familiar with how this all works but would assume it should be simply linked as a dependency with a version minimum/range rather than be packaged with it, and that would solve this issue?

Even though I believe referencing NewtonSoft.json 13.0.3 along with BundlerMinifier will mean that version 13.0.3 is ultimately included, tools like Whitesource/Mend still find that 9.0.1 dll that BundlerMinifier brings along with it....

At least that's how I'm understanding it?

Inscramble commented 1 year ago

I have also been waiting for the solution to this issue. Any update?

akshaybheda commented 9 months ago

Any updates? Did anyone try to solve this issue?

akshaybheda commented 9 months ago

@madskristensen Can you merge this PR https://github.com/madskristensen/BundlerMinifier/pull/588 and create a new nuget?

craig2812 commented 2 months ago

Any updates on this or any other work that offers a solution to this issue?