ALEPH-2018004 - DOS vulnerability

[thomasvdb]

We're using BlackDuck to scan our projects and recently Newtonsoft.Json was flagged as a medium security risk (BDSA-2018-5195) because of the following issue:

Newtonsoft.Json is vulnerable to denial-of-service (DoS) due to a stack overflow that can occur whenever nested objects are being processed. A remote attacker could cause a vulnerable application to crash by causing it to process a maliciously crafted JSON object.

The BDSA record points to this article which was created around 2018: https://alephsecurity.com/vulns/aleph-2018004
I've been searching for more information about this issue but can't find anything useful.

Do you have any more information about this?
The article states that the issue has been communicated. Has this been fixed or what's your opinion about this?

[Silurus]

@thomasvdb I was fighting with the same problem and probably found a way how to mitigate it by setting the MaxDepth serializer setting to 64 (or any other value you expect for your nesting object level)
https://www.newtonsoft.com/json/help/html/MaxDepth.htm

Instead of a stack overflow, you will get a JsonReaderException thrown by the Newtonsoft library.

[JamesNK]

Yes, MaxDepth setting is designed for this situation.

[Silurus]

@JamesNK maybe it is worth to set the default MaxDepth value for the json library? Do you have such plans?
I'm just worrying about other people who don't know about this vulnerability and they still might use the library to deserialize some generalized types like "object"