Impact

LiteDB use a special field in JSON documents to cast diferent types from BsonDocument do POCO classes. When instance of an object are not the same of class, BsonMapper use a special field _type string info with full class name with assembly to be loaded and fit in your model.
If your end-user can send to your app a plain JSON string, deserialization can load an unsafe object to fit in your model.

Patches

Version >= 5.0.13 add some basic fixes to avoid this, but is not 100% guaranteed when using Object type
Next major version will contains a allow-list to select what king of Assembly can be loaded

Workarounds

• Avoid users send to your app a JSON string to be direct insert/update into database
• Avoid use classes with Object type - try use an interface when possible

If your app send a plain JSON string to be insert/update into database, prefer this:

// Bad
public class Customer {
    public int Id { get; set; }
    public string Name { get; set; }
    public Object AnyData { get; set; } // <= Avoid use `Object` base type
}

// Good
public class Customer {
    public int Id { get; set; }
    public string Name { get; set; }
    public IDictionary<string, string> AnyData { get; set; } // Will accept only key/value strings
}

References

See this workaround fix on this commit:

mbdavid/LiteDB@4382ff4

References

• GHSA-3x49-g6rc-c284
• mbdavid/LiteDB@4382ff4
• mbdavid/LiteDB@d72c677
• https://github.com/mbdavid/LiteDB/releases/tag/v5.0.13
• https://nvd.nist.gov/vuln/detail/CVE-2022-23535