Litedb · Litedb · CVE-2022-23535
**Name of the Vulnerable Software and Affected Versions**
LiteDB versions prior to 5.0.13
**Description**
The issue concerns the deserialization of untrusted data in LiteDB, a .NET NoSQL embedded database. When a stored object's runtime class differs from the declared class of the model member, `BsonMapper` uses a special `_type` field holding a string with the full class name and assembly, which it loads to fit the object into the model. If an end-user can send a plain JSON string to the app, deserialization can load an unsafe object to fit into the model.
**Recommendations**
For versions prior to 5.0.13, consider updating to version 5.0.13 or later, which includes basic fixes to avoid this issue, although protection is not 100% guaranteed when the `Object` type is used.
As a temporary workaround, avoid allowing users to send JSON strings to be directly inserted or updated into the database.
Avoid using classes with the `Object` type; instead, try using an interface when possible.
For apps that send plain JSON strings to be inserted or updated into the database, prefer using a specific type, such as `IDictionary<string, string>`, which will only accept key/value strings, rather than the `Object` base type.
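The model shape the advisory warns about beside the recommended typed alternative, as an added example (not LiteDB project code). It assumes LiteDB 5.0.13 or later is referenced, and the class names `RiskyNote`, `SafeNote` and `NoteIngest`, the extra flat-string check, and the sample JSON are constructed for illustration:

```csharp
using System;
using System.Collections.Generic;
using LiteDB;

// Shape described by the advisory as risky: an Object-typed member lets
// BsonMapper honour a `_type` hint carried in caller-controlled JSON.
public class RiskyNote
{
    public int Id { get; set; }
    public object Payload { get; set; }
}

// Shape the advisory recommends: only string key/value pairs are accepted,
// so there is no polymorphic member for a `_type` hint to steer.
public class SafeNote
{
    public int Id { get; set; }
    public IDictionary<string, string> Payload { get; set; }
}

public static class NoteIngest
{
    // Turns user-supplied JSON into the typed model instead of inserting the
    // raw string. The flat-string check is an additional defence added here;
    // the advisory itself only recommends the typed dictionary.
    public static SafeNote FromUserJson(string json)
    {
        BsonValue parsed = JsonSerializer.Deserialize(json);
        if (!parsed.IsDocument)
            throw new ArgumentException("expected a JSON object");

        var payload = new Dictionary<string, string>();
        foreach (var kv in parsed.AsDocument)
        {
            // Reject nested documents, arrays and non-string scalars up front.
            if (!kv.Value.IsString)
                throw new ArgumentException($"field '{kv.Key}' must be a string");
            payload[kv.Key] = kv.Value.AsString;
        }

        return new SafeNote { Payload = payload };
    }

    public static void Demo()
    {
        // Constructed sample input; an in-memory database keeps the demo self-contained.
        using var db = new LiteDatabase(":memory:");
        var notes = db.GetCollection<SafeNote>("notes");

        notes.Insert(FromUserJson("{\"color\":\"red\",\"size\":\"M\"}"));
        Console.WriteLine($"stored {notes.Count()} note(s)");

        try
        {
            // A nested object is refused before it ever reaches BsonMapper.
            FromUserJson("{\"meta\":{\"nested\":true}}");
        }
        catch (ArgumentException ex)
        {
            Console.WriteLine($"rejected: {ex.Message}");
        }
    }
}
```

Because `SafeNote.Payload` is declared as `IDictionary<string, string>`, the mapper has no `Object` member whose concrete class it would need to resolve from the document, which is the condition the advisory describes for the `_type` field being honoured.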