PT-2021-8147 · Newtonsoft+1 · Newtonsoft.Json+1

Gil Mirmovitch · Published 2021-01-19 · Updated 2025-11-28 · CVE-2024-21907

CVSS v2.0: 7.8 (High) · AV:N/AC:L/Au:N/C:N/I:N/A:C
Name of the Vulnerable Software and Affected Versions: Newtonsoft.Json versions prior to 13.0.1

Description: The issue is an improper handling of exceptional conditions vulnerability in the Newtonsoft.Json library. Crafted data passed to the JsonConvert.DeserializeObject method may trigger a StackOverflow exception, resulting in denial of service. Depending on how the library is used, an unauthenticated remote attacker may be able to cause the denial of service condition. The vulnerability is triggered by passing highly nested JSON data, which can cause high CPU and RAM usage or a StackOverflow exception.

Recommendations: To mitigate the issue, update Newtonsoft.Json to version 13.0.1, or set the MaxDepth parameter in JsonSerializerSettings to a suitable value, such as 128, to reject excessive nesting. This can be done globally with the following statement: `JsonConvert.DefaultSettings = () => new JsonSerializerSettings { MaxDepth = 128 };`
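The following is an added example (not part of the advisory or of the Newtonsoft.Json project) showing how to verify that the MaxDepth mitigation above actually rejects over-nested input with a catchable JsonReaderException, instead of exhausting the stack (a StackOverflowException cannot be caught in .NET and terminates the process). It assumes the Newtonsoft.Json package is referenced; the nested sample input and the helper names are constructed for this demonstration.

```csharp
using System;
using Newtonsoft.Json;
using Newtonsoft.Json.Linq;

static class MaxDepthCheck
{
    // Constructed sample input: a JSON array nested `depth` levels deep.
    static string Nested(int depth) =>
        new string('[', depth) + new string(']', depth);

    // Returns true when the reader rejects the input because it exceeds
    // maxDepth; the serializer propagates MaxDepth to the underlying
    // JsonTextReader, which throws JsonReaderException at the limit.
    static bool IsRejectedByDepthLimit(string json, int maxDepth)
    {
        var settings = new JsonSerializerSettings { MaxDepth = maxDepth };
        try
        {
            JsonConvert.DeserializeObject<JToken>(json, settings);
            return false; // parsed within the limit
        }
        catch (JsonReaderException)
        {
            return true; // nesting deeper than MaxDepth was refused
        }
    }

    static void Main()
    {
        // The advisory's global mitigation: every JsonConvert call that does
        // not pass explicit settings now inherits MaxDepth = 128.
        JsonConvert.DefaultSettings =
            () => new JsonSerializerSettings { MaxDepth = 128 };

        // Input within the limit versus input deeper than the limit.
        Console.WriteLine(IsRejectedByDepthLimit(Nested(64), 128));
        Console.WriteLine(IsRejectedByDepthLimit(Nested(300), 128));
    }
}
```

Note that DefaultSettings only applies to JsonConvert calls and to JsonSerializer.CreateDefault(); a JsonSerializer built with `new JsonSerializer()` or a JsonTextReader used directly must have MaxDepth set explicitly. Newtonsoft.Json 13.0.1 additionally sets a default MaxDepth of 64, which is why upgrading alone closes the issue.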

Exploit · Fix · DoS · Improper Handling of Exceptional Conditions

Weakness Enumeration

Related Identifiers: BDU:2024-08967, CVE-2024-21907, GHSA-5CRP-9R3C-P9VR, GHSA-8RFX-6MR3-5JH3

Affected Products: Sql Server, Newtonsoft.Json