CVE-2022-23535

Name of the Vulnerable Software and Affected Versions LiteDB versions prior to 5.0.13

Description The issue concerns the deserialization of untrusted data in LiteDB, a .NET NoSQL embedded database. When instances of an object are not the same class, BsonMapper uses a special field type string info with full class name with assembly to be loaded and fit into the model. If an end-user can send a plain JSON string to the app, deserialization can load an unsafe object to fit into the model.

Recommendations For versions prior to 5.0.13, consider updating to version 5.0.13 or later, which includes basic fixes to avoid this issue, although it is not 100% guaranteed when using the Object type. As a temporary workaround, avoid allowing users to send JSON strings to be directly inserted or updated into the database. Avoid using classes with the Object type; instead, try using an interface when possible. For apps that send plain JSON strings to be inserted or updated into the database, prefer using a specific type, such as IDictionary<string, string>, which will only accept key/value strings, rather than the Object base type.