Description
Newtonsoft.Json prior to version 13.0.1 is vulnerable to improper handling of a StackOverflow exception (SOE).
Steps to reproduce
Applications that use Newtonsoft.Json might be exposed to a DoS vulnerability, as called out by Aleph Security.
The underlying issue is improper handling of exceptional conditions: Newtonsoft.Json prior to version 13.0.1 does not handle the StackOverflow exception (SOE) raised while nested expressions are being processed. Exploiting this vulnerability results in Denial of Service (DoS); it is exploitable when an attacker sends 5 requests that cause an SOE within a time frame of 5 minutes (refer to the Aleph blog post). This vulnerability affects Internet Information Services (IIS) applications.
What steps can reproduce the defect?
Refer to the Aleph blog post: it takes only one StackOverflowException to bring down an application deployed on IIS.
This has been addressed by JamesNK/Newtonsoft.Json@7e77bbe
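As an added example (not code from this issue or from the Newtonsoft.Json project), the following C# shows the defensive setting that bounds nesting depth, MaxDepth, which 13.0.1 defaults to 64 and earlier versions leave unset; the helper names and the sample input are constructed, and setting the bound explicitly also covers applications still compiled against an older version.

```csharp
using System;
using Newtonsoft.Json;
using Newtonsoft.Json.Linq;

// Added example, not from the original issue or the Newtonsoft.Json project.
// Assumption: the mitigation is bounding nesting depth via MaxDepth, which
// 13.0.1 defaults to 64; earlier versions leave it unset (unbounded).
static class NestedJsonGuard
{
    // Constructed sample input: "depth" nested arrays, e.g. [[[]]] for depth 3.
    public static string BuildNested(int depth) =>
        new string('[', depth) + new string(']', depth);

    // Deserializes with an explicit depth bound. Returns true if the document
    // was fully parsed; false (with the reader's message) if nesting exceeded
    // maxDepth. Exceeding MaxDepth raises JsonReaderException, which a request
    // handler can catch, unlike a StackOverflowException.
    public static bool TryDeserializeBounded(string json, int maxDepth, out string error)
    {
        var settings = new JsonSerializerSettings { MaxDepth = maxDepth };
        try
        {
            JsonConvert.DeserializeObject<JToken>(json, settings);
            error = null;
            return true;
        }
        catch (JsonReaderException ex)
        {
            error = ex.Message;
            return false;
        }
    }

    static void Main()
    {
        // 32 levels: under the bound, parses normally.
        Console.WriteLine(TryDeserializeBounded(BuildNested(32), 64, out var e1) ? "ok" : e1);
        // 100 levels: rejected by the bound with a catchable exception. A real SOE
        // needs far deeper nesting, but the bound rejects that input the same way,
        // long before the process runs out of stack.
        Console.WriteLine(TryDeserializeBounded(BuildNested(100), 64, out var e2) ? "ok" : e2);
    }
}
```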
Expected behavior
No stack overflow; Newtonsoft.Json version 13.0.1 or later is in use.
Actual behavior
Earlier versions of Newtonsoft.Json are currently in use.