Nerdbank.MessagePack has Inefficient CPU Computation
📋 Description
Impact
Applications that call OptionalConverters.WithExpandoObjectConverter and then deserialize untrusted data are vulnerable to a CPU-exhaustion attack. ExpandoObject's Add method runs in O(n) time, so populating an object with n properties costs O(n²) in total; an attacker can send a map with a very large number of properties and force the deserializer to burn an inordinate amount of CPU per message.
Patches
Update to Nerdbank.MessagePack 1.2.4 or later. The patched versions cap the number of properties the ExpandoObject converter will accept at 128 by default.
If a project's ExpandoObject data genuinely requires more than 128 properties, raise the default limit on the serializer's security settings:
```csharp
// Keep the limit as low as your data model allows: it bounds the O(n²) work
// a single untrusted message can force on the deserializer.
this.Serializer = this.Serializer with
{
    StartingContext = this.Serializer.StartingContext with
    {
        Security = this.Serializer.StartingContext.Security with
        {
            ExpandoObjectMaxPropertyCount = 256, // Set this to whatever limit is required by your application
        },
    },
};
```
Workarounds
Avoid the non-default WithExpandoObjectConverter extension method when deserializing untrusted data.
If deserializing untrusted data into an ExpandoObject is required, write a custom converter for the project that checks the incoming map's entry count against a fixed limit before creating and populating the object, so oversized input is rejected before any O(n) Add call runs.
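The following is an added example of such a bounded converter; it is not code from the Nerdbank.MessagePack project or from this advisory. It assumes the public converter API of Nerdbank.MessagePack 1.x as the author understands it (MessagePackConverter<T> with Read/Write overrides, MessagePackReader.NextMessagePackType, ReadMapHeader, Skip, SerializationContext.DepthStep, and a Converters collection on MessagePackSerializer); the class name BoundedExpandoObjectConverter and the 128-entry default are the author's choices. The security-relevant point is that MessagePack encodes a map's entry count in its header, so the limit can be enforced in O(1) before the first property is added, and nested maps are routed back through the same check.

```csharp
using System;
using System.Collections.Generic;
using System.Dynamic;
using Nerdbank.MessagePack;

// Added example (not part of the Nerdbank.MessagePack project): a converter that
// refuses oversized maps before allocating or populating the ExpandoObject.
public sealed class BoundedExpandoObjectConverter : MessagePackConverter<ExpandoObject>
{
    private readonly int maxEntries;

    public BoundedExpandoObjectConverter(int maxEntries = 128) => this.maxEntries = maxEntries;

    public override ExpandoObject? Read(ref MessagePackReader reader, SerializationContext context)
    {
        if (reader.TryReadNil())
        {
            return null;
        }

        // The map header states the entry count up front, so the check costs O(1)
        // and runs before any O(n) ExpandoObject.Add call can be triggered.
        int count = reader.ReadMapHeader();
        if (count > this.maxEntries)
        {
            throw new MessagePackSerializationException(
                $"Map declares {count} entries; at most {this.maxEntries} are allowed for an ExpandoObject.");
        }

        // Assumed API: DepthStep() enforces the context's recursion limit for nested maps/arrays.
        context.DepthStep();

        var result = new ExpandoObject();
        IDictionary<string, object?> dict = result;
        for (int i = 0; i < count; i++)
        {
            string key = reader.ReadString()
                ?? throw new MessagePackSerializationException("ExpandoObject property names must be strings.");
            dict[key] = this.ReadValue(ref reader, context);
        }

        return result;
    }

    // Minimal primitive-value reader. Nested maps re-enter Read(), so they are
    // subject to the same entry limit; arrays are capped with the same bound.
    private object? ReadValue(ref MessagePackReader reader, SerializationContext context)
    {
        switch (reader.NextMessagePackType)
        {
            case MessagePackType.Nil: reader.ReadNil(); return null;
            case MessagePackType.Boolean: return reader.ReadBoolean();
            case MessagePackType.Integer: return reader.ReadInt64(); // throws on values outside Int64 range
            case MessagePackType.Float: return reader.ReadDouble();
            case MessagePackType.String: return reader.ReadString();
            case MessagePackType.Map: return this.Read(ref reader, context);
            case MessagePackType.Array:
                int length = reader.ReadArrayHeader();
                if (length > this.maxEntries)
                {
                    throw new MessagePackSerializationException(
                        $"Array declares {length} elements; at most {this.maxEntries} are allowed.");
                }
                context.DepthStep();
                var items = new object?[length];
                for (int i = 0; i < length; i++)
                {
                    items[i] = this.ReadValue(ref reader, context);
                }
                return items;
            default:
                // Binary and extension payloads are not materialized; skip them safely.
                reader.Skip(context);
                return null;
        }
    }

    public override void Write(ref MessagePackWriter writer, in ExpandoObject? value, SerializationContext context)
    {
        if (value is null)
        {
            writer.WriteNil();
            return;
        }

        IDictionary<string, object?> dict = value;
        writer.WriteMapHeader(dict.Count);
        foreach (KeyValuePair<string, object?> entry in dict)
        {
            writer.Write(entry.Key);
            switch (entry.Value)
            {
                case null: writer.WriteNil(); break;
                case bool b: writer.Write(b); break;
                case long l: writer.Write(l); break;
                case int n: writer.Write(n); break;
                case double d: writer.Write(d); break;
                case string s: writer.Write(s); break;
                case ExpandoObject nested: this.Write(ref writer, nested, context); break;
                default: throw new NotSupportedException($"Cannot serialize value of type {entry.Value.GetType()}.");
            }
        }
    }
}

// Registration (assumed API): replace WithExpandoObjectConverter with the bounded converter.
// var serializer = new MessagePackSerializer() with { Converters = [new BoundedExpandoObjectConverter(128)] };
```

Because the limit is checked against the declared map size rather than after population, a hostile message claiming millions of entries is rejected with a single header read; the O(n²) path is never reached. Pick the bound from the application's real data model, not from what the parser can tolerate.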
🎯 Affected products
- nuget/Nerdbank.MessagePack: < 1.2.4