Heads-up (dotnet / MessagePack)
MessagePack: Quadratic CPU and Allocation in ExpandoObjectFormatter.Deserialize
What changed
ExpandoObjectFormatter.Deserialize has quadratic CPU and allocation behavior when deserializing large attacker-controlled maps into ExpandoObject, due to ExpandoObject's internal insertion model.
Who it affects
Applications that deserialize untrusted MessagePack maps into ExpandoObject using ExpandoObjectResolver or related resolver options.
What to do today
Upgrade MessagePack to the patched version once released; until then, avoid deserializing untrusted payloads into ExpandoObject and enforce request-size and map-entry limits.
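The interim mitigation above (size and map-entry limits before the payload reaches ExpandoObject) can be enforced at the application boundary without touching the library. The following is an added example, not MessagePack's own code: the `GuardedExpando` class, its constants `MaxPayloadBytes` and `MaxMapEntries`, and the sample payload are all assumptions. It pre-walks the buffer with `MessagePackReader`, counting every map entry at any nesting depth against a budget, and only then calls the ExpandoObject resolver. Nested maps are counted too, since the formatter recurses into them and the quadratic cost applies at each level.

```csharp
using System;
using System.Buffers;
using System.Dynamic;
using MessagePack;
using MessagePack.Resolvers;

// Added example: a boundary guard for untrusted MessagePack maps (not part of MessagePack).
public static class GuardedExpando
{
    // Assumed caps; tune them to the application's real payload profile.
    public const int MaxPayloadBytes = 64 * 1024;
    public const int MaxMapEntries = 1_000;

    public static ExpandoObject Deserialize(ReadOnlyMemory<byte> payload)
    {
        if (payload.Length > MaxPayloadBytes)
            throw new InvalidOperationException(
                $"payload of {payload.Length} bytes exceeds limit of {MaxPayloadBytes}");

        // Pre-walk the buffer: nothing is allocated into an ExpandoObject yet.
        var reader = new MessagePackReader(payload);
        if (reader.NextMessagePackType != MessagePackType.Map)
            throw new InvalidOperationException("expected a top-level map");

        int budget = MaxMapEntries;
        CountMapEntries(ref reader, ref budget);

        // Only a payload within budget reaches the ExpandoObject resolver.
        return MessagePackSerializer.Deserialize<ExpandoObject>(payload, ExpandoObjectResolver.Options);
    }

    // Walks one value, subtracting every map entry found (at any depth) from the budget.
    // Throws as soon as the budget is exhausted, so a hostile header is rejected early.
    private static void CountMapEntries(ref MessagePackReader reader, ref int budget)
    {
        switch (reader.NextMessagePackType)
        {
            case MessagePackType.Map:
                int entries = reader.ReadMapHeader();
                budget -= entries;
                if (budget < 0)
                    throw new InvalidOperationException(
                        $"map entry count exceeds limit of {MaxMapEntries}");
                for (int i = 0; i < entries; i++)
                {
                    reader.Skip();                       // key: never expanded, just skipped
                    CountMapEntries(ref reader, ref budget); // value may itself be a map
                }
                break;

            case MessagePackType.Array:
                int count = reader.ReadArrayHeader();
                for (int i = 0; i < count; i++)
                    CountMapEntries(ref reader, ref budget);
                break;

            default:
                reader.Skip(); // scalars, strings, binary, extensions
                break;
        }
    }
}

public static class Demo
{
    public static void Main()
    {
        // Constructed sample payload: {"id": 7, "tags": [ {"k": "v"} ]} -> 3 map entries in total.
        var buffer = new ArrayBufferWriter<byte>();
        var writer = new MessagePackWriter(buffer);
        writer.WriteMapHeader(2);
        writer.Write("id");   writer.Write(7);
        writer.Write("tags"); writer.WriteArrayHeader(1);
        writer.WriteMapHeader(1);
        writer.Write("k");    writer.Write("v");
        writer.Flush();

        dynamic obj = GuardedExpando.Deserialize(buffer.WrittenMemory);
        Console.WriteLine(obj.id); // 7

        // Constructed hostile header: declares 1,000,000 entries with no body behind it.
        var hostile = new ArrayBufferWriter<byte>();
        var hw = new MessagePackWriter(hostile);
        hw.WriteMapHeader(1_000_000);
        hw.Flush();
        try
        {
            GuardedExpando.Deserialize(hostile.WrittenMemory);
        }
        catch (InvalidOperationException e)
        {
            Console.WriteLine("rejected: " + e.Message);
        }
    }
}
```

The pre-walk is linear in the payload size, so it adds a bounded cost in front of the quadratic formatter rather than a second quadratic step. A declared map header larger than the remaining budget is rejected before any entries are read, which also covers truncated payloads that advertise more entries than they carry.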