dotnet · NCalc.Core · Heads-up
NCalc.Core Denial-of-Service Vulnerability Fixed in Factorial Operator
What changed
A denial-of-service vulnerability in the factorial operator of NCalc was fixed by adding bounds validation for factorial operands and rejecting unsupported values before evaluation.
Who it affects
Applications that evaluate untrusted expressions using affected versions of NCalc (before v6.1.1).
What to do today
Upgrade to NCalc v6.1.1 or later. If upgrading is not possible, do not evaluate untrusted expressions, validate expressions to reject large factorial operands, and implement execution time limits.
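For the "validate expressions" fallback, a pre-evaluation guard can look like the following. This is an added example, not NCalc code or the project's fix: it assumes factorial is written as a postfix `!` and that strings are quoted with `'` or `"`, and the names `FactorialGuard`, `IsSafe` and `MaxOperand` are hypothetical.

```csharp
using System;

// Added example, not part of NCalc. Assumption: factorial is a postfix '!' (e.g. "5!")
// and string literals use ' or " with backslash escapes. Adjust to your grammar.
public static class FactorialGuard
{
    // Hypothetical policy limit: 20! is the largest factorial that fits in a signed 64-bit integer.
    public const int MaxOperand = 20;

    // True only if every postfix '!' directly follows an integer literal <= MaxOperand.
    public static bool IsSafe(string expr)
    {
        char quote = '\0';
        for (int i = 0; i < expr.Length; i++)
        {
            char c = expr[i];
            if (quote != '\0')
            {
                if (c == '\\') i++;                 // skip the escaped character
                else if (c == quote) quote = '\0';  // end of string literal
                continue;
            }
            if (c == '\'' || c == '"') { quote = c; continue; }
            if (c != '!') continue;
            if (i + 1 < expr.Length && expr[i + 1] == '=') continue;   // "!=" comparison
            int end = i - 1;
            while (end >= 0 && char.IsWhiteSpace(expr[end])) end--;
            // Nothing, or an operator, on the left: this is a prefix logical NOT.
            if (end < 0 || "+-*/%^&|<>=~(,?:".IndexOf(expr[end]) >= 0) continue;
            int start = end;
            while (start >= 0 && char.IsDigit(expr[start])) start--;
            int digits = end - start;
            // The operand must be a bare integer literal: not the tail of an identifier or
            // decimal, not a parenthesised expression, a parameter, or another factorial.
            bool bare = digits > 0 && (start < 0 ||
                !(char.IsLetter(expr[start]) || expr[start] == '_' || expr[start] == '.'));
            if (!bare || digits > 2 || int.Parse(expr.Substring(start + 1, digits)) > MaxOperand)
                return false;
        }
        return quote == '\0';   // reject an unterminated string literal
    }

    public static void Main()
    {
        // Constructed sample inputs.
        foreach (var e in new[] { "5! + 1", "a != b", "!flag", "'wow!'", "100000!", "(x + 1)!", "n!", "3!!" })
            Console.WriteLine($"{e,-12} => {(IsSafe(e) ? "allow" : "reject")}");
    }
}
```

The guard fails closed: any factorial whose operand is not a small literal is rejected, including parameters and sub-expressions whose value is unknown before evaluation. It covers only the operand check, so an execution time limit is still needed.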