Nerdbank.MessagePack: Denial of Service via ExpandoObject Converter
What changed
A security advisory was published for Nerdbank.MessagePack regarding a denial of service vulnerability in OptionalConverters.WithExpandoObjectConverter. ExpandoObject.Add is O(n) in the number of properties already present, so populating an ExpandoObject with n properties from a single message costs O(n²) CPU time. A default limit of 128 properties has been introduced; accepting more than that now requires explicit configuration.
Who it affects
Applications that call OptionalConverters.WithExpandoObjectConverter and deserialize untrusted data into ExpandoObject.
What to do today
Update to a patched version of Nerdbank.MessagePack. If your application requires more than 128 properties, configure ExpandoObjectMaxPropertyCount to a suitable limit. Alternatively, avoid using WithExpandoObjectConverter when deserializing untrusted data, or write a custom converter with property count limits.
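As an added example, not code from the advisory or from the Nerdbank.MessagePack project, here is a read-only custom converter that enforces the property-count limit the last option above describes. The converter base class, reader members and exception type are assumed from Nerdbank.MessagePack's converter model, and registering the converter with the serializer is left to the project's own converter-registration API.

```csharp
using System.Collections.Generic;
using System.Dynamic;
using Nerdbank.MessagePack;

// Assumed API surface (not stated in the advisory): MessagePackConverter<T>, the
// MessagePackReader/Writer members used below, SerializationContext.DepthStep()
// and MessagePackSerializerException, following Nerdbank.MessagePack's converter model.
public class BoundedExpandoObjectConverter : MessagePackConverter<ExpandoObject>
{
    private readonly int maxPropertyCount;
    public BoundedExpandoObjectConverter(int maxPropertyCount = 128)
        => this.maxPropertyCount = maxPropertyCount;

    public override ExpandoObject? Read(ref MessagePackReader reader, SerializationContext context)
    {
        if (reader.TryReadNil()) return null;
        context.DepthStep();
        // The map header states the entry count up front, so the bound is enforced
        // before a single O(n) ExpandoObject insert runs on untrusted input.
        int count = reader.ReadMapHeader();
        if (count > this.maxPropertyCount)
            throw new MessagePackSerializerException(
                $"Map with {count} entries exceeds the ExpandoObject limit of {this.maxPropertyCount}.");
        IDictionary<string, object?> expando = new ExpandoObject();
        for (int i = 0; i < count; i++)
        {
            string key = reader.ReadString() ?? throw new MessagePackSerializerException("Nil property name.");
            expando[key] = ReadScalar(ref reader, context);
        }
        return (ExpandoObject)expando;
    }

    // Scalars only; nested maps and arrays are skipped rather than materialized.
    private static object? ReadScalar(ref MessagePackReader reader, SerializationContext context)
    {
        switch (reader.NextMessagePackType)
        {
            case MessagePackType.Nil: reader.ReadNil(); return null;
            case MessagePackType.Boolean: return reader.ReadBoolean();
            case MessagePackType.Integer: return reader.ReadInt64();
            case MessagePackType.Float: return reader.ReadDouble();
            case MessagePackType.String: return reader.ReadString();
            default: reader.Skip(context); return null;
        }
    }

    // Serializing is not the untrusted-input path; this converter is deliberately read-only.
    public override void Write(ref MessagePackWriter writer, in ExpandoObject? value, SerializationContext context)
        => throw new System.NotSupportedException("Read-only converter for untrusted input.");
}
```

Because the check runs on the map header, an oversized message is rejected after reading a few bytes rather than after n quadratic-cost inserts.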