Fix: Newtonsoft.Json prior to version 13.0.1 is vulnerable

Newtonsoft.Json prior to version 13.0.1 is vulnerable to Insecure Defaults due to improper handling of expressions with high nesting level that lead to StackOverFlow exception or high CPU and RAM usage. Exploiting this vulnerability results in Denial Of Service (DoS).
axuno · Jun 28, 2022 · 3306a41 · 3306a41
1 parent d64c240
commit 3306a41
Show file tree

Hide file tree

Showing 2 changed files with 7 additions and 7 deletions.
diff --git a/appveyor.yml b/appveyor.yml
@@ -1,4 +1,4 @@
-version: 2.7.2.{build}
+version: 2.7.3.{build}
 environment:
   DOTNET_SKIP_FIRST_TIME_EXPERIENCE: true
 image: Visual Studio 2019
@@ -8,7 +8,7 @@ build_script:
 - ps: dotnet add .\SmartFormat.Tests\SmartFormat.Tests.csproj package AltCover
 - ps: dotnet build SmartFormat.sln /verbosity:minimal /t:rebuild /p:configuration=release /nowarn:CS1591,CS0618
 - ps: |
-    $version = "2.7.2"
+    $version = "2.7.3"
     $versionFile = $version + "." + ${env:APPVEYOR_BUILD_NUMBER}
 
     if ($env:APPVEYOR_PULL_REQUEST_NUMBER) {
@@ -29,4 +29,4 @@ deploy:
   api_key:
     secure: siTK+zMCX6XYTT2G7uhX9XjB6LNhDtZheum/MKIfrnsBITjZ+yEGAPNKVL/LCEPB
     on:
-      branch: main
+      branch: version/2.7.3
diff --git a/src/SmartFormat/SmartFormat.csproj b/src/SmartFormat/SmartFormat.csproj
@@ -3,8 +3,8 @@
     <PropertyGroup>
         <Description>A string composition library written in C# that can format data into a string with a minimal, intuitive syntax. It uses extensions to provide named placeholders, pluralization, gender conjugation, and time and list formatting.</Description>
         <AssemblyTitle>SmartFormat</AssemblyTitle>
-        <Version>2.7.2</Version>
-        <FileVersion>2.7.2</FileVersion>
+        <Version>2.7.3</Version>
+        <FileVersion>2.7.3</FileVersion>
         <TargetFrameworks>netstandard2.0;net461</TargetFrameworks>
         <DefineConstants>TRACE;DEBUG</DefineConstants>
         <GenerateDocumentationFile>true</GenerateDocumentationFile>
@@ -53,9 +53,9 @@ https://github.com/axuno/SmartFormat/blob/master/CHANGES.md</PackageReleaseNotes
             <PrivateAssets>all</PrivateAssets>
             <IncludeAssets>runtime; build; native; contentfiles; analyzers; buildtransitive</IncludeAssets>
         </PackageReference>
-        <PackageReference Include="Newtonsoft.Json" Version="12.0.3" />
+        <PackageReference Include="Newtonsoft.Json" Version="13.0.1" />
         <PackageReference Include="System.ValueTuple" Version="4.5.0" />
-        <PackageReference Include="System.Text.Json" Version="4.7.2" />
+        <PackageReference Include="System.Text.Json" Version="6.0.5" />
     </ItemGroup>
 
 </Project>