.NET JSON.NET Deserialization RCE
Description
This vulnerability occurs when a .NET application deserializes JSON with the JSON.NET (Newtonsoft.Json) library while TypeNameHandling is set to any value other than None (Objects, Arrays, All or Auto). In that configuration the library honours a $type discriminator embedded in the JSON, so the payload, rather than the application, chooses which .NET class is instantiated and which of its constructors and property setters run. An attacker who controls JSON that reaches such a deserializer can name a type whose construction has dangerous side effects (a so-called gadget type), which leads to remote code execution in the context of the application. TypeNameHandling.Auto is not a safe middle ground: on deserialization it still resolves $type for every member declared as object, an interface or an abstract class. No user interaction is involved; whether authentication is required depends only on which endpoint accepts the JSON.
Remediation
Immediately remediate this vulnerability by implementing the following measures:<br/><br/><strong>1. Disable TypeNameHandling (Recommended):</strong><br/>Set TypeNameHandling to None in your JsonSerializerSettings. None is also the library default, so in practice this means removing or overriding every setting that enables it. With None, a $type key in the input is ignored and the declared target type is always used:<br/><pre>using Newtonsoft.Json;

var settings = new JsonSerializerSettings
{
    // Never let the payload choose the type to instantiate.
    TypeNameHandling = TypeNameHandling.None
};
var obj = JsonConvert.DeserializeObject<MyClass>(jsonString, settings);</pre><br/><strong>2. If TypeNameHandling is Required:</strong><br/>Implement a strict ISerializationBinder that allows only the specific types your application needs to deserialize. Check the requested name against the allow list before resolving anything: calling Type.GetType on an attacker-supplied name can itself load arbitrary assemblies, so the binder must never resolve a name it has not already approved:<br/><pre>using System;
using System.Collections.Generic;
using Newtonsoft.Json;
using Newtonsoft.Json.Serialization;

public class SafeSerializationBinder : ISerializationBinder
{
    // Allow list keyed by full type name. The assembly part of $type is ignored
    // because the Type is always taken from this fixed set, never from the payload.
    private readonly Dictionary<string, Type> _allowedTypes = new Dictionary<string, Type>
    {
        [typeof(MyAllowedClass1).FullName] = typeof(MyAllowedClass1),
        [typeof(MyAllowedClass2).FullName] = typeof(MyAllowedClass2)
    };

    public Type BindToType(string assemblyName, string typeName)
    {
        if (typeName != null && _allowedTypes.TryGetValue(typeName, out var allowed))
            return allowed;
        throw new JsonSerializationException($"Type {typeName} is not allowed");
    }

    public void BindToName(Type serializedType, out string assemblyName, out string typeName)
    {
        // Emit only the full name; the allow list above does not use the assembly.
        assemblyName = null;
        typeName = serializedType.FullName;
    }
}

var settings = new JsonSerializerSettings
{
    TypeNameHandling = TypeNameHandling.Auto,
    SerializationBinder = new SafeSerializationBinder()
};</pre><br/><strong>3. Additional Security Measures:</strong><br/>- Never deserialize JSON from untrusted sources with TypeNameHandling enabled, and never deserialize untrusted input into members typed object or dynamic: those are exactly the members for which Auto resolves $type<br/>- Review every place serializer settings are created, not only JsonConvert.DeserializeObject calls: JsonSerializer.Create and JsonSerializer.Deserialize, the global JsonConvert.DefaultSettings, framework configuration such as AddNewtonsoftJson in ASP.NET Core, and the per-member [JsonProperty(TypeNameHandling = ...)] attribute, which enables the behaviour for that member even when the settings say None<br/>- Consider using System.Text.Json instead of JSON.NET for new projects: it never resolves a type name taken from the payload, and its polymorphic deserialization (.NET 7 and later) is limited to derived types declared in advance with [JsonPolymorphic] and [JsonDerivedType]<br/>- Validate JSON inputs against the expected schema, but do not treat filtering of the $type string as a substitute for the measures above: JSON string escapes such as "$\u0074ype" are equivalent to "$type" once parsed, so text-level filters are bypassable, whereas the binder runs at the point where the type is actually resolved
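The three steps above, exercised end to end in one console program. This is an added example, not code from the original page or from the Json.NET project; the Envelope and OrderCreated model, the AllowListBinder class and both JSON inputs are constructed for the demonstration. It runs the same inputs through the vulnerable configuration (TypeNameHandling.Auto with no binder, where the object-typed Payload member honours $type), through the allow-list binder, and through TypeNameHandling.None.

```csharp
// Added example (not from the original page). Requires the Newtonsoft.Json package.
using System;
using System.Collections.Generic;
using Newtonsoft.Json;
using Newtonsoft.Json.Serialization;

// Hypothetical message model. Payload is declared as object, which is exactly
// where TypeNameHandling.Auto lets the JSON decide the concrete type.
public class Envelope
{
    public string Kind { get; set; }
    public object Payload { get; set; }
}

public class OrderCreated
{
    public int OrderId { get; set; }
}

// Allow-list binder: names are checked before any type resolution happens.
public sealed class AllowListBinder : ISerializationBinder
{
    private readonly Dictionary<string, Type> _allowed = new Dictionary<string, Type>();

    public AllowListBinder(params Type[] allowedTypes)
    {
        foreach (var t in allowedTypes) _allowed[t.FullName] = t;
    }

    public Type BindToType(string assemblyName, string typeName)
    {
        // Only a name already on the list maps to a Type; unknown names are
        // rejected without loading or reflecting over anything.
        if (typeName != null && _allowed.TryGetValue(typeName, out var t)) return t;
        throw new JsonSerializationException($"Type '{typeName}' is not allowed");
    }

    public void BindToName(Type serializedType, out string assemblyName, out string typeName)
    {
        assemblyName = null;                 // short $type values, no assembly part
        typeName = serializedType.FullName;
    }
}

public static class Demo
{
    // Constructed input 1: $type names the type the application expects. The
    // assembly-qualified name is built at runtime because it depends on the project.
    static readonly string AllowedJson =
        @"{""Kind"":""order"",""Payload"":{""$type"":""" +
        typeof(OrderCreated).AssemblyQualifiedName + @""",""OrderId"":42}}";

    // Constructed input 2: $type names a type the application never intended to
    // accept. System.Version is harmless here and stands in for a real gadget type.
    const string UnexpectedJson =
        @"{""Kind"":""order"",""Payload"":{""$type"":""System.Version""}}";

    // Vulnerable: the payload picks the type of Payload.
    static readonly JsonSerializerSettings Vulnerable = new JsonSerializerSettings
    {
        TypeNameHandling = TypeNameHandling.Auto
    };

    // Hardened for the case where polymorphism is genuinely needed.
    static readonly JsonSerializerSettings WithBinder = new JsonSerializerSettings
    {
        TypeNameHandling = TypeNameHandling.Auto,
        SerializationBinder = new AllowListBinder(typeof(OrderCreated))
    };

    // Hardened, preferred: $type is ignored and Payload becomes a plain JObject.
    static readonly JsonSerializerSettings NoTypeNames = new JsonSerializerSettings
    {
        TypeNameHandling = TypeNameHandling.None
    };

    // Returns the runtime type of Payload after deserialization, or the rejection reason.
    public static string Describe(string json, JsonSerializerSettings settings)
    {
        try
        {
            var env = JsonConvert.DeserializeObject<Envelope>(json, settings);
            return env.Payload?.GetType().FullName ?? "null";
        }
        catch (JsonException ex)
        {
            return "rejected: " + ex.Message;
        }
    }

    public static void Main()
    {
        Console.WriteLine("vulnerable / expected   : " + Describe(AllowedJson, Vulnerable));
        Console.WriteLine("vulnerable / unexpected : " + Describe(UnexpectedJson, Vulnerable));
        Console.WriteLine("binder     / expected   : " + Describe(AllowedJson, WithBinder));
        Console.WriteLine("binder     / unexpected : " + Describe(UnexpectedJson, WithBinder));
        Console.WriteLine("none       / expected   : " + Describe(AllowedJson, NoTypeNames));
    }
}
```

The first two lines of output show the vulnerable settings instantiating whatever $type names (OrderCreated, then System.Version); the binder keeps the first and rejects the second; with TypeNameHandling.None the $type key is just another property and Payload is a Newtonsoft.Json.Linq.JObject. The second input deliberately uses a harmless type: the point of the example is the control, not a working gadget.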