I recently discovered that the Newtonsoft library in .NET had a vulnerability where you could cause an application to terminate with a stack overflow by potentially passing a really (really) nested JSON object to it.

Kudos to the team at HCL (https://alephsecurity.com/vulns/aleph-2018004) for discovering it.

The thing is, I am actually writing this in 2022. Newtonsoft patched it by applying a default max depth (max nesting) of 64 in September 2021, but the bug was actually disclosed in 2018.

Newtonsoft.Json is used by millions of .NET and it just amazed me it took so long to patch this officially. Anyways, that’s a small blog post on my amazement. If you have not upgraded yet, then do it, and if you don’t want to upgrade, add a max depth check in your code.
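One way to add that max depth check on a version that does not yet apply the default, shown as an added example (not code from this post or from Newtonsoft). The `DepthLimitedJson` class and its method names are hypothetical; the limit of 64 mirrors the patched default mentioned above, and the nested input is constructed for the demonstration.

```csharp
using System;
using System.IO;
using Newtonsoft.Json;
using Newtonsoft.Json.Linq;

// Hypothetical helper: route all parsing of untrusted JSON through these methods.
public static class DepthLimitedJson
{
    // Same value the patched library applies by default.
    private const int MaxDepth = 64;

    private static readonly JsonSerializerSettings Settings =
        new JsonSerializerSettings { MaxDepth = MaxDepth };

    // Typed deserialization: pass the settings explicitly on every call.
    public static T Deserialize<T>(string json) =>
        JsonConvert.DeserializeObject<T>(json, Settings);

    // JToken parsing: set the limit on the reader itself, because
    // serializer settings are not consulted when loading a JToken.
    public static JToken Parse(string json)
    {
        using (var reader = new JsonTextReader(new StringReader(json)) { MaxDepth = MaxDepth })
        {
            return JToken.Load(reader);
        }
    }

    public static void Main()
    {
        // Ordinary, shallow input still parses.
        JToken ok = Parse("{\"a\":[1,2,{\"b\":3}]}");
        Console.WriteLine("Parsed shallow input: " + ok["a"][2]["b"]);

        // Constructed sample input: 200 nested arrays, deeper than the limit.
        string nested = new string('[', 200) + new string(']', 200);

        try { Parse(nested); }
        catch (JsonReaderException ex)
        {
            // The reader stops at the limit instead of recursing further.
            Console.WriteLine("JToken path rejected input: " + ex.Message);
        }

        try { Deserialize<object>(nested); }
        catch (JsonReaderException ex)
        {
            Console.WriteLine("Serializer path rejected input: " + ex.Message);
        }
    }
}
```

Catch `JsonReaderException` at the request boundary and return an error response, so an over-deep payload is rejected as bad input rather than taking the process down.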