Newtonsoft Security Vulnerability (Hangfire.Pro.PerformanceCounters)

I’m using the latest version of Hangfire.Pro.PerformanceCounters as part of my application. However, the referenced version of Newtonsoft.Json.dll is way out of date (version 5.0.1 I think) and is subject to a security vulnerability - specifically WS-2022-0161.

I would happily try and patch this myself but I don’t think that library is open to public support. Is there any way to get this reference updated to 13.0.1 version of Newtonsoft.Json? Or any way I can do it myself?

Every dependency in Hangfire is specified as a minimal supported version, not the recommended one and not the mandatory one. The target version of each dependency should be specified directly in the application, and this is more related to the semantics of dependency management performed by NuGet rather than to the framework. So the following lines should be added to the target application project instead:

<ItemGroup>
    <PackageReference Include="Newtonsoft.Json" Version="13.0.1" />
</ItemGroup>

More details can be found here – System.Text.Encodings.Web 4.4.0 · Issue #2005 · HangfireIO/Hangfire · GitHub.

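To make the "minimal supported version" point concrete, here is an added example (not code from Hangfire or from either poster) that approximates NuGet's lowest-applicable-version rule and shows why a direct PackageReference in the application lifts the resolved Newtonsoft.Json version, then checks the restored version in obj/project.assets.json. The package graph, the feed contents, the 1.0.0 version used for Hangfire.Pro.PerformanceCounters and the assets excerpt are all constructed; 13.0.1 is taken as the minimum acceptable version because that is what the thread asks to move to.

```python
import json

# Minimum version we accept for the package discussed in the thread (assumption: 13.0.1).
MIN_SAFE = {"Newtonsoft.Json": "13.0.1"}


def parse_version(text):
    """Turn '13.0.1' into (13, 0, 1) so versions compare numerically, not lexically."""
    return tuple(int(part) for part in text.split("."))


def resolve(graph, available, root="App"):
    """Approximate NuGet's 'lowest applicable version' rule.

    graph:     package -> list of (dependency, minimum_version) as declared in csproj / nuspec
    available: package -> list of versions that exist on the feed (constructed here)
    Every declaration is a lower bound (>=). The effective bound for a package is the
    highest lower bound reachable from the root; the chosen version is the lowest
    available version that meets it. Nearest-wins downgrade handling is not modelled.
    """
    lower_bounds = {}
    stack, seen = [root], set()
    while stack:
        pkg = stack.pop()
        if pkg in seen:
            continue
        seen.add(pkg)
        for dep, minimum in graph.get(pkg, []):
            current = lower_bounds.get(dep)
            if current is None or parse_version(minimum) > parse_version(current):
                lower_bounds[dep] = minimum
            stack.append(dep)

    resolved = {}
    for pkg, bound in lower_bounds.items():
        candidates = sorted(available[pkg], key=parse_version)
        chosen = next((v for v in candidates if parse_version(v) >= parse_version(bound)), None)
        if chosen is None:
            raise ValueError(f"no version of {pkg} satisfies >= {bound}")
        resolved[pkg] = chosen
    return resolved


def below_minimum(resolved, min_safe=MIN_SAFE):
    """Return the packages whose resolved version is lower than the minimum we accept."""
    return {pkg: ver for pkg, ver in resolved.items()
            if pkg in min_safe and parse_version(ver) < parse_version(min_safe[pkg])}


def versions_in_assets(assets, package):
    """Read the version(s) of a package actually restored, from obj/project.assets.json.

    Keys under "libraries" have the form "Name/Version"; more than one entry for the
    same package means the graph was not unified and deserves a look.
    """
    return sorted({key.split("/")[1] for key in assets.get("libraries", {})
                   if key.split("/")[0].lower() == package.lower()}, key=parse_version)


# Constructed feed and manifests (the real Hangfire.Pro.PerformanceCounters nuspec is not reproduced).
AVAILABLE = {
    "Hangfire.Pro.PerformanceCounters": ["1.0.0"],
    "Newtonsoft.Json": ["5.0.1", "12.0.3", "13.0.1"],
}
WITHOUT_DIRECT_REF = {
    "App": [("Hangfire.Pro.PerformanceCounters", "1.0.0")],
    "Hangfire.Pro.PerformanceCounters": [("Newtonsoft.Json", "5.0.1")],
}
# Same graph, plus the <PackageReference Include="Newtonsoft.Json" Version="13.0.1" /> from the answer.
WITH_DIRECT_REF = {
    "App": [("Hangfire.Pro.PerformanceCounters", "1.0.0"), ("Newtonsoft.Json", "13.0.1")],
    "Hangfire.Pro.PerformanceCounters": [("Newtonsoft.Json", "5.0.1")],
}

# Constructed excerpt of project.assets.json after a restore with the direct reference in place.
ASSETS_AFTER_RESTORE = json.loads("""
{
  "libraries": {
    "Hangfire.Pro.PerformanceCounters/1.0.0": {"type": "package"},
    "Newtonsoft.Json/13.0.1": {"type": "package"}
  }
}
""")

if __name__ == "__main__":
    before = resolve(WITHOUT_DIRECT_REF, AVAILABLE)
    after = resolve(WITH_DIRECT_REF, AVAILABLE)
    print("without direct reference:", before, "flagged:", below_minimum(before))
    print("with direct reference:   ", after, "flagged:", below_minimum(after))
    print("restored Newtonsoft.Json:", versions_in_assets(ASSETS_AFTER_RESTORE, "Newtonsoft.Json"))
```

Without the direct reference the only lower bound on Newtonsoft.Json is the 5.0.1 declared by the transitive package, so 5.0.1 is what restore picks; adding the PackageReference raises the bound to 13.0.1. The last function is the check worth keeping: after changing the csproj, confirm in the generated project.assets.json (or with `dotnet list package --include-transitive`) that the version that actually ships is the one you intended.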

@odinserj Thank you Sergey. I’ve realised my mistake is that although the old library is included in the package, in the actual deploy of the application it’s overridden with the new version of Newtonsoft.Json.dll and the risk I thought was there was completely mitigated. Thanks for your swift response and also your explanation.