Released DotVVM 2.3.3 with an important bug fix
We have just released DotVVM 2.3.3 which fixes a significant bug in DotVVM error page.
Symptoms
The bug happened only:
- when the application was using Newtonsoft.Json 11.0.2 or higher
- in the debug mode where the error page is enabled
- when there is a syntax error in a DotVVM page
The issue is caused by serialization of an exception thrown by DotVVM (we were using the information in the error page) and can cause StackOverflowException or infinite loop in the worker thread of the application.
All the behavior mentioned above can occur only in case of a syntax error in a DotVVM page, however there might be some users who deployed a debug version of an application which includes some page with syntax errors, and since the bug can cause an infinite loop, it may be a simple way for a DOS attack.
Our tests didn’t catch this issue as we were using older version of Newtonsoft.Json where everything worked normally.
Resolution
We strongly recommend everyone to update to DotVVM 2.3.3 as soon as possible and to make sure that you are not deploying the debug version with error page turned on.
The new version can also greatly improve the dev experience as some errors might not been displayed correctly in the error page in some cases.
BIO:
I am the CEO of RIGANTI, small software development company located in Prague, Czech Republic.
I am a Microsoft Regional Director and Microsoft Most Valuable Professional.
I am the author of DotVVM, an open source .NET-based web framework which lets you build Line-of-Business applications easily and without writing thousands lines of Javascript code.