Magnus Rahl
Jul 1, 2022

Addressing vulnerability in Newtonsoft.Json

We have received questions about the recently disclosed vulnerability in Newtonsoft.Json prior to version 13.0.1. Having the dependency doesn't mean you're automatically vulnerable, but since several of our packages depend on Newtonsoft.Json, DXP solutions (including custom code) are theoretically vulnerable. 

The vulnerability was disclosed after 5 PM on June 22 and came to our knowledge the next day, June 23. We started investigating immediately and had verified remediation steps early on June 24, which we put in the hands of our support teams to respond to customers and partners reaching out about this.

Publishing this information more broadly now is of course a tradeoff between reaching more of our customers and partners and drawing attention to the vulnerability. However, because Newtonsoft.Json is the most used .NET library, it is well known that we are a .NET solution, and the dependency can be seen in public information on NuGet, we decided to go ahead and publish this information together with the remediation.

Remediation

Newer versions like CMS 12, Commerce 14 and Find 14 are not vulnerable since they require Newtonsoft.Json 13.0.1. 

On slightly older solutions, you can simply update Newtonsoft.Json in your solution to version 13.0.1 or later, for example using the NuGet Package Manager.

On yet older versions (earlier versions of CMS 11, Commerce 13, Find 13) you may run into a version restriction. You can override this version restriction by updating the package using the Package Manager Console and supplying the -IgnoreDependencies flag:

Update-Package Newtonsoft.Json -Version 13.0.1 -IgnoreDependencies

Or simply edit the packages.config file to set the version of Newtonsoft.Json to 13.0.1.

We have gone back quite a few versions and verified that overriding the version restriction does not have any negative side-effects. We have done this as far back as EPiServer.Commerce 13.14.0, EPiServer.CMS 11.14.0 (EPiServer.CMS.UI 11.23.1), EPiServer.Find 13.2.6, EPiServer.Find.Commerce 11.2.0 and EPiServer.ContentDeliveryApi 2.21.0.
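To check which projects in a solution still pin Newtonsoft.Json below 13.0.1, and to apply the packages.config edit described above, here is an added Python script (not Optimizely's own code). It reads a packages.config or a PackageReference in a .csproj, flags pins below the fixed version, and rewrites a packages.config pin; the two sample files are constructed for the example.

```python
"""Audit project files for Newtonsoft.Json below the fixed version."""
import xml.etree.ElementTree as ET

PACKAGE = "Newtonsoft.Json"
FIXED_VERSION = "13.0.1"   # first version without the disclosed issue, per the post


def parse_version(text):
    """Turn a NuGet version into a comparable tuple. A prerelease suffix
    ('13.0.1-beta1') sorts below the matching release; prerelease labels are
    compared as plain strings, which is enough for this check."""
    core, _, pre = text.partition("-")
    parts = tuple(int(p) for p in core.split("."))
    parts += (0,) * (4 - len(parts))          # 13.0.1 == 13.0.1.0
    return (parts, pre == "", pre)


def local_name(tag):
    """Strip an XML namespace so old-style .csproj files match too."""
    return tag.rsplit("}", 1)[-1]


def vulnerable_pins(xml_text):
    """Return the Newtonsoft.Json versions pinned below FIXED_VERSION in a
    packages.config (<package id= version=>) or .csproj (<PackageReference>)."""
    found = []
    for el in ET.fromstring(xml_text).iter():
        name = local_name(el.tag)
        if name == "package":
            pid, ver = el.get("id"), el.get("version")
        elif name == "PackageReference":
            pid = el.get("Include")
            ver = el.get("Version") or el.findtext("{*}Version")
        else:
            continue                           # NuGet ids are case-insensitive
        if pid and ver and pid.lower() == PACKAGE.lower() \
                and parse_version(ver) < parse_version(FIXED_VERSION):
            found.append(ver)
    return found


def bump_packages_config(xml_text):
    """Rewrite a packages.config so Newtonsoft.Json is pinned at FIXED_VERSION."""
    root = ET.fromstring(xml_text)
    for pkg in root.iter("package"):
        if (pkg.get("id") or "").lower() == PACKAGE.lower() \
                and parse_version(pkg.get("version", "0")) < parse_version(FIXED_VERSION):
            pkg.set("version", FIXED_VERSION)
    return ET.tostring(root, encoding="unicode")


# Constructed sample inputs, not taken from a real solution.
PACKAGES_CONFIG = """<packages>
  <package id="EPiServer.CMS.Core" version="11.14.0" targetFramework="net472" />
  <package id="Newtonsoft.Json" version="12.0.3" targetFramework="net472" />
</packages>"""
CSPROJ = """<Project Sdk="Microsoft.NET.Sdk.Web"><ItemGroup>
  <PackageReference Include="Newtonsoft.Json" Version="13.0.1" />
</ItemGroup></Project>"""
```

Run the script's functions over every packages.config and .csproj in the solution; any non-empty result from vulnerable_pins is a project that still needs the update.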

If you have any questions, please reach out to support.
