BlackDuck scan flagged the latest version 13.0.1. Need a new release.

[hdittakavi]

We're using BlackDuck to scan our projects and recently Newtonsoft.Json 13.0.1 was flagged as a medium security risk (BDSA-2018-5195) because of the following issue:

Newtonsoft.Json is vulnerable to denial-of-service (DoS) due to a stack overflow that can occur whenever nested objects are being processed. A remote attacker could cause a vulnerable application to crash by causing it to process a maliciously crafted JSON object.

The BDSA record points to this article which was created around 2018: https://alephsecurity.com/vulns/aleph-2018004
I've been searching for more information about this issue but can't find anything useful.

Black Duck also points to a solution as fixed with this comment. Can there be a new release to include this fix? Thanks!
f7e7bd0

[JamesNK]

This problem is fixed in 13.0.1 - https://github.com/JamesNK/Newtonsoft.Json/releases/tag/13.0.1

Specifically, this commit - b6dc05b

Could you please get BlackDuck to update their record and say that this has been resolved in 13.0.1.

[304NotModified]

FYI, NuGet version 13.0.1 is Assembly file Version 13.0.1.25517. This version is for some needed because (security) tools will report assembly versions and not NuGet package versions.

See:

[sawilde]

Was this vuln. advertised as I didn't see any update via the github dependabot?

Ignore, as I actually think this issue was from before all the security stuff in github was added

[304NotModified]

Well on nuget.org it isn't marked as vulnerable (yet?)

https://www.nuget.org/packages/Newtonsoft.Json

compared to a package that has vulnerablities: