
Breaking Change: Default MaxDepth Changed from null to 64 in Version 13 Causing Issues #3020

Open
rigersramushi opened this issue Feb 21, 2025 · 1 comment

Comments


Summary
After upgrading from Newtonsoft.Json v12 to v13, we encountered breaking changes due to the default value of MaxDepth being changed from null to 64. This is causing deserialization failures in our application where deeply nested objects exist.

Steps to Reproduce

  1. In Newtonsoft.Json v12, the MaxDepth setting was null by default, allowing unrestricted depth.
  2. In Newtonsoft.Json v13, the default MaxDepth is now 64, leading to JsonReaderException for deep object graphs.
  3. Manually setting MaxDepth = null in JsonSerializerSettings resolves the issue.

Questions & Concerns

  1. Why was the decision made to change the default MaxDepth from null to 64?
     • Understanding the reasoning behind this change will help us assess its impact and the intended behavior moving forward.
  2. Is it safe to explicitly set MaxDepth = null in JsonSerializerSettings?
     • While this fixes our issue, we want to ensure this is a recommended approach and won’t lead to unexpected problems in the current or future versions.

Expected Behavior

  • Either restore MaxDepth = null as the default or provide official guidance on safely handling deep object deserialization without unexpected failures.

Would appreciate any insights or recommendations regarding this change. Thank you!


304NotModified commented Feb 24, 2025

Why was the decision made to change the default MaxDepth from null to 64?

In short, security/DoS. See https://alephsecurity.com/vulns/aleph-2018004, #2535 and #2473.

Is it safe to explicitly set MaxDepth = null in JsonSerializerSettings?

That depends on how the DoS possibility could affect you. Recommend doing threat modelling for this.
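An added example, not code from the issue author or the Newtonsoft.Json project, that shows the three configurations the thread discusses side by side against a constructed deeply nested document: the v13 default of 64 (rejects the input with JsonReaderException), MaxDepth = null (restores the unlimited v12 behaviour, so the input controls how deep the reader recurses, which is the DoS risk the comment refers to), and a bounded limit raised to what the application's object graphs actually need. It assumes Newtonsoft.Json 13.x; the Nested helper, the depth values and the limit of 256 are illustrative choices.

```csharp
using System;
using Newtonsoft.Json;
using Newtonsoft.Json.Linq;

static class MaxDepthDemo
{
    // Constructed input: "[[[ ... ]]]" nested `depth` levels deep.
    static string Nested(int depth) =>
        new string('[', depth) + new string(']', depth);

    // Returns true if the document parses under the given settings,
    // false (with the reader's message) if the depth limit rejects it.
    static bool TryParse(string json, JsonSerializerSettings settings, out string error)
    {
        try
        {
            JsonConvert.DeserializeObject<JToken>(json, settings);
            error = null;
            return true;
        }
        catch (JsonReaderException ex)
        {
            error = ex.Message;
            return false;
        }
    }

    static void Report(string label, string json, JsonSerializerSettings settings)
    {
        bool ok = TryParse(json, settings, out string error);
        Console.WriteLine($"{label,-10}: {(ok ? "parsed" : "rejected -> " + error)}");
    }

    static void Main()
    {
        string deep = Nested(100); // deeper than the v13 default of 64

        // v13 default: MaxDepth = 64, so this input is rejected.
        Report("default", deep, new JsonSerializerSettings());

        // v12 behaviour: no limit at all. Untrusted input now decides the recursion depth.
        Report("unlimited", deep, new JsonSerializerSettings { MaxDepth = null });

        // Bounded: large enough for the application's real object graphs, still a ceiling.
        // 256 is an illustrative value; measure your own documents and choose accordingly.
        Report("bounded", deep, new JsonSerializerSettings { MaxDepth = 256 });
    }
}
```

Only the default run should print a rejection; if the bounded run also rejects your real documents, the limit is too low for your schema rather than a reason to remove it.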
