CVE-2022-23535: LiteDB is a small, fast and lightweight .NET NoSQL embedded database. Versions prior to 5.0.13 are subject to Deserializ
Summary
LiteDB, a lightweight database library for .NET, has a vulnerability in versions before 5.0.13 where it can deserialize (convert data from a format like JSON back into usable objects) untrusted data. If an attacker sends specially crafted JSON to an application using LiteDB, the library may load unsafe objects by using a special `_type` field that tells it what class to create, potentially allowing malicious code execution.
Solution / Mitigation
Update LiteDB to version 5.0.13 or later. The source notes this version includes basic fixes to prevent the issue, though it is not completely guaranteed when using `Object` type. A future major version will add an allow-list to control which assemblies (code libraries) can be loaded. For immediate protection, consult the vendor advisory for additional workarounds.
Vulnerability Details
7.3(high)
EPSS: 1.2%
Classification
Affected Vendors
Related Issues
Original source: https://nvd.nist.gov/vuln/detail/CVE-2022-23535
First tracked: February 15, 2026 at 08:53 PM
Classified by LLM (prompt v3) · confidence: 75%