SharpSite Plugin System Exposed to Critical RCE via Insecure JSON Deserialization
A P0 security vulnerability has been identified in SharpSite's plugin and configuration system, exposing at least four code locations to Remote Code Execution (RCE) through insecure deserialization. The flaw centers on Newtonsoft.Json's `TypeNameHandling.Auto` setting, a well-documented attack vector that lets an adversary instantiate arbitrary .NET types while a JSON payload is being deserialized. The finding blocks the production readiness of SharpSite's plugin architecture until it is remediated.
The vulnerable code spans two critical files. In `src/SharpSite.Web/ApplicationState.cs` at lines 130–134 and 212–216, the deserialization occurs during application state management tied to plugin loading. Similarly, `src/SharpSite.Web/SharpsiteConfigurationExtensions.cs` (lines 13–17, 19–25) contains the same pattern within configuration extension handling. Both locations process untrusted or attacker-controlled input without type restriction, enabling known deserialization gadget chains to execute arbitrary commands on the host system.
The attack requires an adversary capable of writing to SharpSite's plugins directory, a precondition that is easier to meet in shared-hosting environments or misconfigured deployments. Security researchers classify insecure deserialization among the most dangerous vulnerability classes in modern web application security. The recommended remediation is either to migrate to `System.Text.Json` with polymorphic serialization or to implement a strict `ISerializationBinder` type whitelist that constrains which types the deserializer may instantiate. The estimated fix effort is two to four hours, though organizations should prioritize immediate mitigation given the critical severity and the fact that exploitation techniques for this class are publicly known.
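The following is an added example, not code from the SharpSite project, showing the weak `JsonSerializerSettings` the advisory describes next to the `ISerializationBinder` whitelist remediation it recommends. `PluginManifest`, `PluginSettings`, `AllowListSerializationBinder` and the two JSON documents are all assumed for illustration; SharpSite's real manifest types are not on the page.

```csharp
using System;
using System.Collections.Generic;
using Newtonsoft.Json;
using Newtonsoft.Json.Serialization;

// Hypothetical plugin manifest; SharpSite's real types are not shown on the page.
public sealed class PluginManifest
{
    public string Name { get; set; } = "";
    // Declared as object, so Newtonsoft consults "$type" here whenever TypeNameHandling != None.
    public object? Settings { get; set; }
}

// The only settings type a manifest is allowed to carry (assumed for this example).
public sealed class PluginSettings
{
    public bool Enabled { get; set; }
}

// Allow-list binder: only types registered in the constructor may appear in "$type".
public sealed class AllowListSerializationBinder : ISerializationBinder
{
    private readonly Dictionary<string, Type> _allowed = new(StringComparer.Ordinal);

    public AllowListSerializationBinder(params Type[] allowed)
    {
        foreach (var t in allowed)
            _allowed[t.FullName!] = t;
    }

    // Called for every "$type" encountered. Anything not registered is rejected outright
    // rather than resolved through Type.GetType, which is what the default binder does.
    public Type BindToType(string? assemblyName, string typeName)
    {
        if (_allowed.TryGetValue(typeName, out var t))
            return t;
        throw new JsonSerializationException($"Type '{typeName}' is not permitted in plugin JSON.");
    }

    // Emit bare type names without assembly info so our own output round-trips through BindToType.
    public void BindToName(Type serializedType, out string? assemblyName, out string? typeName)
    {
        assemblyName = null;
        typeName = serializedType.FullName;
    }
}

public static class PluginJson
{
    // Weak: the pattern the advisory describes. Every "$type" in the file is resolved and instantiated.
    public static readonly JsonSerializerSettings Weak = new()
    {
        TypeNameHandling = TypeNameHandling.Auto
    };

    // Hardened: same handling, but the binder constrains "$type" to the allow-list above.
    public static readonly JsonSerializerSettings Hardened = new()
    {
        TypeNameHandling = TypeNameHandling.Auto,
        SerializationBinder = new AllowListSerializationBinder(typeof(PluginSettings))
    };

    public static PluginManifest? Load(string json, JsonSerializerSettings settings) =>
        JsonConvert.DeserializeObject<PluginManifest>(json, settings);
}

public static class Demo
{
    public static void Main()
    {
        // Constructed sample input: a benign manifest naming the allowed settings type.
        const string benign =
            @"{""Name"":""hello"",""Settings"":{""$type"":""PluginSettings"",""Enabled"":true}}";
        // Constructed sample input: same shape, but "$type" names something outside the allow-list.
        const string unexpected =
            @"{""Name"":""hello"",""Settings"":{""$type"":""Some.Other.Type, SomeAssembly""}}";

        var ok = PluginJson.Load(benign, PluginJson.Hardened);
        Console.WriteLine($"benign -> {ok?.Settings?.GetType().Name}");

        try
        {
            PluginJson.Load(unexpected, PluginJson.Hardened);
        }
        catch (JsonSerializationException ex)
        {
            // Newtonsoft wraps the binder's exception in its own JsonSerializationException.
            Console.WriteLine($"rejected -> {ex.Message}");
        }
    }
}
```

Two points worth checking when applying this to a real code base: on deserialization Newtonsoft honours `$type` under every `TypeNameHandling` value except `None`, so a member typed `object`, an interface or an abstract class is enough for the file to pick the concrete type; and where a configuration or state file never needs polymorphism at all, leaving the setting at its default of `TypeNameHandling.None` removes the issue without a binder. The binder route above keeps the polymorphism that a plugin manifest may legitimately need while turning an unknown `$type` into a hard failure that also shows up in logs.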