litedb is vulnerable to Deserialization Of Untrusted Objects. The vulnerability is caused by differing types in JSON documents: when a JSON document contains BsonDocument types, the library converts them to POCO. If an attacker can send a plain JSON string, they can inject and execute arbitrary code through the BsonMapper _type field.
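
One defensive pre-check for the issue described above, as an added example that is not part of the advisory or litedb's own code: it parses untrusted JSON with System.Text.Json and reports the first _type key found at any depth, so the input can be rejected before it reaches the mapper. The class and method names are hypothetical, the sample inputs are constructed, and the case-insensitive match is a deliberately conservative assumption.

```csharp
using System;
using System.Text.Json;

// Added example (hypothetical names): refuse untrusted JSON that names a type.
public static class UntrustedJsonGuard
{
    private const string TypeField = "_type"; // field named in the advisory

    // Returns the path of the first "_type" key, or null if there is none.
    // Throws JsonException on malformed input; callers should reject that too.
    public static string FindTypeField(string json)
    {
        using JsonDocument doc = JsonDocument.Parse(json);
        return Walk(doc.RootElement, "$");
    }

    private static string Walk(JsonElement element, string path)
    {
        switch (element.ValueKind)
        {
            case JsonValueKind.Object:
                foreach (JsonProperty prop in element.EnumerateObject())
                {
                    // prop.Name is already unescaped, so "\u005ftype" is caught.
                    string childPath = path + "." + prop.Name;
                    if (string.Equals(prop.Name, TypeField, StringComparison.OrdinalIgnoreCase))
                        return childPath;
                    string hit = Walk(prop.Value, childPath);
                    if (hit != null) return hit;
                }
                break;
            case JsonValueKind.Array:
                int index = 0;
                foreach (JsonElement item in element.EnumerateArray())
                {
                    string hit = Walk(item, path + "[" + index++ + "]");
                    if (hit != null) return hit;
                }
                break;
        }
        return null;
    }

    public static void Main()
    {
        // Constructed inputs; the type name below is a harmless placeholder.
        string clean = "{\"name\":\"alice\",\"tags\":[\"a\",\"b\"]}";
        string tagged = "{\"name\":\"bob\",\"items\":[{\"_type\":\"Placeholder.Type, PlaceholderAssembly\"}]}";
        Console.WriteLine(FindTypeField(clean) ?? "accepted");   // accepted
        Console.WriteLine(FindTypeField(tagged) ?? "accepted");  // $.items[0]._type
    }
}
```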