The vulnerability stems from Json.NET deserialization with TypeNameHandling enabled (Auto/Objects) combined with an insufficient type binder. Key issues:

1. TypeNameHandling allows attackers to specify dangerous types
2. Missing MaxDepth enabled deeply nested payloads
3. The original CompositeSerializationBinder didn't recursively check generic type arguments, allowing bypass of type restrictions
4. All deserialization entry points (Deserialize methods) used these unsafe settings Patch added MaxDepth and recursive type validation, confirming these as the vulnerable points.