Describe the bug
OpenApiDocument.Load throws NullReferenceException from Microsoft.OpenApi.OpenApiWorkspace.RegisterComponents when an OpenAPI 3.1 document contains a components/schemas entry whose value is a JSON boolean - e.g. "X": true.
The input is spec-valid. OpenAPI 3.1 §4.8.24 defines its Schema Object as "a superset of the JSON Schema Specification Draft 2020-12", and JSON Schema 2020-12 §4.3.2 "Boolean JSON Schemas" permits a schema to be the literal true (always validates) or false (never validates). The parser should either materialize a proper schema value for these entries or surface a structured diagnostic - not throw NullReferenceException.
Affected:
Microsoft.OpenApi 3.5.2 (latest release)main at 78e17ca (2026-04-23) - still reproduces
OpenApi File To Reproduce
55-byte JSON file:
{"openapi":"3.1.0","components":{"schemas":{"X":true}}}info is a required field per the OpenAPI spec, but the deserializer still reaches RegisterComponents without it, so it can be omitted from the minimal repro. Adding "info":{"title":"x","version":"1"} does not change the behavior.
Expected behavior
The parser should not throw NullReferenceException on a spec-valid OpenAPI 3.1 document. Either accepting the boolean schema or surfacing a structured diagnostic would be fine - how boolean schemas are represented in the object model is a design decision for the maintainers.
Screenshots/Code Snippets
Repro:
using Microsoft.OpenApi;
using Microsoft.OpenApi.Reader;
var bytes = "{\"openapi\":\"3.1.0\",\"components\":{\"schemas\":{\"X\":true}}}"u8.ToArray();
using var ms = new MemoryStream(bytes);
OpenApiDocument.Load(ms, format: null, new OpenApiReaderSettings());
// -> System.NullReferenceException at OpenApiWorkspace.RegisterComponentsStack trace:
System.NullReferenceException: Object reference not set to an instance of an object.
at Microsoft.OpenApi.OpenApiWorkspace.RegisterComponents(OpenApiDocument document)
in src/Microsoft.OpenApi/Services/OpenApiWorkspace.cs:line 96
at Microsoft.OpenApi.Reader.V31.OpenApiV31Deserializer.LoadOpenApi(RootNode, Uri)
in src/Microsoft.OpenApi/Reader/V31/OpenApiDocumentDeserializer.cs:line 61
at Microsoft.OpenApi.Reader.V31.OpenApiV31VersionService.LoadDocument(RootNode, Uri)
in src/Microsoft.OpenApi/Reader/V31/OpenApiV31VersionService.cs:line 59
at Microsoft.OpenApi.Reader.ParsingContext.Parse(JsonNode, Uri)
at Microsoft.OpenApi.Reader.OpenApiJsonReader.Read(JsonNode, Uri, OpenApiReaderSettings)
at Microsoft.OpenApi.Reader.OpenApiJsonReader.Read(MemoryStream, Uri, OpenApiReaderSettings)
at Microsoft.OpenApi.Reader.OpenApiModelFactory.InternalLoad(MemoryStream, string, OpenApiReaderSettings)
at Microsoft.OpenApi.Reader.OpenApiModelFactory.Load(MemoryStream, string, OpenApiReaderSettings)
at Microsoft.OpenApi.OpenApiDocument.Load(MemoryStream, string, OpenApiReaderSettings)
When the schema deserializer encounters a bare boolean in place of a schema object, the resulting Components.Schemas dictionary contains an entry with a null value. The document?.Components == null guard at the top of RegisterComponents does not catch this; the per-entry dereference then throws.
The same loop shape exists for every other component map in this method - Parameters, Responses, RequestBodies, Links, Callbacks, Examples, Headers, SecuritySchemes, PathItems - and may be worth a consistency audit for the same null-value pattern.
Additional context
- Runtime: .NET 10.0 SDK; purely managed code, reproduces on all platforms.
- Discovery: coverage-guided fuzzing with AFL++ 4.00c + SharpFuzz 2.2.0 against
Microsoft.OpenApi 3.5.2. The 55-byte repro above is minimized from a larger AFL-produced crash input.
Describe the bug
OpenApiDocument.LoadthrowsNullReferenceExceptionfromMicrosoft.OpenApi.OpenApiWorkspace.RegisterComponentswhen an OpenAPI 3.1 document contains acomponents/schemasentry whose value is a JSON boolean - e.g."X": true.The input is spec-valid. OpenAPI 3.1 §4.8.24 defines its Schema Object as "a superset of the JSON Schema Specification Draft 2020-12", and JSON Schema 2020-12 §4.3.2 "Boolean JSON Schemas" permits a schema to be the literal
true(always validates) orfalse(never validates). The parser should either materialize a proper schema value for these entries or surface a structured diagnostic - not throwNullReferenceException.Affected:
Microsoft.OpenApi3.5.2 (latest release)mainat78e17ca(2026-04-23) - still reproducesOpenApi File To Reproduce
55-byte JSON file:
{"openapi":"3.1.0","components":{"schemas":{"X":true}}}infois a required field per the OpenAPI spec, but the deserializer still reachesRegisterComponentswithout it, so it can be omitted from the minimal repro. Adding"info":{"title":"x","version":"1"}does not change the behavior.Expected behavior
The parser should not throw
NullReferenceExceptionon a spec-valid OpenAPI 3.1 document. Either accepting the boolean schema or surfacing a structured diagnostic would be fine - how boolean schemas are represented in the object model is a design decision for the maintainers.Screenshots/Code Snippets
Repro:
Stack trace:
When the schema deserializer encounters a bare boolean in place of a schema object, the resulting
Components.Schemasdictionary contains an entry with anullvalue. Thedocument?.Components == nullguard at the top ofRegisterComponentsdoes not catch this; the per-entry dereference then throws.The same loop shape exists for every other component map in this method - Parameters, Responses, RequestBodies, Links, Callbacks, Examples, Headers, SecuritySchemes, PathItems - and may be worth a consistency audit for the same null-value pattern.
Additional context
Microsoft.OpenApi3.5.2. The 55-byte repro above is minimized from a larger AFL-produced crash input.