System.Linq.Dynamic.Core
System.Linq.Dynamic.Core enables .NET applications to build LINQ queries from strings at runtime, supporting dynamic filtering, sorting, and projection. It ports Microsoft's dynamic language functionality to .NET Standard and .NET Core, with strict security controls introduced in recent versions.
Key facts
Objective fields from the source. Values we can't verify are shown as “Unknown” rather than guessed.
| Field | Value |
|---|---|
| Repository | zzzprojects/System.Linq.Dynamic.Core |
| Owner | zzzprojects |
| Primary language | C# |
| License | Apache-2.0 — OSI-approved |
| Stars | 1.7k |
| Forks | 245 |
| Open issues | 60 |
| Latest release | v1.7.2 (2026-04-04) |
| Last updated | 2026-06-30 |
| Source | https://github.com/zzzprojects/System.Linq.Dynamic.Core |
What System.Linq.Dynamic.Core is
A string-based dynamic LINQ parser targeting .NET Standard 1.3+ and .NET Core 3.1–9.0, enabling runtime query construction via IQueryable. Recent versions (v1.6.0+) restrict method invocation on object types and limit OrderBy to properties/fields unless explicitly configured, addressing CVE-2024-51417.
Get the System.Linq.Dynamic.Core source
Clone the repository and explore it locally.
git clone https://github.com/zzzprojects/System.Linq.Dynamic.Core.gitcd System.Linq.Dynamic.Core# follow the project's README for install & configurationNeed it deployed, integrated, or customized instead? DEV.co ships production installs.
Best use cases
Implementation considerations
- Configure ParsingConfig strictly: disable AllowEqualsAndToStringMethodsOnObject, enable RestrictOrderByToPropertyOrField, and maintain a CustomTypeProvider whitelist. Failure to do so reintroduces CVE-2024-51417 risks.
- Annotate custom types with [DynamicLinqType] attribute or extend DefaultDynamicLinqCustomTypeProvider to explicitly allow method invocation. Default config (v1.6.0+) only permits standard types.
- Validate and escape all user-supplied query strings before parsing. Use parameter substitution (@0, @1) rather than string interpolation to reduce injection surface.
- Test OrderBy and method-call restrictions in your ParsingConfig before deploying; breaking changes in v1.3.0 and v1.6.0 may require migration of existing queries.
- Monitor CI/SonarCloud quality metrics; project has 60 open issues as of last push (2026-06-30). Review issue tracker for regression or security patches before upgrading.
When to avoid it — and what to weigh
- Untrusted User Input Without Validation — If query strings come directly from end users without sanitization, injection and method-invocation risks persist despite v1.6.0 mitigations. Requires strict allowlisting and ParsingConfig hardening.
- High-Performance, Latency-Sensitive Queries — String parsing and expression tree compilation add runtime overhead compared to compiled LINQ. Not suitable for sub-millisecond query paths or high-throughput batch operations.
- Complex Type Safety Enforcement — Runtime parsing loses compile-time type guarantees. Errors surface at query execution, not build-time. Teams requiring strong static analysis should prefer hand-written LINQ or query builders with type checking.
- Minimal Framework Footprint — The library introduces reflection, expression tree compilation, and method validation overhead. Not suitable for embedded systems, IoT, or size-constrained deployments.
License & commercial use
Licensed under Apache License 2.0 (Apache-2.0), a permissive OSI-approved license. Permits commercial use, modification, and redistribution provided original copyright notice and license text are retained.
Apache-2.0 explicitly permits commercial use without royalty or commercial restriction. Reproduction and modification of the source code are permitted. No additional licensing required for closed-source commercial applications, though attribution is required. Consult legal counsel if you heavily modify and redistribute the library.
DEV.co evaluation signals
Editorial assessment — not user reviews. Directional, with an explicit confidence level.
| Signal | Assessment |
|---|---|
| Maintenance | Active |
| Documentation | Adequate |
| License clarity | Clear |
| Deployment complexity | Low |
| DEV.co fit | Good |
| Assessment confidence | High |
String-based query parsing introduces reflection and method-invocation risks. CVE-2024-51417 prompted v1.6.0 restrictions on object methods and OrderBy expressions. Mitigations include ParsingConfig hardening, [DynamicLinqType] attributes, and CustomTypeProvider whitelisting. No input sanitization is built-in; developers must validate user-supplied query strings. Recommended: use parameter substitution, avoid dynamic string concatenation, audit custom type whitelists, and keep dependencies updated.
Alternatives to consider
LinqKit / PredicateBuilder
Provides programmatic (not string-based) dynamic query construction via expression trees. Type-safe, compiled, and integrates naturally with LINQ; suitable if queries can be generated in C# rather than loaded from external configuration.
OData Query Language
Standardized query syntax and protocol for REST APIs. If you expose query capabilities externally, OData providers (e.g., OData v4 in Entity Framework) offer better tooling, spec compliance, and community support than proprietary string formats.
Specification Pattern / Query Objects
Type-safe, composable, and testable approach to building LINQ queries from domain logic. Avoids runtime parsing overhead and string injection risks; appropriate for internal query layers where developers control query construction.
Build on System.Linq.Dynamic.Core with DEV.co software developers
System.Linq.Dynamic.Core simplifies runtime query construction for EF Core and LINQ. Review the security configuration guide, audit your type whitelists, and evaluate alternatives if you require pure type safety. Contact our team to assess fit for your enterprise data access layer.
Talk to DEV.coRelated open-source tools
Surfaced by semantic similarity across the DEV.co open-source index.
Related on DEV.co
Explore the category and the services that help you build with it.
System.Linq.Dynamic.Core FAQ
Can I use this with Entity Framework Core?
Is it safe to use with untrusted user input?
What happens if I upgrade from v1.2 to v1.6?
Does the library support .NET Framework?
Software development & web development with DEV.co
Adopting System.Linq.Dynamic.Core is usually one piece of a larger software development effort. As a software development agency, DEV.co provides software development services and web development expertise — pairing senior software developers and web developers with your team to design, build, and operate open-source databases software in production.
Ready to Add Dynamic Query Capabilities?
System.Linq.Dynamic.Core simplifies runtime query construction for EF Core and LINQ. Review the security configuration guide, audit your type whitelists, and evaluate alternatives if you require pure type safety. Contact our team to assess fit for your enterprise data access layer.