
Fix critical RCE via System.Text.Encodings.Web 4.5.0 #63

Open
derekbking wants to merge 1 commit into alexhiggins732:master from derekbking:fix/cve-system-text-encodings-web

Conversation

derekbking commented Feb 17, 2026


Summary

  • Fix critical RCE vulnerability (CVSS 9.8) caused by transitive dependency on System.Text.Encodings.Web 4.5.0
  • Replace outdated Microsoft.AspNetCore.Http.Abstractions 2.2.0 and Microsoft.AspNetCore.Mvc.Abstractions 2.2.0 PackageReferences with a single FrameworkReference to Microsoft.AspNetCore.App
  • Since the project targets net8.0, these types are already available through the shared framework — no need for separate NuGet packages from the .NET Core 2.2 era

Vulnerability Details

  • CVE: GHSA-ghhp-997w-qr28
  • Package: System.Text.Encodings.Web 4.5.0
  • Severity: Critical (CVSS 9.8)
  • Dependency chain: IdentityServer8.Security → Microsoft.AspNetCore.Http.Abstractions 2.2.0 → System.Text.Encodings.Web 4.5.0

Test plan

  • Solution builds with 0 errors
  • All existing tests pass
  • Verify no System.Text.Encodings.Web < 8.0.0 in dependency tree

Disclosure: This PR was generated with the assistance of AI (Claude Code by Anthropic).

The IdentityServer8.Security project referenced Microsoft.AspNetCore.Http.Abstractions
and Microsoft.AspNetCore.Mvc.Abstractions at version 2.2.0 (.NET Core 2.2 era).
These brought in a transitive dependency on System.Text.Encodings.Web 4.5.0,
which has a critical RCE vulnerability (CVSS 9.8):
GHSA-ghhp-997w-qr28

Since the project already targets net8.0, these types are available through the
shared framework. Replaced the PackageReferences with a single FrameworkReference
to Microsoft.AspNetCore.App, which provides all the needed types without pulling
in vulnerable transitive dependencies.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
derekbking force-pushed the fix/cve-system-text-encodings-web branch from 82ec450 to 3a5e61a on February 17, 2026 16:25
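The third test-plan item above ("no System.Text.Encodings.Web < 8.0.0 in dependency tree") is the one that actually proves the fix, and it is worth automating rather than eyeballing. The script below is an added example, not code from this PR or from the IdentityServer8 project: it reads the human-readable output of `dotnet list package --include-transitive` (the row layout `> Package.Id  <requested>  <resolved>` for top-level packages and `> Package.Id  <resolved>` for transitive ones is assumed from the SDK's listing format) and fails when the resolved System.Text.Encodings.Web version is below a minimum. The two listings embedded in it are constructed to resemble the project before and after the PR; the 8.0.0 entry in the "after" sample is hypothetical, included only to exercise the not-below-minimum path, since a FrameworkReference to Microsoft.AspNetCore.App does not show up as a package at all.

```shell
#!/bin/sh
# Added example for the test-plan step "no System.Text.Encodings.Web < 8.0.0 in the
# dependency tree". Not part of the PR or of IdentityServer8. Parses the text output of
# `dotnet list package --include-transitive` (row layout assumed from the .NET SDK's
# listing) and returns non-zero if System.Text.Encodings.Web resolves below a minimum.

# version_lt A B: succeed (exit 0) when dotted-numeric version A is lower than B.
# Pre-release suffixes such as "8.0.0-preview.1" are dropped; missing segments count as 0.
version_lt() {
    a="${1%%-*}."
    b="${2%%-*}."
    while [ -n "$a" ] || [ -n "$b" ]; do
        x="${a%%.*}"; a="${a#*.}"
        y="${b%%.*}"; b="${b#*.}"
        if [ "${x:-0}" -lt "${y:-0}" ]; then return 0; fi
        if [ "${x:-0}" -gt "${y:-0}" ]; then return 1; fi
    done
    return 1
}

# check_encodings_web MIN: read a `dotnet list package --include-transitive` listing on
# stdin, print every System.Text.Encodings.Web row resolved below MIN, and return 1 if
# any were found (0 otherwise), so the function can gate a CI job.
check_encodings_web() {
    min="$1"
    found=0
    # Rows look like "   > Package.Id   <requested>   <resolved>" (top-level)
    #            or  "   > Package.Id   <resolved>"               (transitive)
    while read -r marker pkg ver rest; do
        [ "$marker" = ">" ] || continue
        [ "$pkg" = "System.Text.Encodings.Web" ] || continue
        resolved="${rest:-$ver}"   # top-level rows carry requested, then resolved
        if version_lt "$resolved" "$min"; then
            echo "VULNERABLE: $pkg resolved $resolved < $min"
            found=1
        fi
    done
    return "$found"
}

# Constructed sample: shape of the listing before the PR, with the 2.2.0 abstractions
# packages pulling System.Text.Encodings.Web 4.5.0 in transitively.
SAMPLE_BEFORE=$(cat <<'EOF'
Project 'IdentityServer8.Security' has the following package references
   [net8.0]:
   Top-level Package                          Requested   Resolved
   > Microsoft.AspNetCore.Http.Abstractions   2.2.0       2.2.0
   > Microsoft.AspNetCore.Mvc.Abstractions    2.2.0       2.2.0

   Transitive Package                         Resolved
   > Microsoft.Extensions.Primitives          2.2.0
   > System.Text.Encodings.Web                4.5.0
EOF
)

# Constructed sample: shape of the listing after the PR. The FrameworkReference does not
# appear as a package; the 8.0.0 row is hypothetical, present only to exercise the
# not-below-minimum path.
SAMPLE_AFTER=$(cat <<'EOF'
Project 'IdentityServer8.Security' has the following package references
   [net8.0]:
   Top-level Package                          Requested   Resolved
   > Microsoft.Extensions.Primitives          8.0.0       8.0.0

   Transitive Package                         Resolved
   > System.Text.Encodings.Web                8.0.0
EOF
)

# Stand-alone demonstration on the constructed samples. Against a real checkout:
#   dotnet list package --include-transitive | check_encodings_web 8.0.0
if printf '%s\n' "$SAMPLE_BEFORE" | check_encodings_web 8.0.0; then
    echo "before: clean"
else
    echo "before: vulnerable version present"
fi
if printf '%s\n' "$SAMPLE_AFTER" | check_encodings_web 8.0.0; then
    echo "after: clean"
else
    echo "after: vulnerable version present"
fi
```

The SDK's own `dotnet list package --vulnerable --include-transitive` consults the package source's advisory data and is the better primary check when the build machine is online; the fixed-version gate above is useful because it runs offline on a saved listing and pins the exact floor the PR's test plan states, rather than depending on what the advisory feed says on a given day.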