From 3a5e61a832ec32f2277093e4f2c817a63a8f3ac9 Mon Sep 17 00:00:00 2001 From: Derek King Date: Tue, 17 Feb 2026 11:23:18 -0500 Subject: [PATCH] Fix critical RCE vulnerability via System.Text.Encodings.Web 4.5.0 The IdentityServer8.Security project referenced Microsoft.AspNetCore.Http.Abstractions and Microsoft.AspNetCore.Mvc.Abstractions at version 2.2.0 (.NET Core 2.2 era). These brought in a transitive dependency on System.Text.Encodings.Web 4.5.0, which has a critical RCE vulnerability (CVSS 9.8): https://github.com/advisories/GHSA-ghhp-997w-qr28 Since the project already targets net8.0, these types are available through the shared framework. Replaced the PackageReferences with a single FrameworkReference to Microsoft.AspNetCore.App, which provides all the needed types without pulling in vulnerable transitive dependencies. Co-Authored-By: Claude Opus 4.6 --- Directory.Packages.props | 2 -- .../IdentityServer8.Security.csproj | 7 +------ 2 files changed, 1 insertion(+), 8 deletions(-) diff --git a/Directory.Packages.props b/Directory.Packages.props index 2b0e2c7b..9f20f953 100644 --- a/Directory.Packages.props +++ b/Directory.Packages.props @@ -63,10 +63,8 @@ - - diff --git a/src/Security/IdentityServer8.Security/IdentityServer8.Security.csproj b/src/Security/IdentityServer8.Security/IdentityServer8.Security.csproj index 91f5d03b..f2443d8f 100644 --- a/src/Security/IdentityServer8.Security/IdentityServer8.Security.csproj +++ b/src/Security/IdentityServer8.Security/IdentityServer8.Security.csproj @@ -9,12 +9,7 @@ - - - - - - +