
.NET: Request 1.3.1 patch release — OpenTelemetry.Api GHSA-g94r-2vxg-569j still present in published NuGet packages #5554

@joslat

Summary

PR #5478 fixed the OpenTelemetry.Api GHSA-g94r-2vxg-569j vulnerability in the MAF source tree, but it was merged ~13 hours after the dotnet-1.3.0 NuGet packages were published. As a result, downstream .NET consumers who reference Microsoft.Agents.AI 1.3.0 (or any 1.3.x package) via NuGet still receive OpenTelemetry.Api 1.15.0 transitively — the vulnerable version.

Affected releases

| NuGet package                 | Version | Published            | Transitive OpenTelemetry.Api |
|-------------------------------|---------|----------------------|------------------------------|
| Microsoft.Agents.AI           | 1.3.0   | 2026-04-24 09:18 UTC | 1.15.0 ⚠️                    |
| Microsoft.Agents.AI.OpenAI    | 1.3.0   | 2026-04-24 09:18 UTC | 1.15.0 ⚠️                    |
| Microsoft.Agents.AI.Workflows | 1.3.0   | 2026-04-24 09:18 UTC | 1.15.0 ⚠️                    |

Vulnerability details

  • Advisory: GHSA-g94r-2vxg-569j, affecting OpenTelemetry.Api ≥ 1.0.0 and < 1.15.3; severity Moderate
  • Patched in: OpenTelemetry.Api 1.15.3
  • Trigger: dotnet list package --vulnerable --include-transitive lists the package, and NuGet audit raises NU1902 (the moderate-severity audit warning) at restore time. CI configurations that set TreatWarningsAsErrors or WarningsAsErrors turn that warning into a build failure. Note that restore audits transitive packages only when NuGetAuditMode is set to all (the default from the .NET 9 SDK; earlier SDKs default to direct), so a project on an older SDK can restore cleanly while the explicit list command still reports the vulnerability.

Impact on downstream consumers

Any .NET project that adds <PackageReference Include="Microsoft.Agents.AI" Version="1.3.0" /> will resolve OpenTelemetry.Api 1.15.0 transitively unless it applies its own override (NuGet's nearest-wins rule lets a direct reference to 1.15.3 win over the transitive 1.15.0). NuGet Central Package Management (CPM) users are especially at risk: a <PackageVersion> entry for OpenTelemetry.Api in Directory.Packages.props applies only to direct <PackageReference> items and is silently ignored for transitive packages (no warning is emitted) unless CentralPackageTransitivePinningEnabled=true is also set.

Workaround (for consumers until a patch is released)

In Directory.Packages.props (shown as a complete file; the ManagePackageVersionsCentrally property is the one that turns CPM on):

<Project>
  <PropertyGroup>
    <ManagePackageVersionsCentrally>true</ManagePackageVersionsCentrally>
    <!-- Without this, <PackageVersion> entries apply only to direct <PackageReference> items -->
    <CentralPackageTransitivePinningEnabled>true</CentralPackageTransitivePinningEnabled>
  </PropertyGroup>

  <ItemGroup>
    <!-- GHSA-g94r-2vxg-569j: force patched transitive dep from MAF 1.3.0 -->
    <PackageVersion Include="OpenTelemetry.Api" Version="1.15.3" />
  </ItemGroup>
</Project>

After restore, re-run dotnet list package --vulnerable --include-transitive to confirm OpenTelemetry.Api now resolves to 1.15.3. Be aware that CentralPackageTransitivePinningEnabled applies to every <PackageVersion> in the file, not just this one, so enabling it can change other transitive resolutions across the repository; review the restored graph, not only this package.

For projects that do not use CPM (ManagePackageVersionsCentrally unset or false), add an explicit direct reference in the .csproj so that nearest-wins overrides the transitive version:

<PackageReference Include="OpenTelemetry.Api" Version="1.15.3" />
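The trigger command and the CPM pitfall described above can be checked mechanically in CI. The script below is an added example, not code from this issue or from the agent-framework repository. It consumes the JSON written by dotnet list package --vulnerable --include-transitive --format json (the --format json switch and the field names projects, frameworks, topLevelPackages, transitivePackages, vulnerabilities, severity and advisoryurl are assumed from the SDK's output and should be confirmed against your SDK version), reads Directory.Packages.props, fails on any finding at or above a severity threshold, and for a transitive package explains whether a CPM pin is actually taking effect. The embedded report and props file are constructed sample inputs that reproduce the situation on this page.

```python
"""CI gate for vulnerable transitive NuGet packages (added example, not project code).

Input 1: JSON from `dotnet list package --vulnerable --include-transitive --format json`
         (field names assumed from the SDK output; verify against your SDK).
Input 2: Directory.Packages.props, to diagnose ineffective CPM pins.
"""
import json
import xml.etree.ElementTree as ET

SEVERITY_RANK = {"Low": 1, "Moderate": 2, "High": 3, "Critical": 4}

# Constructed sample report: the app references Microsoft.Agents.AI 1.3.0 and
# gets OpenTelemetry.Api 1.15.0 transitively, flagged by the Moderate advisory.
SAMPLE_REPORT = json.dumps({
    "version": 1,
    "parameters": "--vulnerable --include-transitive",
    "projects": [{
        "path": "src/App/App.csproj",
        "frameworks": [{
            "framework": "net8.0",
            "topLevelPackages": [],
            "transitivePackages": [{
                "id": "OpenTelemetry.Api",
                "resolvedVersion": "1.15.0",
                "vulnerabilities": [{
                    "severity": "Moderate",
                    "advisoryurl": "https://github.com/advisories/GHSA-g94r-2vxg-569j",
                }],
            }],
        }],
    }],
})

# Constructed props file: the pin is present but transitive pinning is NOT
# enabled, which is exactly the silent-failure case the issue describes.
SAMPLE_PROPS_UNPINNED = """<Project>
  <PropertyGroup>
    <ManagePackageVersionsCentrally>true</ManagePackageVersionsCentrally>
  </PropertyGroup>
  <ItemGroup>
    <PackageVersion Include="Microsoft.Agents.AI" Version="1.3.0" />
    <PackageVersion Include="OpenTelemetry.Api" Version="1.15.3" />
  </ItemGroup>
</Project>"""


def _local(tag):
    """Strip an XML namespace; legacy MSBuild files declare one, SDK-style files do not."""
    return tag.rsplit("}", 1)[-1]


def parse_cpm_props(props_xml):
    """Return (transitive_pinning_enabled, {package id lower-cased: pinned version})."""
    pinning, pins = False, {}
    for el in ET.fromstring(props_xml).iter():
        name = _local(el.tag)
        if name == "CentralPackageTransitivePinningEnabled":
            pinning = (el.text or "").strip().lower() == "true"
        elif name == "PackageVersion" and el.get("Include"):
            pins[el.get("Include").lower()] = el.get("Version")
    return pinning, pins


def load_findings(report_json):
    """Flatten the audit report into one record per (project, package, advisory)."""
    findings = []
    for project in json.loads(report_json).get("projects", []):
        for fw in project.get("frameworks", []):
            for key, transitive in (("topLevelPackages", False), ("transitivePackages", True)):
                for pkg in fw.get(key) or []:
                    for vuln in pkg.get("vulnerabilities") or []:
                        findings.append({
                            "project": project.get("path"), "framework": fw.get("framework"),
                            "id": pkg["id"], "version": pkg.get("resolvedVersion"),
                            "transitive": transitive,
                            "severity": vuln.get("severity", "Unknown"),
                            "advisory": vuln.get("advisoryurl"),
                        })
    return findings


def evaluate(report_json, props_xml=None, fail_at="Moderate"):
    """Return the findings that should fail the build, each with a diagnosis string."""
    pinning, pins = parse_cpm_props(props_xml) if props_xml else (False, {})
    threshold = SEVERITY_RANK[fail_at]
    problems = []
    for f in load_findings(report_json):
        # Unknown severities fail closed: treat them as meeting the threshold.
        if SEVERITY_RANK.get(f["severity"], threshold) < threshold:
            continue
        pin = pins.get(f["id"].lower())
        if f["transitive"] and pin and not pinning:
            reason = (f"<PackageVersion> {pin} is ignored for a transitive package; "
                      "set CentralPackageTransitivePinningEnabled=true")
        elif f["transitive"] and not pin:
            reason = "no override: add a pinned <PackageVersion> or a direct <PackageReference>"
        else:
            reason = "override present but restore still resolved a vulnerable version; re-run restore"
        problems.append({**f, "reason": reason})
    return problems


if __name__ == "__main__":
    import sys
    found = evaluate(SAMPLE_REPORT, SAMPLE_PROPS_UNPINNED)
    for p in found:
        print(f"{p['project']} [{p['framework']}] {p['id']} {p['version']} "
              f"({p['severity']}, transitive={p['transitive']}): {p['reason']}")
    sys.exit(1 if found else 0)
```

In a pipeline, replace the two constructed samples with the real report file and the repository's Directory.Packages.props; the non-zero exit on any finding at or above the threshold is what gates the build. The diagnosis only looks at unconditioned properties, so a CentralPackageTransitivePinningEnabled set inside a conditional PropertyGroup is reported as enabled regardless of the condition.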

Requested action

Please cut a .NET 1.3.1 patch release from the current main (which already contains the fix from PR #5478) so that:

  1. The published NuGet packages declare OpenTelemetry.Api >= 1.15.3 in their dependency graph.
  2. Consumers no longer need to apply manual overrides.
  3. dotnet list package --vulnerable --include-transitive reports clean results for MAF consumers without workarounds.

This is a straightforward patch release — no API changes, only the version bump already merged in PR #5478.


Note: Issue #5481 (now closed) tracked the internal build fix. This issue tracks the missing patch release for the published NuGet packages.
