
Multiple vulnerabilities detected #297

@tavanuka

Hello,
According to Rider code analysis and advisories, it has detected that the project has been flagged with multiple vulnerabilities:

CVE-2019-0820

A denial of service vulnerability exists when .NET Framework and .NET Core improperly process RegEx strings, aka '.NET Framework and .NET Core Denial of Service Vulnerability'. This CVE ID is unique from CVE-2019-0980, CVE-2019-0981. After conducting further research, Mend has determined that CVE-2019-0820 only affects environments with versions 4.3.0 and 4.3.1 only on netcore50 environment of system.text.regularexpressions.nupkg.

According to the passage, that would only affect the Reinforced.Typings.Dev solution - more specifically:
Could there be any potential vulnerabilities used an

CVE-2024-21907

Newtonsoft.Json before version 13.0.1 is affected by a mishandling of exceptional conditions vulnerability. Crafted data that is passed to the JsonConvert.DeserializeObject method may trigger a StackOverflow exception resulting in denial of service. Depending on the usage of the library, an unauthenticated and remote attacker may be able to cause the denial of service condition.

This applies to coverlet.collector version 1.3.0 in the Reinforced.Typings.Dev tests project.

Microsoft.NETCore.App 2.1

GHSA-5633-f33j-c6f7 (Severity: Moderate)
GHSA-6px8-22w5-w334 (Severity: High)
GHSA-x5qj-9vmx-7g6g (Severity: Moderate)
GHSA-2xjx-v99w-gqf3 (Severity: High)
GHSA-vgwq-hfqc-58wv (Severity: Moderate)
GHSA-g5vf-38cp-4px9 (Severity: High)
GHSA-3w5p-jhp5-c29q (Severity: High)
GHSA-3gp9-h8hw-pxpw (Severity: Moderate)

Should support for this version be dropped for the Reinforced.Typings.NETCore solution?

Microsoft.NETCore.App 2.2

GHSA-6px8-22w5-w334 (Severity: High)
GHSA-2xjx-v99w-gqf3 (Severity: High)
GHSA-x5qj-9vmx-7g6g (Severity: Moderate)

Same here. Due to .NET deprecation efforts, should support for .NET Core be dropped in favour of .NET, .NET Framework and .NET Standard?

I am not familiar with the development environment for this project, so please bear with me after my quick look around. Feedback is appreciated.
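As an added illustration of the CVE-2024-21907 failure mode quoted above (not code from this issue or from the Reinforced.Typings project): a constructed deeply nested JSON document is handed to `JsonConvert.DeserializeObject`, once with an explicit `MaxDepth` so that the reader rejects it with a `JsonReaderException` instead of recursing until the stack is exhausted. The helper names `BuildNestedArrays` and `TryDeserializeWithDepthLimit` are this example's own; it assumes the Newtonsoft.Json package is referenced.

```csharp
using System;
using System.Text;
using Newtonsoft.Json;

static class DepthLimitDemo
{
    // Constructed payload of the shape the advisory describes: an array
    // nested `depth` levels deep, i.e. "[[[[ ... ]]]]".
    static string BuildNestedArrays(int depth)
    {
        var sb = new StringBuilder(depth * 2);
        sb.Append('[', depth);
        sb.Append(']', depth);
        return sb.ToString();
    }

    // Hardened deserialization: an explicit nesting cap makes the reader
    // throw JsonReaderException once the cap is exceeded, before the
    // recursive descent can consume the whole stack. Newtonsoft.Json 13.0.1
    // applies a default cap of 64; earlier versions only cap when asked.
    static bool TryDeserializeWithDepthLimit(string json, int maxDepth, out object result)
    {
        var settings = new JsonSerializerSettings { MaxDepth = maxDepth };
        try
        {
            result = JsonConvert.DeserializeObject(json, settings);
            return true;
        }
        catch (JsonReaderException ex)
        {
            // Depth violation surfaces here as a normal, catchable exception.
            Console.Error.WriteLine($"rejected: {ex.Message}");
            result = null;
            return false;
        }
    }

    static void Main()
    {
        string shallow = BuildNestedArrays(10);      // ordinary input, within the cap
        string deep = BuildNestedArrays(100_000);    // constructed hostile input

        Console.WriteLine($"shallow accepted: {TryDeserializeWithDepthLimit(shallow, 64, out _)}");
        Console.WriteLine($"deep accepted:    {TryDeserializeWithDepthLimit(deep, 64, out _)}");
    }
}
```

Calling `JsonConvert.DeserializeObject(deep)` with no settings on a pre-13.0.1 build is the uncapped path the advisory warns about; the cap is cheap insurance even after upgrading, because it also covers `JsonTextReader` instances created directly.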
