toddams/RazorLight

Remote Code Execution security vulnerability through transitive dependency on system.text.encodings.web

adrian-ubalde opened this issue · 0 comments

Hello RazorLight team 👋 ,

A recent security vulnerability scan of my application (which has a dependency on RazorLight@2.0.0-rc.3) via the Snyk scan tool, has detected a Remote Code Execution security vulnerability (please see attached screenshot for details).

There is a security vulnerability on the system.text.encodings.web package (detailed here on the Snyk website and in the dotnet website) which the RazorLight@2.0.0-rc.3 package has a transitive dependency on (via direct dependencies on Microsoft.AspNetCore.Html.Abstractions@2.1.0, Microsoft.AspNetCore.Hosting.Abstractions@2.1.0, Microsoft.AspNetCore.Razor.Runtime@2.1.0, Microsoft.AspNetCore.Razor.Runtime@2.1.0).

I was looking to see if there is an available patch for this vulnerability on the Nuget website but I didn't see one. I'm wondering if there are any plans to create a patch for this vulnerability?

Thank you in advance.

Kind regards,
Adrian

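The report above rests on the transitive chain from RazorLight to System.Text.Encodings.Web. As an added example (not code from the issue or the RazorLight project), the following script walks the resolved package graph in a NuGet `project.assets.json` and prints every chain from a top-level package down to a named package, so a team can confirm which direct references pull the flagged package in. The embedded assets excerpt is constructed from the package names and versions named in the issue; the System.Text.Encodings.Web version is a placeholder, not the advisory's affected range.

```python
import json
from typing import Dict, List

# Constructed excerpt in the shape of NuGet's project.assets.json "targets" section.
# Versions for RazorLight and the ASP.NET packages are the ones named in the issue;
# the System.Text.Encodings.Web version is a placeholder (assumption, not the advisory).
SAMPLE_ASSETS = {"targets": {".NETCoreApp,Version=v3.1": {
    "RazorLight/2.0.0-rc.3": {"type": "package", "dependencies": {
        "Microsoft.AspNetCore.Razor.Runtime": "2.1.0",
        "Microsoft.AspNetCore.Html.Abstractions": "2.1.0"}},
    "Microsoft.AspNetCore.Razor.Runtime/2.1.0": {"type": "package", "dependencies": {
        "System.Text.Encodings.Web": "0.0.0-placeholder"}},
    "Microsoft.AspNetCore.Html.Abstractions/2.1.0": {"type": "package", "dependencies": {
        "System.Text.Encodings.Web": "0.0.0-placeholder"}},
    "System.Text.Encodings.Web/0.0.0-placeholder": {"type": "package"},
}}}


def build_graph(assets: dict, framework: str) -> Dict[str, Dict[str, str]]:
    """Map 'Name/Version' -> {dependency name: resolved 'Name/Version'} for one framework."""
    target = assets["targets"][framework]
    # The assets file holds exactly one resolved version per package per framework,
    # so a dependency's version range resolves to the single key with that name.
    by_name = {key.split("/", 1)[0].lower(): key for key in target}
    graph: Dict[str, Dict[str, str]] = {}
    for key, entry in target.items():
        deps = entry.get("dependencies", {})
        graph[key] = {n: by_name[n.lower()] for n in deps if n.lower() in by_name}
    return graph


def paths_to(graph: Dict[str, Dict[str, str]], package_name: str) -> List[List[str]]:
    """Return every dependency chain from a root package (nothing depends on it) to package_name."""
    depended_on = {child for deps in graph.values() for child in deps.values()}
    roots = [key for key in graph if key not in depended_on]
    wanted = package_name.lower()
    found: List[List[str]] = []

    def walk(node: str, path: List[str]) -> None:
        if node.split("/", 1)[0].lower() == wanted:
            found.append(path)
            return
        for child in graph[node].values():
            if child not in path:  # guard against cyclic package graphs
                walk(child, path + [child])

    for root in roots:
        walk(root, [root])
    return found


if __name__ == "__main__":
    graph = build_graph(SAMPLE_ASSETS, ".NETCoreApp,Version=v3.1")
    for chain in paths_to(graph, "System.Text.Encodings.Web"):
        print(" -> ".join(chain))
```

To run it against a real project, replace `SAMPLE_ASSETS` with `json.load(open("obj/project.assets.json"))` and pass the target framework key used in that file.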