twilio/twilio-csharp

Request to upgrade System.Text.RegularExpressions referenced in the sdk from 4.3.0 to 4.3.1.

vnagalingam opened this issue · 1 comments

Issue Summary

Running an SCA scan (Veracode) on the twilio-sharp package reports the following vulnerability:
Denial Of Service (DoS)
.NET Core is vulnerable to denial of service (DoS). It is due to lack of timeouts enforcement for regular expressions.
7.0
High
Data Source: Public Disclosure
Vulnerability ID: CVE-2019-0820

Details

Affected Library: System.Text.RegularExpressions, NUGET, system.text.regularexpressions
Type: Transitive dependency
Affected Version In Use: 4.3.0
Released On: 15 Nov 2016 00:00AM GMT

Suggested Fix

This issue was fixed in version 4.3.1 of System.Text.RegularExpressions. That version is currently considered safe; we suggest that you upgrade to the fixed version.

Technical details:

  • twilio-csharp version: 5.71.0
  • csharp version: net5.0

This issue has been added to our internal backlog to be prioritized. Pull requests and +1s on the issue summary will help it move up the backlog.
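
The report above lists System.Text.RegularExpressions 4.3.0 as a transitive dependency. The following added example (not code from twilio-csharp or from Veracode) shows one way a consuming project can find which package pulls in a version below 4.3.1 by reading NuGet's `obj/project.assets.json`. The sample data is constructed and the intermediate package name `Example.Intermediate` is hypothetical.

```python
import json
from collections import deque

PACKAGE = "System.Text.RegularExpressions"
FIXED = (4, 3, 1)  # fixed version named in the scan report

# Constructed sample in the shape of NuGet's obj/project.assets.json.
# "Example.Intermediate" is hypothetical, not Twilio's real dependency chain.
SAMPLE_ASSETS = json.loads("""
{"targets": {"net5.0": {
  "Twilio/5.71.0": {"type": "package",
                    "dependencies": {"Example.Intermediate": "1.0.0"}},
  "Example.Intermediate/1.0.0": {"type": "package",
                    "dependencies": {"System.Text.RegularExpressions": "4.3.0"}},
  "System.Text.RegularExpressions/4.3.0": {"type": "package"}
}}}
""")


def parse_version(text):
    """'4.3.0' or '4.3.1-preview1' -> (4, 3, 0) / (4, 3, 1); suffix ignored."""
    core = text.split("-")[0].split("+")[0]
    return tuple(int(part) for part in core.split("."))


def find_vulnerable_paths(assets, package=PACKAGE, fixed=FIXED):
    """Return (target, resolved version, shortest path from a root package)
    for every target framework that resolves `package` below `fixed`."""
    findings = []
    for target, libs in assets.get("targets", {}).items():
        resolved = dict(key.split("/", 1) for key in libs)  # name -> version
        if package not in resolved or parse_version(resolved[package]) >= fixed:
            continue
        deps = {name: [d for d in libs[f"{name}/{ver}"].get("dependencies", {})
                       if d in resolved]
                for name, ver in resolved.items()}
        depended_on = {d for children in deps.values() for d in children}
        queue = deque([root] for root in resolved if root not in depended_on)
        seen = set()
        while queue:  # breadth-first, so the first hit is a shortest path
            path = queue.popleft()
            if path[-1] == package:
                findings.append((target, resolved[package], path))
                break
            if path[-1] not in seen:
                seen.add(path[-1])
                queue.extend(path + [d] for d in deps[path[-1]])
    return findings
```

To check a real project, pass `json.load(open("obj/project.assets.json"))` after a restore. Until the upstream package updates, a direct `PackageReference` to System.Text.RegularExpressions 4.3.1 in the consuming project makes NuGet resolve the fixed version instead of the transitive 4.3.0.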