
Microsoft.Azure.Functions.Worker.Sdk pulling vulnerable Newtonsoft.Json 10.0.2

Open Naveen194 opened this issue 4 months ago • 4 comments

I am trying to create a function app using Microsoft.Azure.Functions.Worker.Sdk (2.0.5). It internally tries to pull Newtonsoft.Json 10.0.2 even though it is not mentioned as a dependency. This Newtonsoft version is vulnerable, and hence I am getting a package restore error from my NuGet feed:

The feed lists package 'Newtonsoft.Json.10.0.2' but multiple attempts to download the nupkg have failed. The feed is either invalid or required packages were removed while the current operation was in progress. Verify the package exists on the feed and try again.
1>Failed to restore C:\Users\jmy9smc\source\repos\WebApplication1\WebApplication1\obj\Debug\net8.0\WorkerExtensions\WorkerExtensions.csproj (in 10.37 sec).

I tried many solutions, such as forcing the version in the csproj file (13.0.3) and setting PrivateAssets to all, but nothing worked.

Can someone who owns this package (Microsoft.Azure.Functions.Worker.Sdk) upgrade the Newtonsoft.Json version, please?

Naveen194 avatar Aug 08 '25 12:08 Naveen194

Can you provide a minimal repro? I tried the steps below and couldn't repro the issue. I installed the latest template, since mine were outdated for some reason even though I had installed the latest Azure Functions Core Tools 4.1.0. The latest template uses Microsoft.Azure.Functions.Worker.Sdk 2.0.5.

➜ dotnet new install Microsoft.Azure.Functions.Worker.ProjectTemplates::4.0.5212

➜ dotnet new func --Framework net8.0 --AzureFunctionsVersion v4 --name pulling-vuln-newtonsoftjson-issue2624 --StorageConnectionStringValue UseDevelopmentStorage=true --force
The template "Azure Functions" was created successfully.

Processing post-creation actions... Restoring C:\repos\repros\azure-functions\pulling-vuln-newtonsoftjson-issue2624\pulling-vuln-newtonsoftjson-issue2624.csproj: Restore succeeded.

➜ dotnet list package --include-transitive --vulnerable
Restore complete (0,3s)

Build succeeded in 0,5s

The following sources were used: https://api.nuget.org/v3/index.json

The given project pulling-vuln-newtonsoftjson-issue2624 has no vulnerable packages given the current sources.

➜ dotnet nuget why .\pulling-vuln-newtonsoftjson-issue2624.csproj Newtonsoft.Json
Project 'pulling-vuln-newtonsoftjson-issue2624' does not have a dependency on 'Newtonsoft.Json'.

EDIT: Also tried adding an HTTP trigger to check if that would make it repro, but no change.

➜ func new --template HttpTrigger --name AnHttpTrigger

➜ func --version
4.1.0

Using .NET SDK 8.0.413

It's not showing any usage of Newtonsoft.Json, so it must be something else in your project/solution that tries to pull it in.

Frulfump avatar Aug 08 '25 17:08 Frulfump

Hi @Frulfump, thanks for your comment. Actually it will work when we use api.nuget.org, as there is no restriction on packages there. Since I am using a private NuGet feed, the corresponding Newtonsoft version 10.0.2 is classified as a vulnerable one, so I won't be able to pull the package.

This happens only if I use the Microsoft.Azure.Functions.Worker.Sdk package. It is somehow internally trying to pull Newtonsoft.Json 10.0.2, which is the problem here.

Naveen194 avatar Aug 22 '25 14:08 Naveen194

@Naveen194 Interesting, 10.0.2 is also marked as vulnerable on NuGet.org, but I see that if you use another feed that might block downloads or modify packages, it could cause issues.

I don't see Newtonsoft.Json as a dependency as stated above. If you run dotnet nuget why <your csproj or sln> Newtonsoft.Json what do you see then? It should tell you why Newtonsoft.Json is a part of your dependency graph when using the private feed. If you use NuGet.org and do dotnet nuget why <your csproj or sln> Newtonsoft.Json do you see a different result?

Note: 10.0.2 is very old, released 2017-04-02.

Frulfump avatar Aug 22 '25 17:08 Frulfump

Hi @Frulfump, I checked the output of the Newtonsoft.Json dependencies with and without nuget.org. The results are the same. All the references show 13.0.3, which I added in the csproj file. There was no reference to 10.0.2, but it still somehow tries to pull it. Below are the actions I performed:

1. Removed the nuget.org source.
2. Tried to restore and got the Newtonsoft.Json 10.0.2 error.
3. The dependency graph shows 13.0.3.
4. Added the nuget.org source.
5. Restore passed. No build error.
6. Now tried to check the dependency graph. It still shows the same 13.0.3.

Naveen194 avatar Sep 04 '25 14:09 Naveen194
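The `dotnet nuget why` check suggested above only walks the graph of the project you name, whereas the restore error in the first post is raised for the separate obj\Debug\net8.0\WorkerExtensions\WorkerExtensions.csproj that the Worker SDK generates during build and restores on its own, so a 10.0.2 edge can exist there while the outer graph shows only 13.0.3. The script below is an added audit helper, not code from this issue or from the Azure Functions project: it reads every project.assets.json under obj/ (which covers the generated project) and reports each edge into Newtonsoft.Json together with the version NuGet actually resolved. The sample assets data and the package name Example.Worker.Extension are constructed placeholders, not values from the page.

```python
import json
from pathlib import Path
from typing import Optional

PACKAGE = "Newtonsoft.Json"

def package_edges(assets: dict, package: str = PACKAGE) -> list:
    """Every (tfm, dependant, version range) edge pointing at `package`:
    the project's own PackageReferences plus each resolved package that
    lists it as a dependency, so a transitive pull is not hidden."""
    edges = []
    for tfm, fw in assets.get("project", {}).get("frameworks", {}).items():
        for name, dep in fw.get("dependencies", {}).items():
            if name.lower() == package.lower():
                edges.append((tfm, "<project>", dep.get("version", "?")))
    for tfm, libs in assets.get("targets", {}).items():
        for lib_id, lib in libs.items():
            for name, rng in lib.get("dependencies", {}).items():
                if name.lower() == package.lower():
                    edges.append((tfm, lib_id, rng))
    return edges

def resolved_version(assets: dict, package: str = PACKAGE) -> Optional[str]:
    """Version NuGet actually restored for `package` (from the libraries table)."""
    for lib_id in assets.get("libraries", {}):
        name, _, version = lib_id.partition("/")
        if name.lower() == package.lower():
            return version
    return None

def audit_obj(root: Path, package: str = PACKAGE) -> dict:
    """Scan every project.assets.json below `root` (normally the app's obj/),
    which includes the one restored for the generated WorkerExtensions.csproj."""
    report = {}
    for path in root.rglob("project.assets.json"):
        assets = json.loads(path.read_text(encoding="utf-8"))
        report[str(path)] = {"resolved": resolved_version(assets, package),
                             "edges": package_edges(assets, package)}
    return report

# Constructed samples in the shape of NuGet's project.assets.json (trimmed).
# OUTER pins 13.0.3 directly; INNER stands for the generated project, where a
# hypothetical extension package (placeholder name) still depends on 10.0.2.
OUTER = {"project": {"frameworks": {"net8.0": {"dependencies": {
             "Newtonsoft.Json": {"target": "Package", "version": "[13.0.3, )"}}}}},
         "targets": {"net8.0": {"Newtonsoft.Json/13.0.3": {"type": "package"}}},
         "libraries": {"Newtonsoft.Json/13.0.3": {"type": "package"}}}
INNER = {"project": {"frameworks": {"net8.0": {"dependencies": {}}}},
         "targets": {"net8.0": {"Example.Worker.Extension/1.0.0": {"type": "package",
                                    "dependencies": {"Newtonsoft.Json": "10.0.2"}},
                                "Newtonsoft.Json/10.0.2": {"type": "package"}}},
         "libraries": {"Example.Worker.Extension/1.0.0": {"type": "package"},
                       "Newtonsoft.Json/10.0.2": {"type": "package"}}}
```

Run `audit_obj(Path("obj"))` from the function app directory after a restore attempt; the entry for the WorkerExtensions path names the package that carries the 10.0.2 edge, which is the fact to take to the feed owner or the SDK maintainers.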