[security] Insecure transitive dependency to Microsoft.AspNetCore.Server.Kestrel.Core
Describe the bug
Related to version 1.14.0 and probably others too.
WireMock.Net --> WireMock.Net.Minimal ----.NET Framework/.NET Standard-----> Microsoft.AspNetCore v2.2.0 ----> Microsoft.AspNetCore.Server.Kestrel.Core v2.2.0
This package contains a critical security issue (9.9/10): https://github.com/advisories/GHSA-5rrx-jjjq-q2r5.
Expected behavior:
The easiest way is to bump Microsoft.AspNetCore to 2.3.0.
Test to reproduce
Just compile your code with the following switches:
<PropertyGroup>
<NuGetAudit>true</NuGetAudit>
<NuGetAuditMode>all</NuGetAuditMode>
<NuGetAuditLevel>low</NuGetAuditLevel>
</PropertyGroup>
Other related info
It will be great to make the release shortly after the changes.
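The `NuGetAudit` switches above (and `dotnet list package --vulnerable --include-transitive`) are the built-in way to surface this. As an added illustration that is not part of the issue or of WireMock.Net itself, the script below shows what that audit is doing under the hood: it walks the `targets` section of a restore output (`obj/project.assets.json`, whose `PackageId/Version` keys and `dependencies` maps are real NuGet layout), finds the transitive path from `WireMock.Net` to `Microsoft.AspNetCore.Server.Kestrel.Core`, and flags the resolved version if it is below a minimum fixed version. The sample JSON is hand-constructed from the chain quoted in the report, and the `2.3.6` threshold is an assumption taken from the later comment in this thread, not from the advisory text.

```python
import json
from collections import deque
from typing import Dict, List, Optional, Tuple

# Constructed sample shaped like the "targets" section of a NuGet
# obj/project.assets.json: each key is "PackageId/ResolvedVersion" and the
# "dependencies" map lists direct dependencies. The ids and versions mirror
# the chain quoted in the issue; the graph is hand-built for illustration,
# not a real WireMock.Net restore output.
SAMPLE_ASSETS = json.loads("""
{
  "targets": {
    ".NETStandard,Version=v2.0": {
      "WireMock.Net/1.14.0": {
        "type": "package",
        "dependencies": { "WireMock.Net.Minimal": "1.14.0" }
      },
      "WireMock.Net.Minimal/1.14.0": {
        "type": "package",
        "dependencies": { "Microsoft.AspNetCore": "2.2.0" }
      },
      "Microsoft.AspNetCore/2.2.0": {
        "type": "package",
        "dependencies": { "Microsoft.AspNetCore.Server.Kestrel.Core": "2.2.0" }
      },
      "Microsoft.AspNetCore.Server.Kestrel.Core/2.2.0": {
        "type": "package",
        "dependencies": {}
      }
    }
  }
}
""")


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '2.3.6' (or '2.3.6-preview1') into a comparable tuple of ints."""
    core = version.split("-", 1)[0].split("+", 1)[0]
    return tuple(int(part) for part in core.split("."))


def resolved_packages(assets: dict, target_framework: str) -> Dict[str, Tuple[str, List[str]]]:
    """Map package id -> (resolved version, direct dependency ids) for one TFM."""
    packages: Dict[str, Tuple[str, List[str]]] = {}
    for key, entry in assets["targets"][target_framework].items():
        package_id, version = key.split("/", 1)
        packages[package_id] = (version, list(entry.get("dependencies", {}).keys()))
    return packages


def dependency_path(packages: Dict[str, Tuple[str, List[str]]],
                    root: str, target: str) -> Optional[List[str]]:
    """Breadth-first search from root to target; returns 'id/version' hops or None."""
    if root not in packages:
        return None
    parents: Dict[str, Optional[str]] = {root: None}
    queue = deque([root])
    while queue:
        current = queue.popleft()
        if current == target:
            path: List[str] = []
            node: Optional[str] = current
            while node is not None:
                path.append(f"{node}/{packages[node][0]}")
                node = parents[node]
            return list(reversed(path))
        for dep in packages[current][1]:
            if dep in packages and dep not in parents:
                parents[dep] = current
                queue.append(dep)
    return None


def audit_transitive(assets: dict, target_framework: str, root: str,
                     vulnerable_id: str, fixed_version: str) -> dict:
    """Report whether `root` transitively pulls in `vulnerable_id` below `fixed_version`."""
    packages = resolved_packages(assets, target_framework)
    path = dependency_path(packages, root, vulnerable_id)
    if path is None:
        return {"reachable": False, "path": [], "resolved": None, "flagged": False}
    resolved = packages[vulnerable_id][0]
    flagged = parse_version(resolved) < parse_version(fixed_version)
    return {"reachable": True, "path": path, "resolved": resolved, "flagged": flagged}


if __name__ == "__main__":
    # Assumption: 2.3.6 is the minimum fixed version, the figure given later in
    # this thread for Microsoft.AspNetCore.Server.Kestrel.Core; confirm it
    # against the advisory before relying on it.
    report = audit_transitive(SAMPLE_ASSETS, ".NETStandard,Version=v2.0", "WireMock.Net",
                              "Microsoft.AspNetCore.Server.Kestrel.Core", "2.3.6")
    print(" -> ".join(report["path"]))
    print("flagged:", report["flagged"])
```

Run it against a real `obj/project.assets.json` by replacing `SAMPLE_ASSETS` with `json.load(open(path))` and the target framework with the one from your project; the printed path is the same chain the report above writes out by hand, which is useful when the audit warning only names the leaf package.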
@StefH, I have checked it more deeply.
It might not be so trivial to update. To fully resolve this particular issue, Microsoft.AspNetCore should be bumped to 2.3.0 (2.2.0 is out of support) together with Microsoft.AspNetCore.Server.Kestrel.Core to 2.3.6. All this in WireMock.Net.Minimal for .NET Framework 4.6.1, .NET Standard 2.0 and 2.1.
But it is not so simple. The Microsoft.AspNetCore.Server.Kestrel.Core.ListenOptions.Protocols property is marked as internal in this package version, and it is conditionally set in the AspNetCoreSelfHost class.
What is more, Microsoft.AspNetCore.Http.HttpResponse does not implement SupportsTrailers() and AppendTrailer(). Both are needed by OwinResponseMapper.
There are more vulnerable dependencies in .NET Framework 4.5.1 and 4.5.2 and .NET Standard 1.3, but all of them are out of support by Microsoft.
Internally, I have tried to bump Microsoft.AspNetCore.Server.Kestrel.Core to 2.3.6 in the OpenTelemetry test suite. As there are binary breaking changes in minor versions, it basically does not work.
Looking forward to any recommendation/fixes you could provide. If there is no possibility to fix this without breaking changes, I would consider a 2.0 version that drops support for anything older than .NET Standard 2.0/.NET Framework 4.6.2/.NET 8.
My plan is indeed to drop a lot of framework support.
Can you check this PR? https://github.com/wiremock/WireMock.Net/pull/1359
And validate if this could solve this issue?
Unfortunately, I still need to maintain packages targeted to .NET Framework 4.6.2. It would be great to keep this support for the next 2 years as well, then update to 4.7.
I will check your changes shortly.
@Kielek Could you check it?
I reviewed your PR already https://github.com/wiremock/WireMock.Net/pull/1359#issuecomment-3416912874 and I do not see any new big changes in this PR. Am I missing something?