[security] Insecure transitive dependency to Microsoft.AspNetCore.Server.Kestrel.Core #718

New Issue

Open

opened 2025-12-29 08:32:56 +01:00 by adam · 5 comments

adam commented 2025-12-29 08:32:56 +01:00

Owner

Copy Link

Originally created by @Kielek on GitHub (Oct 15, 2025).

Describe the bug

Related to version 1.14.0 and probably other to.

WireMock.Net --> WireMock.Net.Minimal ----.NET Framework/.NET Standard-----> Microsoft.AspNetCore v2.2.0 ----> Microsoft.AspNetCore.Server.Kestrel.Core v2.2.0

This package contains critical security issue (9.9/10) https://github.com/advisories/GHSA-5rrx-jjjq-q2r5.

Expected behavior:

The easiest way is to bump Microsoft.AspNetCore to 2.3.0.

Test to reproduce

Just compile your code with following switches

  <PropertyGroup>
    <NuGetAudit>true</NuGetAudit>
    <NuGetAuditMode>all</NuGetAuditMode>
    <NuGetAuditLevel>low</NuGetAuditLevel>
  </PropertyGroup>

Other related info

It will be great to make the release shortly after the changes.

Originally created by @Kielek on GitHub (Oct 15, 2025). ### Describe the bug Related to version 1.14.0 and probably other to. WireMock.Net --> WireMock.Net.Minimal ----.NET Framework/.NET Standard-----> Microsoft.AspNetCore v2.2.0 ----> Microsoft.AspNetCore.Server.Kestrel.Core v2.2.0 This package contains critical security issue (9.9/10) https://github.com/advisories/GHSA-5rrx-jjjq-q2r5. ### Expected behavior: The easiest way is to bump Microsoft.AspNetCore to 2.3.0. ### Test to reproduce Just compile your code with following switches ```xml <PropertyGroup> <NuGetAudit>true</NuGetAudit> <NuGetAuditMode>all</NuGetAuditMode> <NuGetAuditLevel>low</NuGetAuditLevel> </PropertyGroup> ``` ### Other related info It will be great to make the release shortly after the changes.

adam added the bug label 2025-12-29 08:32:56 +01:00

adam commented 2025-12-29 08:32:57 +01:00

Author

Owner

Copy Link

@Kielek commented on GitHub (Oct 17, 2025):

@StefH, I have check it more deeply.
It might be not so trivial to update. To fully resolve this particular issue Microsoft.AspNetCore should be to 2.3.0 (2.2.0 is out of support) together with Microsoft.AspNetCore.Server.Kestrel.Core to 2.3.6. All this in WireMock.Net.Minimal for .NET Framework 4.6.1 , .NET Standard 2.0 and 2.1.

But it is not so simple. Microsoft.AspNetCore.Server.Kestrel.Core.ListenOptions.Protocols property is marked as internal in this package version and it is conditionally set AspNetCoreSelfHost class.
What is more Microsoft.AspNetCore.Http.HttpResponse does not implement SupportsTrailers() and AppendTrailer(). Both needed by OwinResponseMapper.

There is more vulnerable dependencies in .NET Framework 4.5.1 and 4.5.2 and .NET Standard 1.3 - but all of them are our of support by the Microsoft.

Internally, I have tried to bump Microsoft.AspNetCore.Server.Kestrel.Core to 2.3.6 in OpenTelemetry test suite. As there are binary breaking changes in minor versions it basically is not working.

Looking forward for any recommendation/fixes you could provide. If there will be no possibility to fix without breaking chnages, I would consider 2.0 version with dropping support for anything older than .NET Standard 2.0/.NET Framework 4.6.2/.NET8.

@Kielek commented on GitHub (Oct 17, 2025): @StefH, I have check it more deeply. It might be not so trivial to update. To fully resolve this particular issue `Microsoft.AspNetCore` should be to `2.3.0` (`2.2.0` is out of support) together with `Microsoft.AspNetCore.Server.Kestrel.Core` to `2.3.6`. All this in `WireMock.Net.Minimal` for .NET Framework 4.6.1 , .NET Standard 2.0 and 2.1. But it is not so simple. Microsoft.AspNetCore.Server.Kestrel.Core.ListenOptions.Protocols property is marked as internal in this package version and it is conditionally set `AspNetCoreSelfHost` class. What is more `Microsoft.AspNetCore.Http.HttpResponse` does not implement `SupportsTrailers()` and `AppendTrailer()`. Both needed by `OwinResponseMapper`. There is more vulnerable dependencies in .NET Framework 4.5.1 and 4.5.2 and .NET Standard 1.3 - but all of them are our of support by the Microsoft. Internally, I have tried to bump `Microsoft.AspNetCore.Server.Kestrel.Core` to `2.3.6` in OpenTelemetry test suite. As there are binary breaking changes in minor versions it basically is not working. Looking forward for any recommendation/fixes you could provide. If there will be no possibility to fix without breaking chnages, I would consider 2.0 version with dropping support for anything older than .NET Standard 2.0/.NET Framework 4.6.2/.NET8.

adam commented 2025-12-29 08:32:57 +01:00

Author

Owner

Copy Link

@StefH commented on GitHub (Oct 17, 2025):

My plan is indeed to drop a lot of framework support.

Can you check this PR?
https://github.com/wiremock/WireMock.Net/pull/1359

And validate if this could solve this issue?

@StefH commented on GitHub (Oct 17, 2025): My plan is indeed to drop a lot of framework support. Can you check this PR? https://github.com/wiremock/WireMock.Net/pull/1359 And validate if this could solve this issue?

adam commented 2025-12-29 08:32:57 +01:00

Author

Owner

Copy Link

@Kielek commented on GitHub (Oct 17, 2025):

Unfortunately, I still need to maintain packages targeted to .NET Framework 4.6.2. It will be great to keep this support also by next 2 years. Then updating to 4.7.

I will check your changes shortly.

@Kielek commented on GitHub (Oct 17, 2025): Unfortunately, I still need to maintain packages targeted to .NET Framework 4.6.2. It will be great to keep this support also by next 2 years. Then updating to 4.7. I will check your changes shortly.

adam commented 2025-12-29 08:32:58 +01:00

Author

Owner

Copy Link

@StefH commented on GitHub (Nov 23, 2025):

@Kielek
Could you check it?

@StefH commented on GitHub (Nov 23, 2025): @Kielek Could you check it?

adam commented 2025-12-29 08:32:58 +01:00

Author

Owner

Copy Link

@Kielek commented on GitHub (Nov 24, 2025):

I reviewed your PR already https://github.com/wiremock/WireMock.Net/pull/1359#issuecomment-3416912874 and I do not see any new big changes in this PR. Am I missing something?

@Kielek commented on GitHub (Nov 24, 2025): I reviewed your PR already https://github.com/wiremock/WireMock.Net/pull/1359#issuecomment-3416912874 and I do not see any new big changes in this PR. Am I missing something?

Sign in to join this conversation.

No Branch/Tag Specified

Branches Tags

master

mime-part-matcher

version-2.x

MappingSerializer

1341-mapping-json

stef-aspire-tests-updates

bug/973-TinyMapper

bug/1149-AppendGuidToSavedMappingFile

feature/1150-DockerImageVersion

61

stef-1108

stef-1097

stef-1083-MessageOptions_Type_Conflict

stef-1062-logger

stef-IgnoreOpenApiErrors

stef-928-TypeLoadException-FluentAssertions-net472

nunit

stef-849

stef-847-regex-questionmark

http_verb

WireMockServerContext

webapp

ai

CommandLineArgumentsParser

1.23.0

1.22.0

1.21.0

1.20.0

1.19.0

1.18.0

1.17.0

1.16.0

1.15.0

1.14.0

1.13.0

1.12.0

1.11.2

1.11.0

1.10.1

1.10.0

1.9.1

1.9.0

1.8.18

1.8.17

1.8.16

1.8.15

1.8.14

1.8.13

1.8.12

1.8.11

1.8.10

1.8.9

1.8.8

1.8.7

1.8.6

1.8.5

1.8.3

1.8.2

1.8.1

1.8.0

1.7.4

1.7.3

1.7.2

1.7.1

1.7.0

1.6.12

1.6.11

1.6.10

1.6.9

1.6.8

1.6.7

1.6.6

1.6.5

1.6.4

1.6.3

1.6.2

1.6.1

1.6.0

1.5.62

1.5.61

1.5.60

1.5.59

1.5.58

1.5.57

1.5.56

1.5.55

1.5.54

1.5.53

1.5.52

1.5.51

1.5.50

1.5.49

1.5.48

1.5.47

1.5.46

1.5.45

1.5.44

1.5.43

1.5.42

1.5.41

1.5.40

1.5.39

1.5.38

1.5.37

1.5.36

1.5.35

1.5.34

1.5.33

1.5.32

1.5.31

1.5.30

1.5.29

1.5.28

1.5.27

1.5.26

1.5.25

1.5.24

1.5.23

1.5.22

1.5.21

1.5.20

1.5.19

1.5.18

1.5.17

1.5.16

1.5.15

1.5.14

1.5.13

1.5.12

1.5.11

1.5.10

1.5.9

1.5.8

1.5.7

1.5.6

1.5.5

1.5.4

1.5.3

1.5.2

1.5.1

1.5.0

1.4.43

1.4.42

1.4.41

1.4.40

1.4.39

1.4.38

1.4.37

1.4.36

1.4.35

1.4.34

1.4.33

1.4.32

1.4.31

1.4.30

1.4.29

1.4.28

1.4.27

1.4.26

1.4.25

1.4.24

1.4.23

1.4.22

1.4.21

1.4.20

1.4.19

1.4.18

1.4.17

1.4.16

1.4.15

1.4.14

1.4.13

1.4.12

1.4.11

1.4.10

1.4.9

1.4.8

1.4.7

1.4.6

1.4.5

1.4.4

1.4.3

1.4.2

1.4.1

1.4.0

1.3.10

1.3.9

1.3.8

1.3.6

1.3.5

1.3.4

1.3.3

1.3.2

1.3.1

1.3.0

1.2.18

1.2.17

1.2.16

1.2.15

1.2.14

1.2.13

1.2.12

1.2.11.0

1.2.10

1.2.9.0

1.2.8.0

1.2.7.0

1.2.6.0

1.2.5.0

1.2.4.0

1.2.3.0

1.2.2.0

1.2.1.0

1.2.0.0

1.1.10

1.1.9.0

1.1.8.0

1.1.7.0

1.1.6.0

1.1.5.0

1.1.3.0

1.1.2.0

1.1.1.0

1.1.0.0

1.0.43.0

1.0.42.0

1.0.41.0

1.0.40.0

1.0.39.0

1.0.38.0

1.0.37.0

1.0.36.0

1.0.35.0

1.0.34.0

1.0.33.0

1.0.32.0

1.0.31.0

1.0.29.0

1.0.28.0

1.0.25.0

1.0.24.0

1.0.23.0

1.0.22.0

1.0.21.0

1.0.20.0

1.0.19.0

1.0.18.0

1.0.17.0

1.0.16.0

1.0.15.0

1.0.14.0

1.0.13.0

1.0.12.0

1.0.11.0

1.0.10.0

1.0.9.0

1.0.8.0

1.0.7.0

1.0.6.1

1.0.6

1.0.5

1.0.4.21

1.0.4.20

1.0.4.19

1.0.4.18

1.0.4.17

1.0.4.16

1.0.4.15

1.0.4.14

1.0.4.13

1.0.4.12

1.0.4.11

1.0.4.10

1.0.4.9

1.0.4.8

1.0.4.7

1.0.4.6

1.0.4.5

1.0.4.4

1.0.4.3

1.0.4.2

1.0.4.1

1.0.4.0

1.0.3.20

1.0.3.19

1.0.3.18

1.0.3.17

1.0.3.16

1.0.3.15

1.0.3.14

1.0.3.13

1.0.3.12

1.0.3.11

1.0.3.10

1.0.3.9

1.0.3.8

1.0.3.7

1.0.3.6

1.0.3.5

1.0.3.4

1.0.3.3

1.0.3.2

1.0.3.1

1.0.3.0

1.0.2.13

1.0.2.12

1.0.2.11

1.0.2.10

1.0.2.9

1.0.2.8

1.0.2.7

1.0.2.6

1.0.2.5

1.0.2.4

1.0.2.1

1.0.2.0

1.0.1.5

1.0.1.3

1.0.1.2

1.0.1.1

1.0.0.0

Labels

Clear labels

bug

bug

doc

doc

duplicate

feature

feature

invalid

pull-request

Mirrored from GitHub Pull Request

question

wontfix

No Label bug

Milestone

No items

No Milestone

Projects

Clear projects

No project

Assignees

Clear assignees

adam

No Assignees

1 Participants

Notifications

Subscribe

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: starred/WireMock.Net#718