Action not permitted
Modal body text goes here.
Modal Title
Modal Body
CVE-2025-55247 (GCVE-0-2025-55247)
Vulnerability from cvelistv5 – Published: 2025-10-14 17:00 – Updated: 2026-02-22 17:24
VLAI?
EPSS
Title
.NET Elevation of Privilege Vulnerability
Summary
Improper link resolution before file access ('link following') in .NET allows an authorized attacker to elevate privileges locally.
Severity ?
CWE
- CWE-59 - Improper Link Resolution Before File Access ('Link Following')
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-55247",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-15T13:49:15.190184Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-10-15T13:49:44.240Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": ".NET 8.0",
"vendor": "Microsoft",
"versions": [
{
"lessThan": "8.0.21",
"status": "affected",
"version": "8.0.0",
"versionType": "custom"
}
]
},
{
"product": ".NET 9.0",
"vendor": "Microsoft",
"versions": [
{
"lessThan": "9.0.10",
"status": "affected",
"version": "9.0.0",
"versionType": "custom"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:microsoft:.net:*:*:*:*:*:*:*:*",
"versionEndExcluding": "8.0.21",
"versionStartIncluding": "8.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:microsoft:.net:*:*:*:*:*:*:*:*",
"versionEndExcluding": "9.0.10",
"versionStartIncluding": "9.0.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"datePublic": "2025-10-14T14:00:00.000Z",
"descriptions": [
{
"lang": "en-US",
"value": "Improper link resolution before file access (\u0027link following\u0027) in .NET allows an authorized attacker to elevate privileges locally."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.3,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en-US",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-59",
"description": "CWE-59: Improper Link Resolution Before File Access (\u0027Link Following\u0027)",
"lang": "en-US",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-22T17:24:10.799Z",
"orgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
"shortName": "microsoft"
},
"references": [
{
"name": ".NET Elevation of Privilege Vulnerability",
"tags": [
"vendor-advisory",
"patch"
],
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-55247"
}
],
"title": ".NET Elevation of Privilege Vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
"assignerShortName": "microsoft",
"cveId": "CVE-2025-55247",
"datePublished": "2025-10-14T17:00:09.501Z",
"dateReserved": "2025-08-11T20:26:16.634Z",
"dateUpdated": "2026-02-22T17:24:10.799Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"vulnerability-lookup:meta": {
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2025-55247\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-10-15T13:49:15.190184Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-10-15T13:49:39.352Z\"}}], \"cna\": {\"title\": \".NET Elevation of Privilege Vulnerability\", \"metrics\": [{\"format\": \"CVSS\", \"cvssV3_1\": {\"version\": \"3.1\", \"baseScore\": 7.3, \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C\"}, \"scenarios\": [{\"lang\": \"en-US\", \"value\": \"GENERAL\"}]}], \"affected\": [{\"vendor\": \"Microsoft\", \"product\": \".NET 8.0\", \"versions\": [{\"status\": \"affected\", \"version\": \"8.0.0\", \"lessThan\": \"8.0.21\", \"versionType\": \"custom\"}]}, {\"vendor\": \"Microsoft\", \"product\": \".NET 9.0\", \"versions\": [{\"status\": \"affected\", \"version\": \"9.0.0\", \"lessThan\": \"9.0.10\", \"versionType\": \"custom\"}]}], \"datePublic\": \"2025-10-14T14:00:00.000Z\", \"references\": [{\"url\": \"https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-55247\", \"name\": \".NET Elevation of Privilege Vulnerability\", \"tags\": [\"vendor-advisory\", \"patch\"]}], \"descriptions\": [{\"lang\": \"en-US\", \"value\": \"Improper link resolution before file access (\u0027link following\u0027) in .NET allows an authorized attacker to elevate privileges locally.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en-US\", \"type\": \"CWE\", \"cweId\": \"CWE-59\", \"description\": \"CWE-59: Improper Link Resolution Before File Access (\u0027Link Following\u0027)\"}]}], \"cpeApplicability\": [{\"nodes\": [{\"negate\": false, \"cpeMatch\": [{\"criteria\": \"cpe:2.3:a:microsoft:.net:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"8.0.21\", \"versionStartIncluding\": \"8.0.0\"}, {\"criteria\": \"cpe:2.3:a:microsoft:.net:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"9.0.10\", \"versionStartIncluding\": \"9.0.0\"}], \"operator\": \"OR\"}]}], \"providerMetadata\": {\"orgId\": \"f38d906d-7342-40ea-92c1-6c4a2c6478c8\", \"shortName\": \"microsoft\", \"dateUpdated\": \"2026-02-22T17:24:10.799Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2025-55247\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-02-22T17:24:10.799Z\", \"dateReserved\": \"2025-08-11T20:26:16.634Z\", \"assignerOrgId\": \"f38d906d-7342-40ea-92c1-6c4a2c6478c8\", \"datePublished\": \"2025-10-14T17:00:09.501Z\", \"assignerShortName\": \"microsoft\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
}
}
CERTFR-2025-AVI-0880
Vulnerability from certfr_avis - Published: 2025-10-15 - Updated: 2025-10-15
De multiples vulnérabilités ont été découvertes dans Microsoft .Net. Elles permettent à un attaquant de provoquer une élévation de privilèges, une atteinte à la confidentialité des données et un contournement de la politique de sécurité.
Solutions
Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).
Impacted products
| Vendor | Product | Description | ||
|---|---|---|---|---|
| Microsoft | .Net | .NET 8.0 installé sur Mac OS versions antérieures à 8.0.21 | ||
| Microsoft | .Net | Microsoft .NET Framework 4.8 versions antérieures à 4.8.04798.04 | ||
| Microsoft | .Net | .NET 9.0 installé sur Linux versions antérieures à 9.0.10 | ||
| Microsoft | .Net | ASP.NET Core 9.0 versions antérieures à 9.0.10 | ||
| Microsoft | .Net | Microsoft .NET Framework 3.5 et 4.7.2 versions antérieures à 10.0.14393.8519 | ||
| Microsoft | .Net | Microsoft .NET Framework 3.5.1 versions antérieures à 2.0.50727.8981 | ||
| Microsoft | .Net | Microsoft .NET Framework 2.0 Service Pack 2 versions antérieures à 2.0.50727.8981 | ||
| Microsoft | .Net | Microsoft .NET Framework 3.0 Service Pack 2 versions antérieures à 2.0.50727.8981 | ||
| Microsoft | .Net | .NET 9.0 installé sur Mac OS versions antérieures à 9.0.10 | ||
| Microsoft | .Net | ASP.NET Core 2.3 versions antérieures à 2.3.6 | ||
| Microsoft | .Net | ASP.NET Core 8.0 versions antérieures à 8.0.21 | ||
| Microsoft | .Net | Microsoft .NET Framework 3.5 versions antérieures à 2.0.50727.8981 | ||
| Microsoft | .Net | Microsoft .NET Framework 4.6.2/4.7/4.7.1/4.7.2 versions antérieures à 4.7.04137.06 | ||
| Microsoft | .Net | Microsoft .NET Framework 3.5 et 4.8.1 versions antérieures à 4.8.1.09321.01 | ||
| Microsoft | .Net | .NET 8.0 installé sur Linux versions antérieures à 8.0.21 |
References
| Title | Publication Time | Tags | |||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [
{
"description": ".NET 8.0 install\u00e9 sur Mac OS versions ant\u00e9rieures \u00e0 8.0.21",
"product": {
"name": ".Net",
"vendor": {
"name": "Microsoft",
"scada": false
}
}
},
{
"description": "Microsoft .NET Framework 4.8 versions ant\u00e9rieures \u00e0 4.8.04798.04",
"product": {
"name": ".Net",
"vendor": {
"name": "Microsoft",
"scada": false
}
}
},
{
"description": ".NET 9.0 install\u00e9 sur Linux versions ant\u00e9rieures \u00e0 9.0.10",
"product": {
"name": ".Net",
"vendor": {
"name": "Microsoft",
"scada": false
}
}
},
{
"description": "ASP.NET Core 9.0 versions ant\u00e9rieures \u00e0 9.0.10",
"product": {
"name": ".Net",
"vendor": {
"name": "Microsoft",
"scada": false
}
}
},
{
"description": "Microsoft .NET Framework 3.5 et 4.7.2 versions ant\u00e9rieures \u00e0 10.0.14393.8519",
"product": {
"name": ".Net",
"vendor": {
"name": "Microsoft",
"scada": false
}
}
},
{
"description": "Microsoft .NET Framework 3.5.1 versions ant\u00e9rieures \u00e0 2.0.50727.8981",
"product": {
"name": ".Net",
"vendor": {
"name": "Microsoft",
"scada": false
}
}
},
{
"description": "Microsoft .NET Framework 2.0 Service Pack 2 versions ant\u00e9rieures \u00e0 2.0.50727.8981",
"product": {
"name": ".Net",
"vendor": {
"name": "Microsoft",
"scada": false
}
}
},
{
"description": "Microsoft .NET Framework 3.0 Service Pack 2 versions ant\u00e9rieures \u00e0 2.0.50727.8981",
"product": {
"name": ".Net",
"vendor": {
"name": "Microsoft",
"scada": false
}
}
},
{
"description": ".NET 9.0 install\u00e9 sur Mac OS versions ant\u00e9rieures \u00e0 9.0.10",
"product": {
"name": ".Net",
"vendor": {
"name": "Microsoft",
"scada": false
}
}
},
{
"description": "ASP.NET Core 2.3 versions ant\u00e9rieures \u00e0 2.3.6",
"product": {
"name": ".Net",
"vendor": {
"name": "Microsoft",
"scada": false
}
}
},
{
"description": "ASP.NET Core 8.0 versions ant\u00e9rieures \u00e0 8.0.21",
"product": {
"name": ".Net",
"vendor": {
"name": "Microsoft",
"scada": false
}
}
},
{
"description": "Microsoft .NET Framework 3.5 versions ant\u00e9rieures \u00e0 2.0.50727.8981",
"product": {
"name": ".Net",
"vendor": {
"name": "Microsoft",
"scada": false
}
}
},
{
"description": "Microsoft .NET Framework 4.6.2/4.7/4.7.1/4.7.2 versions ant\u00e9rieures \u00e0 4.7.04137.06",
"product": {
"name": ".Net",
"vendor": {
"name": "Microsoft",
"scada": false
}
}
},
{
"description": "Microsoft .NET Framework 3.5 et 4.8.1 versions ant\u00e9rieures \u00e0 4.8.1.09321.01",
"product": {
"name": ".Net",
"vendor": {
"name": "Microsoft",
"scada": false
}
}
},
{
"description": ".NET 8.0 install\u00e9 sur Linux versions ant\u00e9rieures \u00e0 8.0.21",
"product": {
"name": ".Net",
"vendor": {
"name": "Microsoft",
"scada": false
}
}
}
],
"affected_systems_content": "",
"content": "## Solutions\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des correctifs (cf. section Documentation).",
"cves": [
{
"name": "CVE-2025-55248",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-55248"
},
{
"name": "CVE-2025-55247",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-55247"
},
{
"name": "CVE-2025-55315",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-55315"
}
],
"initial_release_date": "2025-10-15T00:00:00",
"last_revision_date": "2025-10-15T00:00:00",
"links": [],
"reference": "CERTFR-2025-AVI-0880",
"revisions": [
{
"description": "Version initiale",
"revision_date": "2025-10-15T00:00:00.000000"
}
],
"risks": [
{
"description": "Contournement de la politique de s\u00e9curit\u00e9"
},
{
"description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
},
{
"description": "\u00c9l\u00e9vation de privil\u00e8ges"
}
],
"summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans Microsoft .Net. Elles permettent \u00e0 un attaquant de provoquer une \u00e9l\u00e9vation de privil\u00e8ges, une atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es et un contournement de la politique de s\u00e9curit\u00e9.",
"title": "Multiples vuln\u00e9rabilit\u00e9s dans Microsoft .Net",
"vendor_advisories": [
{
"published_at": "2025-10-14",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft .Net CVE-2025-55315",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-55315"
},
{
"published_at": "2025-10-14",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft .Net CVE-2025-55247",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-55247"
},
{
"published_at": "2025-10-14",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft .Net CVE-2025-55248",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-55248"
}
]
}
CERTFR-2025-AVI-0897
Vulnerability from certfr_avis - Published: 2025-10-20 - Updated: 2025-10-20
De multiples vulnérabilités ont été découvertes dans Tenable Identity Exposure. Elles permettent à un attaquant de provoquer un problème de sécurité non spécifié par l'éditeur.
Solutions
Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).
Impacted products
| Vendor | Product | Description | ||
|---|---|---|---|---|
| Tenable | Identity Exposure | Identity Exposure versions antérieures à 3.93.4 |
References
| Title | Publication Time | Tags | |||
|---|---|---|---|---|---|
|
|||||
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [
{
"description": "Identity Exposure versions ant\u00e9rieures \u00e0 3.93.4",
"product": {
"name": "Identity Exposure",
"vendor": {
"name": "Tenable",
"scada": false
}
}
}
],
"affected_systems_content": "",
"content": "## Solutions\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des correctifs (cf. section Documentation).",
"cves": [
{
"name": "CVE-2025-55248",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-55248"
},
{
"name": "CVE-2025-55247",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-55247"
},
{
"name": "CVE-2025-55315",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-55315"
}
],
"initial_release_date": "2025-10-20T00:00:00",
"last_revision_date": "2025-10-20T00:00:00",
"links": [],
"reference": "CERTFR-2025-AVI-0897",
"revisions": [
{
"description": "Version initiale",
"revision_date": "2025-10-20T00:00:00.000000"
}
],
"risks": [
{
"description": "Non sp\u00e9cifi\u00e9 par l\u0027\u00e9diteur"
}
],
"summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans Tenable Identity Exposure. Elles permettent \u00e0 un attaquant de provoquer un probl\u00e8me de s\u00e9curit\u00e9 non sp\u00e9cifi\u00e9 par l\u0027\u00e9diteur.",
"title": "Multiples vuln\u00e9rabilit\u00e9s dans Tenable Identity Exposure",
"vendor_advisories": [
{
"published_at": "2025-10-17",
"title": "Bulletin de s\u00e9curit\u00e9 Tenable tns-2025-22",
"url": "https://www.tenable.com/security/tns-2025-22"
}
]
}
CERTFR-2025-AVI-0958
Vulnerability from certfr_avis - Published: 2025-11-04 - Updated: 2025-11-04
De multiples vulnérabilités ont été découvertes dans Tenable Identity Exposure. Certaines d'entre elles permettent à un attaquant de provoquer une élévation de privilèges, un déni de service à distance et une atteinte à la confidentialité des données.
Solutions
Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).
Impacted products
| Vendor | Product | Description | ||
|---|---|---|---|---|
| Tenable | Identity Exposure | Identity Exposure versions antérieures à 3.77.14 |
References
| Title | Publication Time | Tags | |||
|---|---|---|---|---|---|
|
|||||
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [
{
"description": "Identity Exposure versions ant\u00e9rieures \u00e0 3.77.14",
"product": {
"name": "Identity Exposure",
"vendor": {
"name": "Tenable",
"scada": false
}
}
}
],
"affected_systems_content": "",
"content": "## Solutions\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des correctifs (cf. section Documentation).",
"cves": [
{
"name": "CVE-2025-10148",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-10148"
},
{
"name": "CVE-2025-55248",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-55248"
},
{
"name": "CVE-2025-47997",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-47997"
},
{
"name": "CVE-2025-55247",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-55247"
},
{
"name": "CVE-2025-9086",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-9086"
},
{
"name": "CVE-2025-49719",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-49719"
},
{
"name": "CVE-2025-49718",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-49718"
},
{
"name": "CVE-2025-55315",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-55315"
}
],
"initial_release_date": "2025-11-04T00:00:00",
"last_revision_date": "2025-11-04T00:00:00",
"links": [],
"reference": "CERTFR-2025-AVI-0958",
"revisions": [
{
"description": "Version initiale",
"revision_date": "2025-11-04T00:00:00.000000"
}
],
"risks": [
{
"description": "D\u00e9ni de service \u00e0 distance"
},
{
"description": "Atteinte \u00e0 l\u0027int\u00e9grit\u00e9 des donn\u00e9es"
},
{
"description": "Contournement de la politique de s\u00e9curit\u00e9"
},
{
"description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
},
{
"description": "\u00c9l\u00e9vation de privil\u00e8ges"
}
],
"summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans Tenable Identity Exposure. Certaines d\u0027entre elles permettent \u00e0 un attaquant de provoquer une \u00e9l\u00e9vation de privil\u00e8ges, un d\u00e9ni de service \u00e0 distance et une atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es.",
"title": "Multiples vuln\u00e9rabilit\u00e9s dans Tenable Identity Exposure",
"vendor_advisories": [
{
"published_at": "2025-11-03",
"title": "Bulletin de s\u00e9curit\u00e9 Tenable tns-2025-23",
"url": "https://www.tenable.com/security/tns-2025-23"
}
]
}
FKIE_CVE-2025-55247
Vulnerability from fkie_nvd - Published: 2025-10-14 17:15 - Updated: 2025-10-23 15:08
Severity ?
7.3 (High) - CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
7.3 (High) - CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
7.3 (High) - CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
Summary
Improper link resolution before file access ('link following') in .NET allows an authorized attacker to elevate privileges locally.
References
| URL | Tags | ||
|---|---|---|---|
| secure@microsoft.com | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-55247 | Vendor Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:microsoft:.net:*:*:*:*:*:*:*:*",
"matchCriteriaId": "252864D6-F259-4CF9-B811-EFFE60E1C29A",
"versionEndExcluding": "8.0.21",
"versionStartIncluding": "8.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:microsoft:.net:*:*:*:*:*:*:*:*",
"matchCriteriaId": "1772BCDE-28E4-45DB-90B3-51BEE1FEBC92",
"versionEndExcluding": "9.0.10",
"versionStartIncluding": "9.0.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*",
"matchCriteriaId": "703AF700-7A70-47E2-BC3A-7FD03B3CA9C1",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Improper link resolution before file access (\u0027link following\u0027) in .NET allows an authorized attacker to elevate privileges locally."
}
],
"id": "CVE-2025-55247",
"lastModified": "2025-10-23T15:08:42.730",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 1.3,
"impactScore": 5.9,
"source": "secure@microsoft.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 1.3,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2025-10-14T17:15:44.623",
"references": [
{
"source": "secure@microsoft.com",
"tags": [
"Vendor Advisory"
],
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-55247"
}
],
"sourceIdentifier": "secure@microsoft.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-59"
}
],
"source": "secure@microsoft.com",
"type": "Secondary"
}
]
}
cve-2025-55247
Vulnerability from osv_almalinux
Published
2025-10-15 00:00
Modified
2025-11-03 08:46
Summary
Important: .NET 8.0 security update
Details
.NET is a managed-software framework. It implements a subset of the .NET framework APIs and several new APIs, and it includes a CLR implementation.
New versions of .NET that address a security vulnerability are now available. The updated versions are .NET SDK 8.0.121 and .NET Runtime 8.0.21.Security Fix(es):
- dotnet: .NET Information Disclosure Vulnerability (CVE-2025-55248)
- dotnet: .NET Security Feature Bypass Vulnerability (CVE-2025-55315)
- dotnet: .NET Denial of Service Vulnerability (CVE-2025-55247)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
{
"affected": [
{
"package": {
"ecosystem": "AlmaLinux:10",
"name": "aspnetcore-runtime-8.0"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "8.0.21-1.el10_0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:10",
"name": "aspnetcore-runtime-dbg-8.0"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "8.0.21-1.el10_0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:10",
"name": "aspnetcore-targeting-pack-8.0"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "8.0.21-1.el10_0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:10",
"name": "dotnet-apphost-pack-8.0"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "8.0.21-1.el10_0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:10",
"name": "dotnet-hostfxr-8.0"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "8.0.21-1.el10_0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:10",
"name": "dotnet-runtime-8.0"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "8.0.21-1.el10_0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:10",
"name": "dotnet-runtime-dbg-8.0"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "8.0.21-1.el10_0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:10",
"name": "dotnet-sdk-8.0"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "8.0.121-1.el10_0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:10",
"name": "dotnet-sdk-8.0-source-built-artifacts"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "8.0.121-1.el10_0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:10",
"name": "dotnet-sdk-dbg-8.0"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "8.0.121-1.el10_0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:10",
"name": "dotnet-targeting-pack-8.0"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "8.0.21-1.el10_0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:10",
"name": "dotnet-templates-8.0"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "8.0.121-1.el10_0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"details": ".NET is a managed-software framework. It implements a subset of the .NET framework APIs and several new APIs, and it includes a CLR implementation. \n\nNew versions of .NET that address a security vulnerability are now available. The updated versions are .NET SDK 8.0.121 and .NET Runtime 8.0.21.Security Fix(es): \n\n * dotnet: .NET Information Disclosure Vulnerability (CVE-2025-55248)\n * dotnet: .NET Security Feature Bypass Vulnerability (CVE-2025-55315)\n * dotnet: .NET Denial of Service Vulnerability (CVE-2025-55247)\n\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.\n",
"id": "ALSA-2025:18152",
"modified": "2025-11-03T08:46:41Z",
"published": "2025-10-15T00:00:00Z",
"references": [
{
"type": "ADVISORY",
"url": "https://access.redhat.com/errata/RHSA-2025:18152"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2025-55247"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2025-55248"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2025-55315"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2403083"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2403085"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2403086"
},
{
"type": "ADVISORY",
"url": "https://errata.almalinux.org/10/ALSA-2025-18152.html"
}
],
"related": [
"CVE-2025-55248",
"CVE-2025-55315",
"CVE-2025-55247"
],
"summary": "Important: .NET 8.0 security update"
}
cve-2025-55247
Vulnerability from osv_almalinux
Published
2025-10-15 00:00
Modified
2025-10-20 12:11
Summary
Important: .NET 8.0 security update
Details
.NET is a managed-software framework. It implements a subset of the .NET framework APIs and several new APIs, and it includes a CLR implementation.
New versions of .NET that address a security vulnerability are now available. The updated versions are .NET SDK 8.0.121 and .NET Runtime 8.0.21.Security Fix(es):
- dotnet: .NET Information Disclosure Vulnerability (CVE-2025-55248)
- dotnet: .NET Security Feature Bypass Vulnerability (CVE-2025-55315)
- dotnet: .NET Denial of Service Vulnerability (CVE-2025-55247)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
{
"affected": [
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "aspnetcore-runtime-8.0"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "8.0.21-1.el8_10"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "aspnetcore-runtime-dbg-8.0"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "8.0.21-1.el8_10"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "aspnetcore-targeting-pack-8.0"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "8.0.21-1.el8_10"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "dotnet-apphost-pack-8.0"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "8.0.21-1.el8_10"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "dotnet-hostfxr-8.0"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "8.0.21-1.el8_10"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "dotnet-runtime-8.0"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "8.0.21-1.el8_10"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "dotnet-runtime-dbg-8.0"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "8.0.21-1.el8_10"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "dotnet-sdk-8.0"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "8.0.121-1.el8_10"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "dotnet-sdk-8.0-source-built-artifacts"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "8.0.121-1.el8_10"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "dotnet-sdk-dbg-8.0"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "8.0.121-1.el8_10"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "dotnet-targeting-pack-8.0"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "8.0.21-1.el8_10"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "dotnet-templates-8.0"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "8.0.121-1.el8_10"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"details": ".NET is a managed-software framework. It implements a subset of the .NET framework APIs and several new APIs, and it includes a CLR implementation. \n\nNew versions of .NET that address a security vulnerability are now available. The updated versions are .NET SDK 8.0.121 and .NET Runtime 8.0.21.Security Fix(es): \n\n * dotnet: .NET Information Disclosure Vulnerability (CVE-2025-55248)\n * dotnet: .NET Security Feature Bypass Vulnerability (CVE-2025-55315)\n * dotnet: .NET Denial of Service Vulnerability (CVE-2025-55247)\n\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.\n",
"id": "ALSA-2025:18148",
"modified": "2025-10-20T12:11:02Z",
"published": "2025-10-15T00:00:00Z",
"references": [
{
"type": "ADVISORY",
"url": "https://access.redhat.com/errata/RHSA-2025:18148"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2025-55247"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2025-55248"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2025-55315"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2403083"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2403085"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2403086"
},
{
"type": "ADVISORY",
"url": "https://errata.almalinux.org/8/ALSA-2025-18148.html"
}
],
"related": [
"CVE-2025-55248",
"CVE-2025-55315",
"CVE-2025-55247"
],
"summary": "Important: .NET 8.0 security update"
}
cve-2025-55247
Vulnerability from osv_almalinux
Published
2025-10-15 00:00
Modified
2025-11-03 08:55
Summary
Important: .NET 9.0 security update
Details
.NET is a managed-software framework. It implements a subset of the .NET framework APIs and several new APIs, and it includes a CLR implementation.
New versions of .NET that address a security vulnerability are now available. The updated versions are .NET SDK 9.0.111 and .NET Runtime 9.0.10.Security Fix(es):
- dotnet: .NET Information Disclosure Vulnerability (CVE-2025-55248)
- dotnet: .NET Security Feature Bypass Vulnerability (CVE-2025-55315)
- dotnet: .NET Denial of Service Vulnerability (CVE-2025-55247)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
{
"affected": [
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "aspnetcore-runtime-9.0"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "9.0.10-1.el8_10"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "aspnetcore-runtime-dbg-9.0"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "9.0.10-1.el8_10"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "aspnetcore-targeting-pack-9.0"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "9.0.10-1.el8_10"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "dotnet"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "9.0.111-1.el8_10"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "dotnet-apphost-pack-9.0"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "9.0.10-1.el8_10"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "dotnet-host"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "9.0.10-1.el8_10"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "dotnet-hostfxr-9.0"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "9.0.10-1.el8_10"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "dotnet-runtime-9.0"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "9.0.10-1.el8_10"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "dotnet-runtime-dbg-9.0"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "9.0.10-1.el8_10"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "dotnet-sdk-9.0"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "9.0.111-1.el8_10"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "dotnet-sdk-9.0-source-built-artifacts"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "9.0.111-1.el8_10"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "dotnet-sdk-aot-9.0"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "9.0.111-1.el8_10"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "dotnet-sdk-dbg-9.0"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "9.0.111-1.el8_10"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "dotnet-targeting-pack-9.0"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "9.0.10-1.el8_10"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "dotnet-templates-9.0"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "9.0.111-1.el8_10"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "netstandard-targeting-pack-2.1"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "9.0.111-1.el8_10"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"details": ".NET is a managed-software framework. It implements a subset of the .NET framework APIs and several new APIs, and it includes a CLR implementation. \n\nNew versions of .NET that address a security vulnerability are now available. The updated versions are .NET SDK 9.0.111 and .NET Runtime 9.0.10.Security Fix(es): \n\n * dotnet: .NET Information Disclosure Vulnerability (CVE-2025-55248)\n * dotnet: .NET Security Feature Bypass Vulnerability (CVE-2025-55315)\n * dotnet: .NET Denial of Service Vulnerability (CVE-2025-55247)\n\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.\n",
"id": "ALSA-2025:18150",
"modified": "2025-11-03T08:55:12Z",
"published": "2025-10-15T00:00:00Z",
"references": [
{
"type": "ADVISORY",
"url": "https://access.redhat.com/errata/RHSA-2025:18150"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2025-55247"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2025-55248"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2025-55315"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2403083"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2403085"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2403086"
},
{
"type": "ADVISORY",
"url": "https://errata.almalinux.org/8/ALSA-2025-18150.html"
}
],
"related": [
"CVE-2025-55248",
"CVE-2025-55315",
"CVE-2025-55247"
],
"summary": "Important: .NET 9.0 security update"
}
cve-2025-55247
Vulnerability from osv_almalinux
Published
2025-10-15 00:00
Modified
2025-11-03 08:44
Summary
Important: .NET 9.0 security update
Details
.NET is a managed-software framework. It implements a subset of the .NET framework APIs and several new APIs, and it includes a CLR implementation.
New versions of .NET that address a security vulnerability are now available. The updated versions are .NET SDK 9.0.111 and .NET Runtime 9.0.10.Security Fix(es):
- dotnet: .NET Information Disclosure Vulnerability (CVE-2025-55248)
- dotnet: .NET Security Feature Bypass Vulnerability (CVE-2025-55315)
- dotnet: .NET Denial of Service Vulnerability (CVE-2025-55247)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
{
"affected": [
{
"package": {
"ecosystem": "AlmaLinux:10",
"name": "aspnetcore-runtime-9.0"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "9.0.10-1.el10_0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:10",
"name": "aspnetcore-runtime-dbg-9.0"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "9.0.10-1.el10_0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:10",
"name": "aspnetcore-targeting-pack-9.0"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "9.0.10-1.el10_0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:10",
"name": "dotnet-apphost-pack-9.0"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "9.0.10-1.el10_0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:10",
"name": "dotnet-host"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "9.0.10-1.el10_0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:10",
"name": "dotnet-hostfxr-9.0"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "9.0.10-1.el10_0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:10",
"name": "dotnet-runtime-9.0"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "9.0.10-1.el10_0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:10",
"name": "dotnet-runtime-dbg-9.0"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "9.0.10-1.el10_0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:10",
"name": "dotnet-sdk-9.0"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "9.0.111-1.el10_0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:10",
"name": "dotnet-sdk-9.0-source-built-artifacts"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "9.0.111-1.el10_0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:10",
"name": "dotnet-sdk-aot-9.0"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "9.0.111-1.el10_0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:10",
"name": "dotnet-sdk-dbg-9.0"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "9.0.111-1.el10_0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:10",
"name": "dotnet-targeting-pack-9.0"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "9.0.10-1.el10_0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:10",
"name": "dotnet-templates-9.0"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "9.0.111-1.el10_0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:10",
"name": "netstandard-targeting-pack-2.1"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "9.0.111-1.el10_0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"details": ".NET is a managed-software framework. It implements a subset of the .NET framework APIs and several new APIs, and it includes a CLR implementation. \n\nNew versions of .NET that address a security vulnerability are now available. The updated versions are .NET SDK 9.0.111 and .NET Runtime 9.0.10.Security Fix(es): \n\n * dotnet: .NET Information Disclosure Vulnerability (CVE-2025-55248)\n * dotnet: .NET Security Feature Bypass Vulnerability (CVE-2025-55315)\n * dotnet: .NET Denial of Service Vulnerability (CVE-2025-55247)\n\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.\n",
"id": "ALSA-2025:18153",
"modified": "2025-11-03T08:44:34Z",
"published": "2025-10-15T00:00:00Z",
"references": [
{
"type": "ADVISORY",
"url": "https://access.redhat.com/errata/RHSA-2025:18153"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2025-55247"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2025-55248"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2025-55315"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2403083"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2403085"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2403086"
},
{
"type": "ADVISORY",
"url": "https://errata.almalinux.org/10/ALSA-2025-18153.html"
}
],
"related": [
"CVE-2025-55248",
"CVE-2025-55315",
"CVE-2025-55247"
],
"summary": "Important: .NET 9.0 security update"
}
cve-2025-55247
Vulnerability from osv_almalinux
Published
2025-10-15 00:00
Modified
2025-11-03 08:48
Summary
Important: .NET 9.0 security update
Details
.NET is a managed-software framework. It implements a subset of the .NET framework APIs and several new APIs, and it includes a CLR implementation.
New versions of .NET that address a security vulnerability are now available. The updated versions are .NET SDK 9.0.111 and .NET Runtime 9.0.10.Security Fix(es):
- dotnet: .NET Information Disclosure Vulnerability (CVE-2025-55248)
- dotnet: .NET Security Feature Bypass Vulnerability (CVE-2025-55315)
- dotnet: .NET Denial of Service Vulnerability (CVE-2025-55247)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
{
"affected": [
{
"package": {
"ecosystem": "AlmaLinux:9",
"name": "aspnetcore-runtime-9.0"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "9.0.10-1.el9_6"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:9",
"name": "aspnetcore-runtime-dbg-9.0"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "9.0.10-1.el9_6"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:9",
"name": "aspnetcore-targeting-pack-9.0"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "9.0.10-1.el9_6"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:9",
"name": "dotnet-apphost-pack-9.0"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "9.0.10-1.el9_6"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:9",
"name": "dotnet-host"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "9.0.10-1.el9_6"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:9",
"name": "dotnet-hostfxr-9.0"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "9.0.10-1.el9_6"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:9",
"name": "dotnet-runtime-9.0"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "9.0.10-1.el9_6"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:9",
"name": "dotnet-runtime-dbg-9.0"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "9.0.10-1.el9_6"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:9",
"name": "dotnet-sdk-9.0"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "9.0.111-1.el9_6"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:9",
"name": "dotnet-sdk-9.0-source-built-artifacts"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "9.0.111-1.el9_6"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:9",
"name": "dotnet-sdk-aot-9.0"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "9.0.111-1.el9_6"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:9",
"name": "dotnet-sdk-dbg-9.0"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "9.0.111-1.el9_6"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:9",
"name": "dotnet-targeting-pack-9.0"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "9.0.10-1.el9_6"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:9",
"name": "dotnet-templates-9.0"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "9.0.111-1.el9_6"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:9",
"name": "netstandard-targeting-pack-2.1"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "9.0.111-1.el9_6"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"details": ".NET is a managed-software framework. It implements a subset of the .NET framework APIs and several new APIs, and it includes a CLR implementation. \n\nNew versions of .NET that address a security vulnerability are now available. The updated versions are .NET SDK 9.0.111 and .NET Runtime 9.0.10.Security Fix(es): \n\n * dotnet: .NET Information Disclosure Vulnerability (CVE-2025-55248)\n * dotnet: .NET Security Feature Bypass Vulnerability (CVE-2025-55315)\n * dotnet: .NET Denial of Service Vulnerability (CVE-2025-55247)\n\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.\n",
"id": "ALSA-2025:18151",
"modified": "2025-11-03T08:48:44Z",
"published": "2025-10-15T00:00:00Z",
"references": [
{
"type": "ADVISORY",
"url": "https://access.redhat.com/errata/RHSA-2025:18151"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2025-55247"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2025-55248"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2025-55315"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2403083"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2403085"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2403086"
},
{
"type": "ADVISORY",
"url": "https://errata.almalinux.org/9/ALSA-2025-18151.html"
}
],
"related": [
"CVE-2025-55248",
"CVE-2025-55315",
"CVE-2025-55247"
],
"summary": "Important: .NET 9.0 security update"
}
cve-2025-55247
Vulnerability from osv_almalinux
Published
2025-10-15 00:00
Modified
2025-10-20 12:28
Summary
Important: .NET 8.0 security update
Details
.NET is a managed-software framework. It implements a subset of the .NET framework APIs and several new APIs, and it includes a CLR implementation.
New versions of .NET that address a security vulnerability are now available. The updated versions are .NET SDK 8.0.121 and .NET Runtime 8.0.21.Security Fix(es):
- dotnet: .NET Information Disclosure Vulnerability (CVE-2025-55248)
- dotnet: .NET Security Feature Bypass Vulnerability (CVE-2025-55315)
- dotnet: .NET Denial of Service Vulnerability (CVE-2025-55247)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
{
"affected": [
{
"package": {
"ecosystem": "AlmaLinux:9",
"name": "aspnetcore-runtime-8.0"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "8.0.21-1.el9_6"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:9",
"name": "aspnetcore-runtime-dbg-8.0"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "8.0.21-1.el9_6"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:9",
"name": "aspnetcore-targeting-pack-8.0"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "8.0.21-1.el9_6"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:9",
"name": "dotnet-apphost-pack-8.0"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "8.0.21-1.el9_6"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:9",
"name": "dotnet-hostfxr-8.0"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "8.0.21-1.el9_6"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:9",
"name": "dotnet-runtime-8.0"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "8.0.21-1.el9_6"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:9",
"name": "dotnet-runtime-dbg-8.0"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "8.0.21-1.el9_6"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:9",
"name": "dotnet-sdk-8.0"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "8.0.121-1.el9_6"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:9",
"name": "dotnet-sdk-8.0-source-built-artifacts"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "8.0.121-1.el9_6"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:9",
"name": "dotnet-sdk-dbg-8.0"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "8.0.121-1.el9_6"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:9",
"name": "dotnet-targeting-pack-8.0"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "8.0.21-1.el9_6"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:9",
"name": "dotnet-templates-8.0"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "8.0.121-1.el9_6"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"details": ".NET is a managed-software framework. It implements a subset of the .NET framework APIs and several new APIs, and it includes a CLR implementation. \n\nNew versions of .NET that address a security vulnerability are now available. The updated versions are .NET SDK 8.0.121 and .NET Runtime 8.0.21.Security Fix(es): \n\n * dotnet: .NET Information Disclosure Vulnerability (CVE-2025-55248)\n * dotnet: .NET Security Feature Bypass Vulnerability (CVE-2025-55315)\n * dotnet: .NET Denial of Service Vulnerability (CVE-2025-55247)\n\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.\n",
"id": "ALSA-2025:18149",
"modified": "2025-10-20T12:28:15Z",
"published": "2025-10-15T00:00:00Z",
"references": [
{
"type": "ADVISORY",
"url": "https://access.redhat.com/errata/RHSA-2025:18149"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2025-55247"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2025-55248"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2025-55315"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2403083"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2403085"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2403086"
},
{
"type": "ADVISORY",
"url": "https://errata.almalinux.org/9/ALSA-2025-18149.html"
}
],
"related": [
"CVE-2025-55248",
"CVE-2025-55315",
"CVE-2025-55247"
],
"summary": "Important: .NET 8.0 security update"
}
CVE-2025-55247
Vulnerability from fstec - Published: 14.10.2025
VLAI Severity ?
Title
Уязвимость программной платформы .NET, связанная с некорректным определением символических ссылок в ходе осуществления доступа к файлу, позволяющая нарушителю повысить свои привилегии
Description
Уязвимость программной платформы .NET связана с некорректным определением символических ссылок в ходе осуществления доступа к файлу. Эксплуатация уязвимости может позволить нарушителю повысить свои привилегии
Severity ?
Vendor
ООО «Ред Софт», Microsoft Corp
Software Name
РЕД ОС (запись в едином реестре российских программ №3751), .NET
Software Version
7.3 (РЕД ОС), от 9.0 до 9.0.10 (.NET), от 8.0 до 8.0.21 (.NET), 8.0.417 (.NET)
Possible Mitigations
Использование рекомендаций производителя:
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-55247
Для РЕД ОС:
https://redos.red-soft.ru/support/secure/uyazvimosti/mnozhestvennye-uyazvimosti-dotnet-sdk-8-0-cve-2025-55247-cve-2025-55248-cve-2025-55315/?sphrase_id=1338954
Reference
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-55247
https://redos.red-soft.ru/support/secure/uyazvimosti/mnozhestvennye-uyazvimosti-dotnet-sdk-8-0-cve-2025-55247-cve-2025-55248-cve-2025-55315/?sphrase_id=1338954
CWE
CWE-59
{
"CVSS 2.0": "AV:L/AC:L/Au:S/C:C/I:C/A:C",
"CVSS 3.0": "AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H",
"CVSS 4.0": null,
"remediation_\u0418\u0434\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0442\u043e\u0440": "TO2323, TO2324, TO2325",
"remediation_\u041d\u0430\u0438\u043c\u0435\u043d\u043e\u0432\u0430\u043d\u0438\u0435": "TO2323 \u041e\u0431\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u0435 .NET 8.0 (\u043a\u043e\u043c\u043f\u043e\u043d\u0435\u043d\u0442 ASP.NET Core Runtime 8.0.21) (KB5068331), TO2324 \u041e\u0431\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u0435 .NET 8.0 (\u043a\u043e\u043c\u043f\u043e\u043d\u0435\u043d\u0442 ASP.NET Core Runtime 8.0.21) (KB5068331), TO2325 \u041e\u0431\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u0435 .NET 9.0 (\u043a\u043e\u043c\u043f\u043e\u043d\u0435\u043d\u0442 ASP.NET Core Runtime 9.0.10) (KB5068332)",
"\u0412\u0435\u043d\u0434\u043e\u0440 \u041f\u041e": "\u041e\u041e\u041e \u00ab\u0420\u0435\u0434 \u0421\u043e\u0444\u0442\u00bb, Microsoft Corp",
"\u0412\u0435\u0440\u0441\u0438\u044f \u041f\u041e": "7.3 (\u0420\u0415\u0414 \u041e\u0421), \u043e\u0442 9.0 \u0434\u043e 9.0.10 (.NET), \u043e\u0442 8.0 \u0434\u043e 8.0.21 (.NET), 8.0.417 (.NET)",
"\u0412\u043e\u0437\u043c\u043e\u0436\u043d\u044b\u0435 \u043c\u0435\u0440\u044b \u043f\u043e \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0438\u044e": "\u0418\u0441\u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u043d\u0438\u0435 \u0440\u0435\u043a\u043e\u043c\u0435\u043d\u0434\u0430\u0446\u0438\u0439 \u043f\u0440\u043e\u0438\u0437\u0432\u043e\u0434\u0438\u0442\u0435\u043b\u044f:\nhttps://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-55247\n\n\u0414\u043b\u044f \u0420\u0415\u0414 \u041e\u0421:\nhttps://redos.red-soft.ru/support/secure/uyazvimosti/mnozhestvennye-uyazvimosti-dotnet-sdk-8-0-cve-2025-55247-cve-2025-55248-cve-2025-55315/?sphrase_id=1338954",
"\u0414\u0430\u0442\u0430 \u0432\u044b\u044f\u0432\u043b\u0435\u043d\u0438\u044f": "14.10.2025",
"\u0414\u0430\u0442\u0430 \u043f\u043e\u0441\u043b\u0435\u0434\u043d\u0435\u0433\u043e \u043e\u0431\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u044f": "10.02.2026",
"\u0414\u0430\u0442\u0430 \u043f\u0443\u0431\u043b\u0438\u043a\u0430\u0446\u0438\u0438": "23.10.2025",
"\u0418\u0434\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0442\u043e\u0440": "BDU:2025-13256",
"\u0418\u0434\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0442\u043e\u0440\u044b \u0434\u0440\u0443\u0433\u0438\u0445 \u0441\u0438\u0441\u0442\u0435\u043c \u043e\u043f\u0438\u0441\u0430\u043d\u0438\u0439 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "CVE-2025-55247",
"\u0418\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u044f \u043e\u0431 \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0438\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0430",
"\u041a\u043b\u0430\u0441\u0441 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u043a\u043e\u0434\u0430",
"\u041d\u0430\u0437\u0432\u0430\u043d\u0438\u0435 \u041f\u041e": "\u0420\u0415\u0414 \u041e\u0421 (\u0437\u0430\u043f\u0438\u0441\u044c \u0432 \u0435\u0434\u0438\u043d\u043e\u043c \u0440\u0435\u0435\u0441\u0442\u0440\u0435 \u0440\u043e\u0441\u0441\u0438\u0439\u0441\u043a\u0438\u0445 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c \u21163751), .NET",
"\u041d\u0430\u0438\u043c\u0435\u043d\u043e\u0432\u0430\u043d\u0438\u0435 \u041e\u0421 \u0438 \u0442\u0438\u043f \u0430\u043f\u043f\u0430\u0440\u0430\u0442\u043d\u043e\u0439 \u043f\u043b\u0430\u0442\u0444\u043e\u0440\u043c\u044b": "\u041e\u041e\u041e \u00ab\u0420\u0435\u0434 \u0421\u043e\u0444\u0442\u00bb \u0420\u0415\u0414 \u041e\u0421 7.3 (\u0437\u0430\u043f\u0438\u0441\u044c \u0432 \u0435\u0434\u0438\u043d\u043e\u043c \u0440\u0435\u0435\u0441\u0442\u0440\u0435 \u0440\u043e\u0441\u0441\u0438\u0439\u0441\u043a\u0438\u0445 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c \u21163751)",
"\u041d\u0430\u0438\u043c\u0435\u043d\u043e\u0432\u0430\u043d\u0438\u0435 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0439 \u043f\u043b\u0430\u0442\u0444\u043e\u0440\u043c\u044b .NET, \u0441\u0432\u044f\u0437\u0430\u043d\u043d\u0430\u044f \u0441 \u043d\u0435\u043a\u043e\u0440\u0440\u0435\u043a\u0442\u043d\u044b\u043c \u043e\u043f\u0440\u0435\u0434\u0435\u043b\u0435\u043d\u0438\u0435\u043c \u0441\u0438\u043c\u0432\u043e\u043b\u0438\u0447\u0435\u0441\u043a\u0438\u0445 \u0441\u0441\u044b\u043b\u043e\u043a \u0432 \u0445\u043e\u0434\u0435 \u043e\u0441\u0443\u0449\u0435\u0441\u0442\u0432\u043b\u0435\u043d\u0438\u044f \u0434\u043e\u0441\u0442\u0443\u043f\u0430 \u043a \u0444\u0430\u0439\u043b\u0443, \u043f\u043e\u0437\u0432\u043e\u043b\u044f\u044e\u0449\u0430\u044f \u043d\u0430\u0440\u0443\u0448\u0438\u0442\u0435\u043b\u044e \u043f\u043e\u0432\u044b\u0441\u0438\u0442\u044c \u0441\u0432\u043e\u0438 \u043f\u0440\u0438\u0432\u0438\u043b\u0435\u0433\u0438\u0438",
"\u041d\u0430\u043b\u0438\u0447\u0438\u0435 \u044d\u043a\u0441\u043f\u043b\u043e\u0439\u0442\u0430": "\u0414\u0430\u043d\u043d\u044b\u0435 \u0443\u0442\u043e\u0447\u043d\u044f\u044e\u0442\u0441\u044f",
"\u041e\u043f\u0438\u0441\u0430\u043d\u0438\u0435 \u043e\u0448\u0438\u0431\u043a\u0438 CWE": "\u041d\u0435\u0432\u0435\u0440\u043d\u043e\u0435 \u043e\u043f\u0440\u0435\u0434\u0435\u043b\u0435\u043d\u0438\u0435 \u0441\u0441\u044b\u043b\u043a\u0438 \u043f\u0435\u0440\u0435\u0434 \u0434\u043e\u0441\u0442\u0443\u043f\u043e\u043c \u043a \u0444\u0430\u0439\u043b\u0443 (CWE-59)",
"\u041e\u043f\u0438\u0441\u0430\u043d\u0438\u0435 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0439 \u043f\u043b\u0430\u0442\u0444\u043e\u0440\u043c\u044b .NET \u0441\u0432\u044f\u0437\u0430\u043d\u0430 \u0441 \u043d\u0435\u043a\u043e\u0440\u0440\u0435\u043a\u0442\u043d\u044b\u043c \u043e\u043f\u0440\u0435\u0434\u0435\u043b\u0435\u043d\u0438\u0435\u043c \u0441\u0438\u043c\u0432\u043e\u043b\u0438\u0447\u0435\u0441\u043a\u0438\u0445 \u0441\u0441\u044b\u043b\u043e\u043a \u0432 \u0445\u043e\u0434\u0435 \u043e\u0441\u0443\u0449\u0435\u0441\u0442\u0432\u043b\u0435\u043d\u0438\u044f \u0434\u043e\u0441\u0442\u0443\u043f\u0430 \u043a \u0444\u0430\u0439\u043b\u0443. \u042d\u043a\u0441\u043f\u043b\u0443\u0430\u0442\u0430\u0446\u0438\u044f \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438 \u043c\u043e\u0436\u0435\u0442 \u043f\u043e\u0437\u0432\u043e\u043b\u0438\u0442\u044c \u043d\u0430\u0440\u0443\u0448\u0438\u0442\u0435\u043b\u044e \u043f\u043e\u0432\u044b\u0441\u0438\u0442\u044c \u0441\u0432\u043e\u0438 \u043f\u0440\u0438\u0432\u0438\u043b\u0435\u0433\u0438\u0438",
"\u041f\u043e\u0441\u043b\u0435\u0434\u0441\u0442\u0432\u0438\u044f \u044d\u043a\u0441\u043f\u043b\u0443\u0430\u0442\u0430\u0446\u0438\u0438 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": null,
"\u041f\u0440\u043e\u0447\u0430\u044f \u0438\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u044f": null,
"\u0421\u0432\u044f\u0437\u044c \u0441 \u0438\u043d\u0446\u0438\u0434\u0435\u043d\u0442\u0430\u043c\u0438 \u0418\u0411": "\u0414\u0430\u043d\u043d\u044b\u0435 \u0443\u0442\u043e\u0447\u043d\u044f\u044e\u0442\u0441\u044f",
"\u0421\u043e\u0441\u0442\u043e\u044f\u043d\u0438\u0435 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u041e\u043f\u0443\u0431\u043b\u0438\u043a\u043e\u0432\u0430\u043d\u0430",
"\u0421\u043f\u043e\u0441\u043e\u0431 \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0438\u044f": "\u041e\u0431\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u0435 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0433\u043e \u043e\u0431\u0435\u0441\u043f\u0435\u0447\u0435\u043d\u0438\u044f",
"\u0421\u043f\u043e\u0441\u043e\u0431 \u044d\u043a\u0441\u043f\u043b\u0443\u0430\u0442\u0430\u0446\u0438\u0438": "\u041c\u0430\u043d\u0438\u043f\u0443\u043b\u0438\u0440\u043e\u0432\u0430\u043d\u0438\u0435 \u0440\u0435\u0441\u0443\u0440\u0441\u0430\u043c\u0438",
"\u0421\u0441\u044b\u043b\u043a\u0438 \u043d\u0430 \u0438\u0441\u0442\u043e\u0447\u043d\u0438\u043a\u0438": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-55247\nhttps://redos.red-soft.ru/support/secure/uyazvimosti/mnozhestvennye-uyazvimosti-dotnet-sdk-8-0-cve-2025-55247-cve-2025-55248-cve-2025-55315/?sphrase_id=1338954",
"\u0421\u0442\u0430\u0442\u0443\u0441 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u041f\u043e\u0434\u0442\u0432\u0435\u0440\u0436\u0434\u0435\u043d\u0430 \u043f\u0440\u043e\u0438\u0437\u0432\u043e\u0434\u0438\u0442\u0435\u043b\u0435\u043c",
"\u0422\u0438\u043f \u041f\u041e": "\u041e\u043f\u0435\u0440\u0430\u0446\u0438\u043e\u043d\u043d\u0430\u044f \u0441\u0438\u0441\u0442\u0435\u043c\u0430, \u041f\u0440\u0438\u043a\u043b\u0430\u0434\u043d\u043e\u0435 \u041f\u041e \u0438\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u043e\u043d\u043d\u044b\u0445 \u0441\u0438\u0441\u0442\u0435\u043c",
"\u0422\u0438\u043f \u043e\u0448\u0438\u0431\u043a\u0438 CWE": "CWE-59",
"\u0423\u0440\u043e\u0432\u0435\u043d\u044c \u043e\u043f\u0430\u0441\u043d\u043e\u0441\u0442\u0438 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0421\u0440\u0435\u0434\u043d\u0438\u0439 \u0443\u0440\u043e\u0432\u0435\u043d\u044c \u043e\u043f\u0430\u0441\u043d\u043e\u0441\u0442\u0438 (\u0431\u0430\u0437\u043e\u0432\u0430\u044f \u043e\u0446\u0435\u043d\u043a\u0430 CVSS 2.0 \u0441\u043e\u0441\u0442\u0430\u0432\u043b\u044f\u0435\u0442 6,8)\n\u0412\u044b\u0441\u043e\u043a\u0438\u0439 \u0443\u0440\u043e\u0432\u0435\u043d\u044c \u043e\u043f\u0430\u0441\u043d\u043e\u0441\u0442\u0438 (\u0431\u0430\u0437\u043e\u0432\u0430\u044f \u043e\u0446\u0435\u043d\u043a\u0430 CVSS 3.1 \u0441\u043e\u0441\u0442\u0430\u0432\u043b\u044f\u0435\u0442 7,3)"
}
bit-dotnet-2025-55247
Vulnerability from bitnami_vulndb
Published
2025-10-24 14:39
Modified
2025-10-24 15:07
Summary
.NET Elevation of Privilege Vulnerability
Details
Improper link resolution before file access ('link following') in .NET allows an authorized attacker to elevate privileges locally.
{
"affected": [
{
"package": {
"ecosystem": "Bitnami",
"name": "dotnet",
"purl": "pkg:bitnami/dotnet"
},
"ranges": [
{
"events": [
{
"introduced": "8.0.0"
},
{
"fixed": "8.0.21"
},
{
"introduced": "9.0.0"
},
{
"fixed": "9.0.10"
}
],
"type": "SEMVER"
}
],
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
],
"aliases": [
"CVE-2025-55247"
],
"database_specific": {
"cpes": [
"cpe:2.3:a:microsoft:.net:*:*:*:*:*:*:*:*"
],
"severity": "High"
},
"details": "Improper link resolution before file access (\u0027link following\u0027) in .NET allows an authorized attacker to elevate privileges locally.",
"id": "BIT-dotnet-2025-55247",
"modified": "2025-10-24T15:07:36.996Z",
"published": "2025-10-24T14:39:42.027Z",
"references": [
{
"type": "WEB",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-55247"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-55247"
}
],
"schema_version": "1.6.2",
"summary": ".NET Elevation of Privilege Vulnerability"
}
GHSA-W3Q9-FXM7-J8FQ
Vulnerability from github – Published: 2025-10-15 17:28 – Updated: 2025-10-27 20:17
VLAI?
Summary
Microsoft Security Advisory CVE-2025-55247 | .NET Denial of Service Vulnerability
Details
Microsoft Security Advisory CVE-2025-55247 | .NET Denial of Service Vulnerability
Executive summary
Microsoft is releasing this security advisory to provide information about a vulnerability in .NET 8.0.xxx, .NET 9.0.xxx and .NET 10.0.xxx. This advisory also provides guidance on what developers can do to update their environments to remove this vulnerability.
A vulnerability exists in .NET where predictable paths for MSBuild's temporary directories on Linux let another user create the directories ahead of MSBuild, leading to DoS of builds. This only affects .NET on Linux operating systems.
Announcement
Announcement for this issue can be found at https://github.com/dotnet/announcements/issues/370
Mitigation factors
Projects which do not utilize the DownloadFile build task are not susceptible to this vulnerability.
Affected software
- Any installation of .NET 10.0.100-rc.1.25451.107 SDK or earlier.
- Any installation of .NET 9.0.110 SDK, .NET 9.0.305 SDK or earlier.
- Any installation of .NET 8.0.120 SDK, .NET 8.0.317 SDK, .NET 8.0.414 SDK or earlier.
Affected Packages
The vulnerability affects any Microsoft .NET Core project if it uses any of affected packages versions listed below
| Package name | Affected version | Patched version |
|---|---|---|
| Microsoft.Build.Tasks.Core | 17.15.0-preview-25277-114 >=17.14.0, <= 17.14.8 >= 17.12.0, <= 17.12.36 >= 17.11.0, <= 17.11.31 >= 17.10.0, <= 17.10.29 >= 17.8.0, <= 17.8.29 |
18.0.0-preview-25476-107 17.14.28 17.12.50 17.11.48 17.10.46 17.8.43 |
| Package name | Affected version | Patched version |
|---|---|---|
| Microsoft.Build | 17.15.0-preview-25277-114 >=17.14.0, <= 17.14.8 >= 17.12.0, <= 17.12.36 >= 17.11.0, <= 17.11.31 >= 17.10.0, <= 17.10.29 >= 17.8.0, <= 17.8.29 |
18.0.0-preview-25476-107 17.14.28 17.12.50 17.11.48 17.10.46 17.8.43 |
| Package name | Affected version | Patched version |
|---|---|---|
| Microsoft.Build.Utilities.core | 17.15.0-preview-25277-114 >=17.14.0, <= 17.14.8 >= 17.12.0, <= 17.12.36 >= 17.11.0, <= 17.11.31 >= 17.10.0, <= 17.10.29 >= 17.8.0, <= 17.8.29 |
18.0.0-preview-25476-107 17.14.28 17.12.50 17.11.48 17.10.46 17.8.43 |
Advisory FAQ
How do I know if I am affected?
If you have a .NET SDK with a version listed, or an affected package listed in affected software or affected packages, you're exposed to the vulnerability.
How do I fix the issue?
- To fix the issue please install the latest version of .NET 10.0 SDK, .NET 9.0 SDK or .NET 8.0 SDK. If you have installed one or more .NET SDKs through Visual Studio, Visual Studio will prompt you to update Visual Studio, which will also update your .NET SDKs.
-
If your application references the vulnerable package, update the package reference to the patched version.
-
You can list the versions you have installed by running the
dotnet --infocommand. You will see output like the following;
.NET SDK:
Version: 9.0.100
Commit: 59db016f11
Workload version: 9.0.100-manifests.3068a692
MSBuild version: 17.12.7+5b8665660
Runtime Environment:
OS Name: Mac OS X
OS Version: 15.2
OS Platform: Darwin
RID: osx-arm64
Base Path: /usr/local/share/dotnet/sdk/9.0.100/
.NET workloads installed:
There are no installed workloads to display.
Configured to use loose manifests when installing new manifests.
Host:
Version: 9.0.0
Architecture: arm64
Commit: 9d5a6a9aa4
.NET SDKs installed:
9.0.100 [/usr/local/share/dotnet/sdk]
.NET runtimes installed:
Microsoft.AspNetCore.App 9.0.0 [/usr/local/share/dotnet/shared/Microsoft.AspNetCore.App]
Microsoft.NETCore.App 9.0.0 [/usr/local/share/dotnet/shared/Microsoft.NETCore.App]
Other architectures found:
x64 [/usr/local/share/dotnet]
registered at [/etc/dotnet/install_location_x64]
Environment variables:
Not set
global.json file:
Not found
Learn more:
https://aka.ms/dotnet/info
Download .NET:
https://aka.ms/dotnet/download
-
If you're using .NET 10.0, you should download and install the appropriate SDK:
.NET 10.0.100-rc.2.25502.107for Visual Studio 2026 v18 Preview 3. Download from https://dotnet.microsoft.com/download/dotnet-core/10.0. -
If you're using .NET 9.0, you should download and install the appropriate SDK:
.NET 9.0.306for Visual Studio 2022 v17.14 or.NET 9.0.111for v17.12. Download from https://dotnet.microsoft.com/download/dotnet-core/9.0. -
If you're using .NET 8.0, you should download and install the appropriate SDK:
.NET 8.0.415for Visual Studio 2022 v17.11,.NET 8.0.318for v17.10, or.NET 8.0.121for v17.8. Download from https://dotnet.microsoft.com/download/dotnet-core/8.0.
Once you have installed the updated SDK, restart your apps for the update to take effect.
Other Information
Reporting Security Issues
If you have found a potential security issue in .NET 8.0, .NET 9.0 or .NET 10.0, please email details to secure@microsoft.com. Reports may qualify for the Microsoft .NET Core & .NET 5 Bounty. Details of the Microsoft .NET Bounty Program including terms and conditions are at https://aka.ms/corebounty.
Support
You can ask questions about this issue on GitHub in the .NET GitHub organization. The main repos are located at https://github.com/dotnet/runtime. The Announcements repo (https://github.com/dotnet/Announcements) will contain this bulletin as an issue and will include a link to a discussion issue. You can ask questions in the linked discussion issue.
Disclaimer
The information provided in this advisory is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.
External Links
Revisions
V1.0 (October 14, 2025): Advisory published.
Severity ?
7.3 (High)
{
"affected": [
{
"package": {
"ecosystem": "NuGet",
"name": "Microsoft.Build.Tasks.Core"
},
"ranges": [
{
"events": [
{
"introduced": "17.15.0-preview-25277-114"
},
{
"fixed": "18.0.0-preview-25476-107"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"17.15.0-preview-25277-114"
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 17.14.8"
},
"package": {
"ecosystem": "NuGet",
"name": "Microsoft.Build.Tasks.Core"
},
"ranges": [
{
"events": [
{
"introduced": "17.14.0"
},
{
"fixed": "17.14.28"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 17.12.36"
},
"package": {
"ecosystem": "NuGet",
"name": "Microsoft.Build.Tasks.Core"
},
"ranges": [
{
"events": [
{
"introduced": "17.12.0"
},
{
"fixed": "17.12.50"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 17.11.31"
},
"package": {
"ecosystem": "NuGet",
"name": "Microsoft.Build.Tasks.Core"
},
"ranges": [
{
"events": [
{
"introduced": "17.11.0"
},
{
"fixed": "17.11.48"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 17.10.29"
},
"package": {
"ecosystem": "NuGet",
"name": "Microsoft.Build.Tasks.Core"
},
"ranges": [
{
"events": [
{
"introduced": "17.10.0"
},
{
"fixed": "17.10.46"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 17.8.29"
},
"package": {
"ecosystem": "NuGet",
"name": "Microsoft.Build.Tasks.Core"
},
"ranges": [
{
"events": [
{
"introduced": "17.8.0"
},
{
"fixed": "17.8.43"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "Microsoft.Build"
},
"ranges": [
{
"events": [
{
"introduced": "17.15.0-preview-25277-114"
},
{
"fixed": "18.0.0-preview-25476-107"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"17.15.0-preview-25277-114"
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 17.14.8"
},
"package": {
"ecosystem": "NuGet",
"name": "Microsoft.Build"
},
"ranges": [
{
"events": [
{
"introduced": "17.14.0"
},
{
"fixed": "17.14.28"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 17.12.36"
},
"package": {
"ecosystem": "NuGet",
"name": "Microsoft.Build"
},
"ranges": [
{
"events": [
{
"introduced": "17.12.0"
},
{
"fixed": "17.12.50"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 17.11.31"
},
"package": {
"ecosystem": "NuGet",
"name": "Microsoft.Build"
},
"ranges": [
{
"events": [
{
"introduced": "17.11.0"
},
{
"fixed": "17.11.48"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 17.10.29"
},
"package": {
"ecosystem": "NuGet",
"name": "Microsoft.Build"
},
"ranges": [
{
"events": [
{
"introduced": "17.10.0"
},
{
"fixed": "17.10.46"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 17.8.29"
},
"package": {
"ecosystem": "NuGet",
"name": "Microsoft.Build"
},
"ranges": [
{
"events": [
{
"introduced": "17.8.0"
},
{
"fixed": "17.8.43"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "Microsoft.Build.Utilities.Core"
},
"ranges": [
{
"events": [
{
"introduced": "17.15.0-preview-25277-114"
},
{
"fixed": "18.0.0-preview-25476-107"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"17.15.0-preview-25277-114"
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 17.14.8"
},
"package": {
"ecosystem": "NuGet",
"name": "Microsoft.Build.Utilities.Core"
},
"ranges": [
{
"events": [
{
"introduced": "17.14.0"
},
{
"fixed": "17.14.28"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 17.12.36"
},
"package": {
"ecosystem": "NuGet",
"name": "Microsoft.Build.Utilities.Core"
},
"ranges": [
{
"events": [
{
"introduced": "17.12.0"
},
{
"fixed": "17.12.50"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 17.11.31"
},
"package": {
"ecosystem": "NuGet",
"name": "Microsoft.Build.Utilities.Core"
},
"ranges": [
{
"events": [
{
"introduced": "17.11.0"
},
{
"fixed": "17.11.48"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 17.10.29"
},
"package": {
"ecosystem": "NuGet",
"name": "Microsoft.Build.Utilities.Core"
},
"ranges": [
{
"events": [
{
"introduced": "17.10.0"
},
{
"fixed": "17.10.46"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 17.8.29"
},
"package": {
"ecosystem": "NuGet",
"name": "Microsoft.Build.Utilities.Core"
},
"ranges": [
{
"events": [
{
"introduced": "17.8.0"
},
{
"fixed": "17.8.43"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-55247"
],
"database_specific": {
"cwe_ids": [
"CWE-59"
],
"github_reviewed": true,
"github_reviewed_at": "2025-10-15T17:28:15Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "# Microsoft Security Advisory CVE-2025-55247 | .NET Denial of Service Vulnerability\n\n## \u003ca name=\"executive-summary\"\u003e\u003c/a\u003eExecutive summary\n\nMicrosoft is releasing this security advisory to provide information about a vulnerability in .NET 8.0.xxx, .NET 9.0.xxx and .NET 10.0.xxx. This advisory also provides guidance on what developers can do to update their environments to remove this vulnerability.\n\nA vulnerability exists in .NET where predictable paths for MSBuild\u0027s temporary directories on Linux let another user create the directories ahead of MSBuild, leading to DoS of builds. This only affects .NET on Linux operating systems.\n\n## Announcement\n\nAnnouncement for this issue can be found at https://github.com/dotnet/announcements/issues/370\n\n### \u003ca name=\"mitigation-factors\"\u003e\u003c/a\u003eMitigation factors\n\nProjects which do not utilize the [DownloadFile](https://learn.microsoft.com/visualstudio/msbuild/downloadfile-task) build task are not susceptible to this vulnerability.\n\n## \u003ca name=\"affected-software\"\u003e\u003c/a\u003eAffected software\n\n* Any installation of .NET 10.0.100-rc.1.25451.107 SDK or earlier.\n* Any installation of .NET 9.0.110 SDK, .NET 9.0.305 SDK or earlier.\n* Any installation of .NET 8.0.120 SDK, .NET 8.0.317 SDK, .NET 8.0.414 SDK or earlier.\n\n## \u003ca name=\"affected-packages\"\u003e\u003c/a\u003eAffected Packages\n\nThe vulnerability affects any Microsoft .NET Core project if it uses any of affected packages versions listed below\n\nPackage name |Affected version | Patched version\n------------ |---------------- | -------------------------\n[Microsoft.Build.Tasks.Core](https://www.nuget.org/packages/Microsoft.Build.Tasks.Core) | 17.15.0-preview-25277-114 \u003cbr /\u003e\u003e=17.14.0, \u003c= 17.14.8 \u003cbr /\u003e\u003e= 17.12.0, \u003c= 17.12.36 \u003cbr/\u003e \u003e= 17.11.0, \u003c= 17.11.31\u003cbr /\u003e \u003e= 17.10.0, \u003c= 17.10.29 \u003cbr /\u003e \u003e= 17.8.0, \u003c= 17.8.29 \u003cbr /\u003e | 18.0.0-preview-25476-107 \u003cbr /\u003e17.14.28 \u003cbr /\u003e17.12.50 \u003cbr/\u003e17.11.48 \u003cbr /\u003e17.10.46 \u003cbr /\u003e17.8.43 \u003cbr /\u003e\n\n\nPackage name|Affected version | Patched version\n------------ |---------------|----------------\n[Microsoft.Build](https://www.nuget.org/packages/Microsoft.Build) | 17.15.0-preview-25277-114 \u003cbr /\u003e\u003e=17.14.0, \u003c= 17.14.8 \u003cbr /\u003e\u003e= 17.12.0, \u003c= 17.12.36 \u003cbr/\u003e \u003e= 17.11.0, \u003c= 17.11.31\u003cbr /\u003e \u003e= 17.10.0, \u003c= 17.10.29 \u003cbr /\u003e \u003e= 17.8.0, \u003c= 17.8.29 \u003cbr /\u003e | 18.0.0-preview-25476-107 \u003cbr /\u003e17.14.28 \u003cbr /\u003e17.12.50 \u003cbr/\u003e17.11.48 \u003cbr /\u003e17.10.46 \u003cbr /\u003e17.8.43 \u003cbr /\u003e\n\nPackage name |Affected version | Patched version\n------------ |---------------|----------------\n[Microsoft.Build.Utilities.core](https://www.nuget.org/packages/Microsoft.Build.Utilities.Core/17.15.0-preview-25277-114)| 17.15.0-preview-25277-114 \u003cbr /\u003e\u003e=17.14.0, \u003c= 17.14.8 \u003cbr /\u003e\u003e= 17.12.0, \u003c= 17.12.36 \u003cbr/\u003e \u003e= 17.11.0, \u003c= 17.11.31\u003cbr /\u003e \u003e= 17.10.0, \u003c= 17.10.29 \u003cbr /\u003e \u003e= 17.8.0, \u003c= 17.8.29 \u003cbr /\u003e | 18.0.0-preview-25476-107 \u003cbr /\u003e17.14.28 \u003cbr /\u003e17.12.50 \u003cbr/\u003e17.11.48 \u003cbr /\u003e17.10.46 \u003cbr /\u003e17.8.43 \u003cbr /\u003e\n\n## Advisory FAQ\n\n### \u003ca name=\"how-affected\"\u003e\u003c/a\u003eHow do I know if I am affected?\n\nIf you have a .NET SDK with a version listed, or an affected package listed in [affected software](#affected-packages) or [affected packages](#affected-software), you\u0027re exposed to the vulnerability.\n\n### \u003ca name=\"how-fix\"\u003e\u003c/a\u003eHow do I fix the issue?\n\n1. To fix the issue please install the latest version of .NET 10.0 SDK, .NET 9.0 SDK or .NET 8.0 SDK. If you have installed one or more .NET SDKs through Visual Studio, Visual Studio will prompt you to update Visual Studio, which will also update your .NET SDKs.\n2. If your application references the vulnerable package, update the package reference to the patched version.\n\n* You can list the versions you have installed by running the `dotnet --info` command. You will see output like the following;\n\n```\n.NET SDK:\n Version: 9.0.100\n Commit: 59db016f11\n Workload version: 9.0.100-manifests.3068a692\n MSBuild version: 17.12.7+5b8665660\n\nRuntime Environment:\n OS Name: Mac OS X\n OS Version: 15.2\n OS Platform: Darwin\n RID: osx-arm64\n Base Path: /usr/local/share/dotnet/sdk/9.0.100/\n\n.NET workloads installed:\nThere are no installed workloads to display.\nConfigured to use loose manifests when installing new manifests.\n\nHost:\n Version: 9.0.0\n Architecture: arm64\n Commit: 9d5a6a9aa4\n\n.NET SDKs installed:\n 9.0.100 [/usr/local/share/dotnet/sdk]\n\n.NET runtimes installed:\n Microsoft.AspNetCore.App 9.0.0 [/usr/local/share/dotnet/shared/Microsoft.AspNetCore.App]\n Microsoft.NETCore.App 9.0.0 [/usr/local/share/dotnet/shared/Microsoft.NETCore.App]\n\nOther architectures found:\n x64 [/usr/local/share/dotnet]\n registered at [/etc/dotnet/install_location_x64]\n\nEnvironment variables:\n Not set\n\nglobal.json file:\n Not found\n\nLearn more:\n https://aka.ms/dotnet/info\n\nDownload .NET:\n https://aka.ms/dotnet/download\n```\n\n* If you\u0027re using .NET 10.0, you should download and install the appropriate SDK: `.NET 10.0.100-rc.2.25502.107` for Visual Studio 2026 v18 Preview 3. Download from https://dotnet.microsoft.com/download/dotnet-core/10.0.\n\n* If you\u0027re using .NET 9.0, you should download and install the appropriate SDK: `.NET 9.0.306` for Visual Studio 2022 v17.14 or `.NET 9.0.111` for v17.12. Download from https://dotnet.microsoft.com/download/dotnet-core/9.0.\n\n* If you\u0027re using .NET 8.0, you should download and install the appropriate SDK: `.NET 8.0.415` for Visual Studio 2022 v17.11, `.NET 8.0.318` for v17.10, or `.NET 8.0.121` for v17.8. Download from https://dotnet.microsoft.com/download/dotnet-core/8.0.\n\nOnce you have installed the updated SDK, restart your apps for the update to take effect.\n\n## Other Information\n\n### Reporting Security Issues\n\nIf you have found a potential security issue in .NET 8.0, .NET 9.0 or .NET 10.0, please email details to secure@microsoft.com. Reports may qualify for the Microsoft .NET Core \u0026 .NET 5 Bounty. Details of the Microsoft .NET Bounty Program including terms and conditions are at \u003chttps://aka.ms/corebounty\u003e.\n\n### Support\n\nYou can ask questions about this issue on GitHub in the .NET GitHub organization. The main repos are located at https://github.com/dotnet/runtime. The Announcements repo (https://github.com/dotnet/Announcements) will contain this bulletin as an issue and will include a link to a discussion issue. You can ask questions in the linked discussion issue.\n\n### Disclaimer\n\nThe information provided in this advisory is provided \"as is\" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.\n\n### External Links\n\n[CVE-2025-55247]( https://www.cve.org/CVERecord?id=CVE-2025-55247)\n\n### Revisions\n\nV1.0 (October 14, 2025): Advisory published.",
"id": "GHSA-w3q9-fxm7-j8fq",
"modified": "2025-10-27T20:17:30Z",
"published": "2025-10-15T17:28:15Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/dotnet/msbuild/security/advisories/GHSA-w3q9-fxm7-j8fq"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-55247"
},
{
"type": "PACKAGE",
"url": "https://github.com/dotnet/msbuild"
},
{
"type": "WEB",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-55247"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "Microsoft Security Advisory CVE-2025-55247 | .NET Denial of Service Vulnerability"
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…