
Defense in Depth update for NuGet Client

Low
aortiz-msft published GHSA-g4vj-cjjj-v7hg Apr 14, 2026

Package

nuget NuGet.CommandLine (NuGet)

Affected versions

>= 4.9.0, <= 4.9.6
>= 5.11.0, <= 5.11.6
>= 6.8.0, <= 6.8.1
>= 6.11.0, <= 6.11.1
>= 6.12.0, <= 6.12.4
>= 6.14.0, <= 6.14.2
>= 7.0.0, <= 7.0.2
= 7.3.0

Patched versions

4.9.7
5.11.7
6.8.2
6.11.2
6.12.5
6.14.3
7.0.3
7.3.1
nuget NuGet.Packaging (NuGet)

Affected versions

>= 4.9.0, <= 4.9.6
>= 5.11.0, <= 5.11.6
>= 6.8.0, <= 6.8.1
>= 6.11.0, <= 6.11.1
>= 6.12.0, <= 6.12.4
>= 6.14.0, <= 6.14.2
>= 7.0.0, <= 7.0.2
= 7.3.0

Patched versions

4.9.7
5.11.7
6.8.2
6.11.2
6.12.5
6.14.3
7.0.3
7.3.1

nuget NuGet.Protocol (NuGet)

Affected versions

>= 4.9.0, <= 4.9.6
>= 5.11.0, <= 5.11.6
>= 6.8.0, <= 6.8.1
>= 6.11.0, <= 6.11.1
>= 6.12.0, <= 6.12.4
>= 6.14.0, <= 6.14.2
>= 7.0.0, <= 7.0.2
= 7.3.0

Patched versions

4.9.7
5.11.7
6.8.2
6.11.2
6.12.5
6.14.3
7.0.3
7.3.1

Description

Impact

This update adds validation of the package ID and version during package download, in addition to the existing package signature validation.
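The check the advisory describes, as an added illustration that is not NuGet's own code: after a .nupkg has been downloaded (and its signature verified), the package ID and version declared in the archive's .nuspec are compared with the identity the client actually requested, and the archive is rejected on any mismatch. It assumes the advisory's "validation of the package ID and version" means exactly that comparison; the version normalization is a simplified version of NuGet's rules (build metadata dropped, padding to major.minor.patch, a zero fourth part dropped, prerelease label case-insensitive), and `build_sample_nupkg` only builds constructed, unsigned test archives.

```python
# Added example (not NuGet's own code): a defender-side check that a downloaded
# .nupkg really is the package identity that was requested. Assumption: the
# advisory's "validation of the package ID and version" means comparing the
# identity declared in the package's .nuspec with the identity the client asked
# for. This complements signature verification; it does not replace it.
import io
import zipfile
import xml.etree.ElementTree as ET
from dataclasses import dataclass


@dataclass(frozen=True)
class PackageIdentity:
    id: str
    version: str


class PackageIdentityMismatch(Exception):
    """Raised when the archive's declared identity differs from the request."""


def normalize_version(v: str) -> str:
    """Simplified NuGet version normalization (assumption: covers the common
    rules, not a full SemVer 2.0 parser): strip build metadata, pad to
    major.minor.patch, drop a zero fourth part, lower-case the prerelease label."""
    v = v.strip().split("+", 1)[0]
    core, sep, prerelease = v.partition("-")
    parts = core.split(".")
    if not (1 <= len(parts) <= 4) or not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable version: {v!r}")
    nums = [int(p) for p in parts] + [0] * (3 - len(parts))
    if len(nums) == 4 and nums[3] == 0:
        nums = nums[:3]
    normalized = ".".join(str(n) for n in nums)
    return normalized + ("-" + prerelease.lower() if sep else "")


def _local(tag: str) -> str:
    # Strip the XML namespace; nuspec files use several namespace URIs by version.
    return tag.rsplit("}", 1)[-1]


def read_nuspec_identity(nupkg_bytes: bytes) -> PackageIdentity:
    """Extract <id> and <version> from the single root-level .nuspec in a .nupkg."""
    with zipfile.ZipFile(io.BytesIO(nupkg_bytes)) as zf:
        nuspecs = [n for n in zf.namelist()
                   if n.lower().endswith(".nuspec") and "/" not in n]
        if len(nuspecs) != 1:
            raise ValueError(f"expected one root-level .nuspec, found {len(nuspecs)}")
        root = ET.fromstring(zf.read(nuspecs[0]))
    metadata = next((e for e in root if _local(e.tag) == "metadata"), None)
    if metadata is None:
        raise ValueError("nuspec has no <metadata> element")
    fields = {_local(c.tag): (c.text or "").strip() for c in metadata}
    if not fields.get("id") or not fields.get("version"):
        raise ValueError("nuspec metadata lacks <id> or <version>")
    return PackageIdentity(fields["id"], fields["version"])


def identity_mismatches(requested: PackageIdentity, nupkg_bytes: bytes) -> list[str]:
    """Return a list of problems (empty when the archive matches the request).
    Package IDs are compared case-insensitively, versions in normalized form."""
    actual = read_nuspec_identity(nupkg_bytes)
    problems = []
    if actual.id.lower() != requested.id.lower():
        problems.append(f"id: requested {requested.id!r}, archive declares {actual.id!r}")
    if normalize_version(actual.version) != normalize_version(requested.version):
        problems.append(f"version: requested {requested.version!r}, "
                        f"archive declares {actual.version!r}")
    return problems


def verify_downloaded_package(requested: PackageIdentity, nupkg_bytes: bytes) -> PackageIdentity:
    """Accept the archive only if its declared identity matches the request."""
    problems = identity_mismatches(requested, nupkg_bytes)
    if problems:
        raise PackageIdentityMismatch("; ".join(problems))
    return read_nuspec_identity(nupkg_bytes)


def build_sample_nupkg(pkg_id: str, version: str) -> bytes:
    """Constructed, minimal .nupkg (unsigned) used only to exercise the check."""
    nuspec = (
        '<?xml version="1.0"?>\n'
        '<package xmlns="http://schemas.microsoft.com/packaging/2013/05/nuspec.xsd">\n'
        f"  <metadata><id>{pkg_id}</id><version>{version}</version>\n"
        "  <authors>constructed</authors><description>sample</description></metadata>\n"
        "</package>\n"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(f"{pkg_id}.nuspec", nuspec)
        zf.writestr("lib/netstandard2.0/_._", "")
    return buf.getvalue()


if __name__ == "__main__":
    requested = PackageIdentity("Contoso.Widgets", "1.0")
    print(verify_downloaded_package(requested, build_sample_nupkg("contoso.widgets", "1.0.0")))
    # A package whose nuspec declares a different ID is rejected even though the
    # archive itself is well-formed (and, in a real client, may be validly signed).
    print(identity_mismatches(requested, build_sample_nupkg("Contoso.Widgetz", "1.0.0")))
```

The point of the second call in the `__main__` block is the one the advisory's title ("defense in depth") makes: a well-formed, even validly signed, archive is still rejected when its declared identity is not the one that was requested, so identity validation is a separate layer from signature validation rather than a substitute for it.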

Patches

NuGet

The following NuGet.exe, NuGet.CommandLine, NuGet.Packaging, and NuGet.Protocol versions have been patched:

Affected versions       Patched version
>= 4.9.0, <= 4.9.6      4.9.7
>= 5.11.0, <= 5.11.6    5.11.7
>= 6.8.0, <= 6.8.1      6.8.2
>= 6.11.0, <= 6.11.1    6.11.2
>= 6.12.0, <= 6.12.4    6.12.5
>= 6.14.0, <= 6.14.2    6.14.3
>= 7.0.0, <= 7.0.2      7.0.3
= 7.3.0                 7.3.1

.NET SDK

  • .NET 8.0.126 SDK
  • .NET 8.0.420 SDK
  • .NET 9.0.116 SDK
  • .NET 9.0.313 SDK
  • .NET 10.0.106 SDK
  • .NET 10.0.202 SDK

Workarounds

N/A

References

GHSA-9r3h-v4hx-rhfr

Credit

splitline with DEVCORE

Severity

Low

CVE ID

No known CVE

Weaknesses

Insufficient Verification of Data Authenticity

The product does not sufficiently verify the origin or authenticity of data, in a way that causes it to accept invalid data.