CVE-2025-26646: Microsoft.Build.Tasks.Core .NET Spoofing Vulnerability
Microsoft is releasing this security advisory to provide information about a vulnerability in .NET 9.0.xxx and .NET 8.0.xxx SDK. This advisory also provides guidance on what developers can do to update their applications to address this vulnerability.
A vulnerability exists in .NET SDK or MSBuild applications where external control of file name or path allows an unauthorized attacker to perform spoofing over a network.
References
- github.com/advisories/GHSA-h4j7-5rxr-p4wc
- github.com/dotnet/announcements/issues/356
- github.com/dotnet/msbuild
- github.com/dotnet/msbuild/issues/11846
- github.com/dotnet/msbuild/security/advisories/GHSA-h4j7-5rxr-p4wc
- msrc.microsoft.com/update-guide/vulnerability/CVE-2025-26646
- nvd.nist.gov/vuln/detail/CVE-2025-26646