CVE-2021-46703: Code Injection

March 6, 2022 (updated November 7, 2023)

In the IsolatedRazorEngine component of Antaris RazorEngine through 4.5.1-alpha001, an attacker can execute arbitrary .NET code in a sandboxed environment (if users can externally control template contents).

References

github.com/Antaris/RazorEngine/issues/585
nvd.nist.gov/vuln/detail/CVE-2021-46703

Detect and mitigate CVE-2021-46703 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →