GHSA-6q65-j4jw-9cg8 – dotvvm

Package

Manager: nuget
Name: dotvvm
Vulnerable Version: >=4.3.0-preview01-final <4.3.8 || >=5.0.0-preview01-final <5.0.0-preview03-final || >=0 <4.2.10

Severity

Level: High

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

EPSS: N/A pctlN/A

Details

DotVVM allows path traversal when deployed in Debug mode ### Description There is a path traversal vulnerability in any DotVVM application started in Debug mode, if at least one resource with the `FileResourceLocation` has been added. The vulnerability allows an attacker to read arbitrary files from the filesystem accessible by the web application (i.e. appsettings.json or other files containing secrets). ### Patches The bug is patched in versions **4.2.10**, **4.3.8** and **5.0.0-preview03-final** (and newer). Apart from updating DotVVM, it is also recommend invalidating any secrets which could have been leaked by an application deployed in Debug mode (such as database passwords). ### Workarounds If you cannot update to a patched version, avoid running a publicly accessible DotVVM application in Debug mode (Development environment in Asp.Net Core). It is recommend adding the following statement to the DotvvmStartup class: ``` config.Debug = false; // TODO: workaround for GHSA-6q65-j4jw-9cg8, remove after updating DotVVM ```

Metadata

Created: 2025-06-19T14:40:30Z
Modified: 2025-06-19T14:40:30Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/06/GHSA-6q65-j4jw-9cg8/GHSA-6q65-j4jw-9cg8.json
CWE IDs: ["CWE-22"]
Alternative ID: N/A
Finding: F063
Auto approve: 1