Fluid Attacks Database

Description

A remote code execution vulnerability in .NET 8.0 and 9.0. An attacker who can place malicious files in specific locations may trigger unintended code execution when the .NET runtime loads these files.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
nuget	microsoft.netcore.app.runtime.linux-musl-arm64	>=9.0.0 <9.0.6 \|\| >=8.0.0 <8.0.17	9.0.6, 8.0.17
nuget	microsoft.netcore.app.runtime.win-arm64	>=9.0.0 <9.0.6 \|\| >=8.0.0 <8.0.17	9.0.6, 8.0.17
nuget	microsoft.netcore.app.runtime.win-x64	>=9.0.0 <9.0.6 \|\| >=8.0.0 <8.0.17	9.0.6, 8.0.17
nuget	microsoft.netcore.app.runtime.win-x86	>=9.0.0 <9.0.6 \|\| >=8.0.0 <8.0.17	9.0.6, 8.0.17
nuget	microsoft.netcore.app.runtime.linux-musl-arm	>=9.0.0 <9.0.6 \|\| >=8.0.0 <8.0.17	9.0.6, 8.0.17
nuget	microsoft.netcore.app.runtime.linux-arm	>=9.0.0 <9.0.6 \|\| >=8.0.0 <8.0.17	9.0.6, 8.0.17
nuget	microsoft.netcore.app.runtime.linux-musl-x64	>=9.0.0 <9.0.6 \|\| >=8.0.0 <8.0.17	9.0.6, 8.0.17
nuget	microsoft.netcore.app.runtime.osx-x64	>=9.0.0 <9.0.6 \|\| >=8.0.0 <8.0.17	9.0.6, 8.0.17
nuget	microsoft.netcore.app.runtime.linux-arm64	>=9.0.0 <9.0.6 \|\| >=8.0.0 <8.0.17	9.0.6, 8.0.17
nuget	microsoft.netcore.app.runtime.linux-x64	>=9.0.0 <9.0.6 \|\| >=8.0.0 <8.0.17	9.0.6, 8.0.17

1-10 of 21

Aliases

1. CVE-2025-303992. NVD-2025-303993. OSV-2025-303994. GHSA-266m-wp2v-x7mq5. GCVE-2025-30399

References

1. https://github.com/dotnet/runtime/security/advisories/GHSA-266m-wp2v-x7mq2. https://github.com/dotnet/runtime/issues/1164953. https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-303994. https://www.cve.org/CVERecord?id=CVE-2025-30399