NuGet Client, Security Feature Bypass, GHSA-9r3h-v4hx-rhfr (Low)

The NuGet client relied on package signature validation alone to establish the integrity of a downloaded package. It did not check that the package ID and version declared in the package's .nuspec metadata matched the package it had actually requested from the feed, so a crafted package whose declared identity differed from its file name, or from the requested ID and version, was accepted and processed as if it were the requested package.

This gap undermines the signature check without defeating it outright. A signature covers the content of the package that carries it and is bound to the identity declared inside that package, so a validly signed but different package (or a different, signed version of the same package) passes signature validation while the client treats it as the identity it asked for. An adversary can therefore substitute a package the client never requested without forging a signature.

Exploitation requires the ability to place a crafted package on a feed the client consumes, or to intercept the download from a man-in-the-middle position. When the client restores or downloads packages, it accepts the substituted package, which can lead to execution of unintended code on the developer machine or build agent and compromise of the development environment. The issue is rated low severity because of that prerequisite and because signature validation still rejects unsigned or tampered content.

The fix adds explicit validation of the package ID and version during download: the values read from the downloaded package must match the requested ones before the package is processed any further.

DailyCVE Form

Platform: NuGet client
Version: 4.9.0–7.3.0
Vulnerability: ID/version validation bypass
Severity: Low
Date: 2026‑04‑14

Prediction: Patched already

What Undercode Say

Check the NuGet client version (printed on the first line of the help output)
nuget help | head -n 1
List project package references that have known vulnerabilities
dotnet list package --vulnerable
Restore with detailed logging to see which package each feed actually served
nuget restore MySolution.sln -Verbosity detailed

Exploit

An attacker publishes to a feed (or injects on the wire) a package whose `.nuspec` declares a package ID or version different from the package file name and from what the client requested. A vulnerable NuGet client downloads it, validates the signature, and, because it never compares the declared ID and version against the requested ones, installs it under the requested identity. The result is substitution of arbitrary package content without breaking signature validation.
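The check that the fix describes above, and the mismatch the exploit relies on, as an added example in Python that is not the NuGet client's own code. It builds a constructed .nupkg in memory (a zip archive holding a .nuspec), reads the declared ID and version, and refuses the package when they do not match the identity that was requested. `Contoso.Utilities`, the version numbers and the placeholder file contents are constructed sample data, and `version_key` is a simplified stand-in for NuGet's version normalization, not the client's algorithm.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET


def make_nuspec(package_id, version):
    """Constructed minimal .nuspec for the example; real packages carry more metadata."""
    return (
        '<?xml version="1.0" encoding="utf-8"?>\n'
        '<package xmlns="http://schemas.microsoft.com/packaging/2013/05/nuspec.xsd">\n'
        "  <metadata>\n"
        f"    <id>{package_id}</id>\n"
        f"    <version>{version}</version>\n"
        "    <authors>example</authors>\n"
        "    <description>constructed sample package</description>\n"
        "  </metadata>\n"
        "</package>\n"
    )


def build_nupkg(nuspec_id, nuspec_version, nuspec_filename=None):
    """Build an in-memory .nupkg (a zip archive) whose .nuspec declares the given identity.
    nuspec_filename lets the example mimic a crafted package whose file name and metadata disagree."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(nuspec_filename or f"{nuspec_id}.nuspec", make_nuspec(nuspec_id, nuspec_version))
        zf.writestr("lib/netstandard2.0/placeholder.txt", "constructed payload")
    return buf.getvalue()


def _local(tag):
    """Strip the XML namespace so any nuspec schema version is accepted."""
    return tag.rsplit("}", 1)[-1]


def read_identity(nupkg_bytes):
    """Return (id, version) from the single root-level .nuspec in the archive; raise if absent or ambiguous."""
    with zipfile.ZipFile(io.BytesIO(nupkg_bytes)) as zf:
        nuspecs = [n for n in zf.namelist() if "/" not in n and n.lower().endswith(".nuspec")]
        if len(nuspecs) != 1:
            raise ValueError(f"expected exactly one root-level .nuspec, found {len(nuspecs)}")
        root = ET.fromstring(zf.read(nuspecs[0]))
    if _local(root.tag) != "package":
        raise ValueError("root element is not <package>")
    metadata = next((c for c in root if _local(c.tag) == "metadata"), None)
    if metadata is None:
        raise ValueError("no <metadata> element")
    fields = {_local(c.tag): (c.text or "").strip() for c in metadata}
    if not fields.get("id") or not fields.get("version"):
        raise ValueError("nuspec is missing <id> or <version>")
    return fields["id"], fields["version"]


# Simplified version grammar: up to four numeric segments, optional prerelease, optional build metadata.
_VERSION_RE = re.compile(
    r"^(\d+)(?:\.(\d+))?(?:\.(\d+))?(?:\.(\d+))?(?:-([0-9A-Za-z.-]+))?(?:\+[0-9A-Za-z.-]+)?$"
)


def version_key(version):
    """Comparison key: leading zeros dropped, a zero fourth segment dropped, build metadata ignored,
    prerelease label compared case-insensitively (a simplification of NuGet's normalization)."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unparseable version: {version!r}")
    major, minor, patch, rev, pre = m.groups()
    parts = [int(major), int(minor or 0), int(patch or 0)]
    if rev and int(rev) != 0:
        parts.append(int(rev))
    text = ".".join(str(p) for p in parts)
    return f"{text}-{pre.lower()}" if pre else text


def check_download(expected_id, expected_version, nupkg_bytes):
    """The check the fix adds: the downloaded package must declare the identity that was requested.
    Returns (ok, reason); run it before the package is extracted or installed."""
    try:
        actual_id, actual_version = read_identity(nupkg_bytes)
        if actual_id.lower() != expected_id.lower():
            return False, f"id mismatch: requested {expected_id}, package declares {actual_id}"
        if version_key(actual_version) != version_key(expected_version):
            return False, f"version mismatch: requested {expected_version}, package declares {actual_version}"
    except (ValueError, zipfile.BadZipFile, ET.ParseError) as exc:
        return False, f"rejected: {exc}"
    return True, "identity matches"


if __name__ == "__main__":
    good = build_nupkg("Contoso.Utilities", "1.2.3")
    print(check_download("contoso.utilities", "1.2.3.0", good))
    # Crafted package: the file name says Contoso.Utilities, the metadata says something else.
    spoofed = build_nupkg("Contoso.Utilities.Old", "1.0.0", nuspec_filename="Contoso.Utilities.nuspec")
    print(check_download("Contoso.Utilities", "1.2.3", spoofed))
```

The ID comparison is case-insensitive and the version comparison goes through a normalized key, because a feed may legitimately serve `contoso.utilities` `1.2.3.0` for a request of `Contoso.Utilities` `1.2.3`; anything that does not normalize to the requested identity, a malformed archive, or an archive with zero or several root .nuspec files is refused rather than guessed at.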

Protection from this CVE

  • Update NuGet client to any patched version: 4.9.7, 5.11.7, 6.8.2, 6.11.2, 6.12.5, 6.14.3, 7.0.3, or 7.3.1.
  • For .NET SDK users, update to the latest SDK version that includes the fixed NuGet client.
  • Use only trusted package feeds and enforce HTTPS to reduce man‑in‑the‑middle risk.
  • Enable package signature validation (for example by setting signatureValidationMode to require in NuGet.config together with a trustedSigners list) so that only packages signed by the signers you expect are restored.
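A NuGet.config that applies the last two points, added here as an illustration and not taken from the advisory or from the NuGet project. The feed name, the author name and the certificate fingerprint are placeholders to replace with your own values; the commented-out plain-HTTP source shows the weak setting next to its corrected form.

```xml
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <packageSources>
    <!-- Clear inherited sources so only the feeds listed here are used, and only over HTTPS. -->
    <clear />
    <add key="nuget.org" value="https://api.nuget.org/v3/index.json" />
    <!-- Weak setting (do not use): a plain-HTTP feed that a network attacker can rewrite.
    <add key="internal" value="http://feed.example.internal/nuget/v3/index.json" />
    -->
    <add key="internal" value="https://feed.example.internal/nuget/v3/index.json" />
  </packageSources>
  <config>
    <!-- "accept" (the default) only verifies signatures that happen to be present;
         "require" rejects packages that are unsigned or not signed by a trusted signer below. -->
    <add key="signatureValidationMode" value="require" />
  </config>
  <trustedSigners>
    <!-- Placeholder fingerprint: replace with the SHA-256 fingerprint of the real signing certificate. -->
    <author name="ExampleAuthor">
      <certificate fingerprint="0000000000000000000000000000000000000000000000000000000000000000"
                   hashAlgorithm="SHA256" allowUntrustedRoot="false" />
    </author>
  </trustedSigners>
</configuration>
```

Note that whether signatures are verified during restore on Linux and macOS depends on the SDK version and may need to be enabled explicitly; confirm it for your toolchain rather than assuming the Windows default applies.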

Impact

Successful exploitation lets an attacker replace a legitimate package with a different one of their choosing without failing signature validation. This can lead to arbitrary code execution on the developer's machine or in the build pipeline, compromising the development environment or introducing backdoors into the final application. The impact is limited to scenarios in which the attacker controls a package feed the client uses or can intercept its network traffic.

Sources:

Reported By: github.com
Extra Source Hub:
Undercode
