The referenced MessagePack has a known vulnerability

[davesmits]

In

aspnetcore/eng/Versions.props

Line 297 in 4b8269f

<MessagePackVersion>2.5.108</MessagePackVersion>

the reference to MessagePack is a version (2.5.108) with a known vulnerability https://osv.dev/vulnerability/GHSA-4qm4-8hg2-g2xm

I noticed the .NET 9RC2 still links this package with vulnerability. Is the reference going to be updated to version where this is fixed? (>=
2.5.187)?

[wtgodbe]

Thanks for the report - we'll get this fixed for 9.0 RTM

[wtgodbe]

#58556 ports the fix to 9.0

[AnthonyMastrean]

Any chance of patching the 8.0 release (is that LTS along with .NET)?

[wtgodbe]

Sure - #58676. That will miss the November patch but will go out in the next one