Transitive Dependency Vulnerability: System.Net.Security 4.3.0 (High Severity GHSA IDs) blocks .NET builds #139

@joslat

Issue Description

Why reported here: This transitive dependency issue in Google.GenAI v0.6.0 was discovered while building Microsoft's official agent-framework repository, causing build failures due to TreatWarningsAsErrors=true.

See: https://github.com/microsoft/agent-framework/issues/2628

Issue Type: 🔴 Security Vulnerability - High Severity (via NuGet audit)
Affected Package: Google.GenAI 0.6.0 (transitive dep: System.Net.Security 4.3.0)

Vulnerabilities:

GHSA-6xh7-4v2w-36q6 (High)
GHSA-qhqf-ghgh-x2m4 (High)
GHSA-ch6p-4jcm-h8vh (Moderate)
GHSA-j8f4-2w4p-mhjc (Moderate)

Error during dotnet restore:
error NU1903: Package 'System.Net.Security' 4.3.0 has a known high severity vulnerability

Reproduction:

Clone https://github.com/microsoft/agent-framework
cd dotnet
dotnet restore (when targeting net8.0 and net9.0 frameworks)

Build fails on samples/GettingStarted/AgentProviders/Agent_With_GoogleGemini
Impact: Blocks builds in security-conscious environments (.NET 10.0, central package management)

Request:

Please update dependencies to System.Net.Security >=4.3.2 or provide workaround pinning.
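
One way to apply the pinning workaround the issue asks for, shown as an added example that is not from the issue author or either project. It assumes the consuming repository uses NuGet central package management with a `Directory.Packages.props` file at its root; the package names and versions are the ones given in the issue.

```xml
<!-- Directory.Packages.props at the repository root (assumed layout). -->
<Project>
  <PropertyGroup>
    <ManagePackageVersionsCentrally>true</ManagePackageVersionsCentrally>
    <!-- Lets a PackageVersion entry override a version that arrives only transitively. -->
    <CentralPackageTransitivePinningEnabled>true</CentralPackageTransitivePinningEnabled>
  </PropertyGroup>
  <ItemGroup>
    <!-- Direct dependency named in the issue. -->
    <PackageVersion Include="Google.GenAI" Version="0.6.0" />
    <!-- Transitive pin: raises System.Net.Security from 4.3.0 to the 4.3.2 floor the issue requests. -->
    <PackageVersion Include="System.Net.Security" Version="4.3.2" />
  </ItemGroup>
</Project>
```

In a project that does not use central package management, a direct `<PackageReference Include="System.Net.Security" Version="4.3.2" />` in the affected project has the same effect, because a direct reference takes precedence over the transitively resolved version. Re-run `dotnet restore` afterwards to confirm NU1903 is no longer raised for this package.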

Labels

priority: p3 (Desirable enhancement or fix. May not be included in next release.)
type: bug (Error or flaw in code with unintended results or allowing sub-optimal usage patterns.)
