VULNERABILITY: CVE-2024-30105 - System.Text.Json (>=7.0.0 <=8.0.3)

[fmarkyy98]

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-30105

[leastprivilege]

What are you trying to say?

[josephdecock]

We've shared some thoughts on our approach to applying security patches before that you might find interesting:

• https://blog.duendesoftware.com/posts/20210213_security_patching/
• Updated System.IdentityModel.Tokens.Jwt and Microsoft.IdentityModel.JsonWebTokens to latest to address CVEs Duende.AccessTokenManagement#53 (comment)

The bottom line is that when there is a vulnerability in the dependency graph, we do generally update our dependency to address it. But, we can't just completely automate it away because we've historically seen lots of breaking changes and diamond dependency problems. Our approach to dependencies in general follows some sometimes conflicting goals:

• be as relaxed as possible to try to make our libraries as easily compatible as possible
• avoid dependencies that have known vulnerabilities

So yes, we will likely update our dependency on System.Text.Json in a future release. For now, you should consider installing System.Text.Json 8.0.4 manually.

[fmarkyy98]

@josephdecock thank you for this detailed explanation, I really appreciate it. Closing the issue, based on the answer you gave.