By clicking "Accept", you agree to the storing of cookies on your device to enhance site navigation, analyze site usage, and assist in our marketing efforts. View our Privacy Policy for more information.

PreferencesRejectAccept
Manage Consent Preferences by Category
Essentials
Always active

Necessary for the site to function. Always On.

Used for targeted advertising.

Remembers your preferences and provides enhanced features.

Measures usage and improves your experience.

Reject AllAccept All
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.
View all Vulnerabilities

CVE-2025-21173

Creation of Temporary File in Directory with Insecure Permissions
Affects
.NET Runtime
>= 6.0.0 <= 6.0.36 >= 8.0.0 <= 8.0.11 <= 9.0.0
in
.NET
No items found.
Exclamation circle icon
Patch Available

This Vulnerability has been fixed in the Never-Ending Support (NES) version offered by HeroDevs

View NES Solution

Overview

.NET is a free, open-source, cross-platform framework for building modern apps and powerful cloud services. It consists of a runtime and a developer platform SDK made up of tools, programming languages, and libraries for building many different types of applications. 

A vulnerability (CVE-2025-21173) exists in the .NET SDK as a result of insecure temp file usage on Linux that allows local system privilege escalation by attackers. 

Per CWE-379: Creation of Temporary File in Directory with Insecure Permissions, is when a product creates a temporary file in a directory whose permissions allow unintended actors to determine the file's existence or otherwise access that file.

This issue affects Linux installations of .NET.

Additionally, if you've deployed self-contained applications targeting any of the impacted versions, these applications are also vulnerable and must be recompiled and redeployed.

Details

Module Info

  • Product: 
  • Any .NET 6.0 application running on Linux installations of .NET 6.0.36 or earlier.
  • Any .NET 8.0 application running on Linux installations of .NET 8.0.11 or earlier.
  • Any .NET 9.0 application running on Linux installations of .NET 9.0.0 or earlier.

Vulnerability Info

This High-severity vulnerability is found in the .NET SDK. This only affects .NET on Linux operating systems. An attacker could exploit this vulnerability to writing a specially crafted file in the security context of the local system.

Credits

  • Daniel Plaisted with Microsoft
  • Noah Gilson with Microsoft

Mitigation

.NET 6.x is End-of-Life and will not receive any updates to address this issue. For more information see .NET and .NET Core official support policy.

Users of the affected components should apply one of the following mitigations:

  • Upgrade affected applications to one of:
    • .NET >= 8.0.12
    • .NET >= 9.0.1
  • Leverage a commercial support partner like HeroDevs for post-EOL security support.

Pink arrow
Pink arrow
CVE-2024-35264
CVE-2024-38229
CVE-2025-21172
CVE-2025-21173
CVE-2025-21176
CVE-2025-24070
What is a HeroDevs Security Advisory?
Vulnerability Details
ID
CVE-2025-21173
PROJECT Affected
.NET Runtime
Versions Affected
>= 6.0.0 <= 6.0.36 >= 8.0.0 <= 8.0.11 <= 9.0.0
Published date
April 4, 2025
≈ Fix date
April 4, 2025
Fixed in
NES for .NET
Severity
High
Category
Creation of Temporary File in Directory with Insecure Permissions
Sign up for the latest vulnerability alerts fixed in
NES for .NET
Rss feed icon
Subscribe via RSS
or
Thanks for signing up for our Newsletter! We look forward to connecting with you.
Oops! Something went wrong while submitting the form.