Overview
.NET is a free, open-source, cross-platform framework for building modern apps and powerful cloud services. It consists of a runtime and a developer platform SDK made up of tools, programming languages, and libraries for building many different types of applications.
A vulnerability (CVE-2025-21173) exists in the .NET SDK as a result of insecure temp file usage on Linux that allows a local attacker to escalate privileges on the system.
Per CWE-379 (Creation of Temporary File in Directory with Insecure Permissions), this weakness arises when a product creates a temporary file in a directory whose permissions allow unintended actors to determine the file's existence or otherwise access that file.
This issue affects Linux installations of .NET.
Additionally, if you've deployed self-contained applications targeting any of the impacted versions, these applications are also vulnerable and must be recompiled and redeployed.
Details
Module Info
- Product:
  - Any .NET 6.0 application running on Linux installations of .NET 6.0.36 or earlier.
  - Any .NET 8.0 application running on Linux installations of .NET 8.0.11 or earlier.
  - Any .NET 9.0 application running on Linux installations of .NET 9.0.0 or earlier.
- Affected packages:
  - Microsoft.NetCore.App.Runtime.linux-arm
  - Microsoft.NetCore.App.Runtime.linux-arm64
  - Microsoft.NetCore.App.Runtime.linux-musl-arm
  - Microsoft.NetCore.App.Runtime.linux-musl-arm64
  - Microsoft.NetCore.App.Runtime.linux-musl-x64
  - Microsoft.NetCore.App.Runtime.linux-x64
- Affected versions:
  - >= 6.0.0 <= 6.0.36
  - >= 8.0.0 <= 8.0.11
  - <= 9.0.0
- GitHub repository: https://github.com/dotnet/sdk
- Published packages: Download .NET (Linux, macOS, and Windows)
- Package manager:
  - NuGet
  - Windows Installer
  - Docker
- Fixed in: .NET - Never-Ending Support (NES) | HeroDevs v6.1.0
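A quick inventory check against the affected version ranges above, added here as an example and not part of the advisory or the .NET project. It parses the output of `dotnet --list-runtimes` (the sample listing is constructed) and reports any shared Microsoft.NETCore.App runtime that still falls inside an affected range; prerelease builds are treated as sorting below their final release, as semver does.

```python
import re
import subprocess

LINE_RE = re.compile(r"^(?P<name>\S+) (?P<version>\S+) \[(?P<path>[^\]]*)\]$")

def parse_version(text):
    """'8.0.11' -> (8, 0, 11, 1); '9.0.0-rc.2' -> (9, 0, 0, 0), so a prerelease sorts below its release."""
    base, _, prerelease = text.partition("-")
    major, minor, patch = (int(p) for p in base.split("."))
    return (major, minor, patch, 0 if prerelease else 1)

# Inclusive ranges from the advisory: >= 6.0.0 <= 6.0.36, >= 8.0.0 <= 8.0.11, <= 9.0.0 (9.0 line).
# Lower bounds use flag 0 so prereleases of the first affected version are included too.
AFFECTED_RANGES = [
    ((6, 0, 0, 0), parse_version("6.0.36")),
    ((8, 0, 0, 0), parse_version("8.0.11")),
    ((9, 0, 0, 0), parse_version("9.0.0")),
]

def is_affected(version):
    """True when a Microsoft.NETCore.App version tuple falls inside an affected range."""
    return any(lo <= version <= hi for lo, hi in AFFECTED_RANGES)

def vulnerable_runtimes(listing):
    """Return [(version_string, install_path)] for installed NETCore.App runtimes that are affected."""
    hits = []
    for line in listing.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m.group("name") != "Microsoft.NETCore.App":
            continue  # ASP.NET Core / desktop runtimes are listed too; the advisory names NETCore.App packages
        if is_affected(parse_version(m.group("version"))):
            hits.append((m.group("version"), m.group("path")))
    return hits

def scan_local_machine():
    """Run `dotnet --list-runtimes` on this host and return the affected runtimes it reports."""
    out = subprocess.run(["dotnet", "--list-runtimes"], capture_output=True, text=True, check=True).stdout
    return vulnerable_runtimes(out)

# Constructed sample in the format `dotnet --list-runtimes` prints on a Linux host.
SAMPLE_LIST_RUNTIMES = """\
Microsoft.AspNetCore.App 8.0.11 [/usr/share/dotnet/shared/Microsoft.AspNetCore.App]
Microsoft.NETCore.App 6.0.36 [/usr/share/dotnet/shared/Microsoft.NETCore.App]
Microsoft.NETCore.App 8.0.11 [/usr/share/dotnet/shared/Microsoft.NETCore.App]
Microsoft.NETCore.App 8.0.12 [/usr/share/dotnet/shared/Microsoft.NETCore.App]
Microsoft.NETCore.App 9.0.1 [/usr/share/dotnet/shared/Microsoft.NETCore.App]
"""

if __name__ == "__main__":
    for version, path in vulnerable_runtimes(SAMPLE_LIST_RUNTIMES):
        print(f"affected: Microsoft.NETCore.App {version} at {path}")
```

This only finds shared runtimes; self-contained applications bundle their own copy of the runtime and do not appear in `dotnet --list-runtimes`, so they must be tracked through their build inputs and redeployed as the advisory states.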
Vulnerability Info
This High-severity vulnerability is found in the .NET SDK. It only affects .NET on Linux operating systems. An attacker could exploit this vulnerability to write a specially crafted file in the security context of the local system.
Credits
- Daniel Plaisted with Microsoft
- Noah Gilson with Microsoft
Mitigation
.NET 6.x is End-of-Life and will not receive any updates to address this issue. For more information, see the .NET and .NET Core official support policy.
Users of the affected components should apply one of the following mitigations:
- Upgrade affected applications to one of:
  - .NET >= 8.0.12
  - .NET >= 9.0.1
- Leverage a commercial support partner like HeroDevs for post-EOL security support.