
Cloud Vulnerability DB
An open project to list all known cloud vulnerabilities and Cloud Service Provider security issues
A path traversal vulnerability (GHSA-6q65-j4jw-9cg8) was discovered in DotVVM applications when running in Debug mode with at least one resource using FileResourceLocation. The vulnerability affects multiple versions including <=4.3.7, 5.0.0-preview01-final, and 5.0.0-preview02-final, with patches available in versions 4.2.10, 4.3.8, and 5.0.0-preview03-final. The issue was published and last updated on June 19, 2025 (GitHub Advisory).
The vulnerability has been assigned a High severity rating with a CVSS score of 7.5. The CVSS metrics indicate it can be exploited over the network (Attack Vector: Network) with low complexity (Attack Complexity: Low), requires no privileges (Privileges Required: None) or user interaction (User Interaction: None). The scope is unchanged, with high impact on confidentiality but no impact on integrity or availability. The vulnerability is classified as CWE-22 (GitHub Advisory).
The vulnerability enables attackers to read arbitrary files from the filesystem that are accessible by the web application. This includes sensitive files such as appsettings.json and other files containing secrets like database passwords (GitHub Advisory).
For immediate mitigation, it is recommended to avoid running publicly accessible DotVVM applications in Debug mode (Development environment in ASP.NET Core). A temporary workaround involves adding 'config.Debug = false;' to the DotvvmStartup class. For a permanent fix, users should update to the patched versions (4.2.10, 4.3.8, or 5.0.0-preview03-final). Additionally, it is strongly recommended to invalidate any secrets that could have been potentially leaked by applications deployed in Debug mode (GitHub Advisory).
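To find deployments that still need the update, the following added example (not code from the advisory or the DotVVM project) reads a project file and classifies DotVVM package references against the version list above. The package ids, the sample project file and the reading of the ranges (4.2.x fixed from 4.2.10, everything else from 4.3.8) are assumptions of this example.

```python
import re
import xml.etree.ElementTree as ET

# Version data comes from the advisory text above. The range logic is this
# example's reading of it: 4.2.x is fixed from 4.2.10, other lines from 4.3.8.
AFFECTED_PREVIEWS = {"5.0.0-preview01-final", "5.0.0-preview02-final"}
PATCHED_PREVIEW = "5.0.0-preview03-final"
# Assumed NuGet package ids carrying the framework version (not named on the page).
PACKAGES = {"dotvvm", "dotvvm.aspnetcore", "dotvvm.owin"}

def classify(version):
    """Return 'affected', 'patched' or 'unknown' for one DotVVM version string."""
    v = version.strip().lower()
    if v in AFFECTED_PREVIEWS:
        return "affected"
    if v == PATCHED_PREVIEW:
        return "patched"
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(-[0-9a-z.-]+)?", v)
    if not m:
        return "unknown"  # floating ranges, MSBuild properties, empty values
    core, prerelease = tuple(int(x) for x in m.group(1, 2, 3)), m.group(4)
    if core >= (5, 0, 0):
        # Other 5.0.0 prereleases are not listed on the page: do not guess.
        return "unknown" if prerelease and core == (5, 0, 0) else "patched"
    fixed = (4, 2, 10) if core[:2] == (4, 2) else (4, 3, 8)
    if core < fixed:
        return "affected"
    return "unknown" if prerelease and core == fixed else "patched"

def audit_csproj(xml_text):
    """Return (package, version, status) for each DotVVM PackageReference."""
    findings = []
    for el in ET.fromstring(xml_text).iter():
        name, tag = el.get("Include", ""), el.tag.rsplit("}", 1)[-1]
        if tag != "PackageReference" or name.lower() not in PACKAGES:
            continue
        version = el.get("Version") or next(  # attribute or child element
            (c.text or "" for c in el if c.tag.rsplit("}", 1)[-1] == "Version"), "")
        findings.append((name, version, classify(version)))
    return findings

# Constructed sample project file, not taken from a real application.
SAMPLE = """<Project Sdk="Microsoft.NET.Sdk.Web">
  <ItemGroup>
    <PackageReference Include="DotVVM.AspNetCore" Version="4.3.7" />
    <PackageReference Include="DotVVM" Version="4.2.10" />
    <PackageReference Include="Newtonsoft.Json" Version="13.0.3" />
  </ItemGroup>
</Project>"""
```

An "affected" result still needs the Debug setting checked, since the advisory ties exposure to Debug mode with at least one resource using FileResourceLocation.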
Source: This report was generated using AI