
GHSA-6r78-m64m-qwcf
C# vulnerability analysis and mitigation

Overview

Moq versions 4.20.0-rc through 4.20.1 included a feature called SponsorLink that collected user data without consent. The vulnerability was discovered in August 2023 when it was found that the library was running an obfuscated DLL at build time that scanned local git config data and shared users' hashed email addresses with SponsorLink's remote servers, with no option to disable this functionality (GitHub Advisory).

Technical details

The vulnerability involved SponsorLink functionality that would execute during build time to collect git configuration data. Specifically, it would run 'git config --get user.email' to obtain the user's email address, hash it using SHA256, and transmit this data to Azure Blob storage. The implementation included checks for network availability and git configuration, but provided no opt-out mechanism (SponsorLink Blog).

Impact

The vulnerability raised significant privacy and security concerns, particularly regarding GDPR compliance, as it collected and transmitted personal information without user consent. The issue affected build processes and potentially exposed user email data, even in hashed form, to third-party servers. Additionally, it caused build performance impacts and could break builds in environments with restricted network access (GitHub Issues).

Mitigation and workarounds

The issue was resolved in Moq version 4.20.2, which completely removed the SponsorLink functionality. Users should upgrade to version 4.20.2 or later to ensure the data collection is no longer present. For those unable to upgrade immediately, the only workaround was to continue using versions prior to 4.20.0-rc (GitHub PR).
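As an added check (not code from the advisory or from the Moq project), the following script inventories Moq references in a .csproj file and a NuGet packages.lock.json and reports whether each version falls in the affected range 4.20.0-rc through 4.20.1, honouring NuGet's rule that a pre-release such as 4.20.0-rc sorts before the final 4.20.0. The sample project file and lock file are constructed for illustration.

```python
import json
import xml.etree.ElementTree as ET

AFFECTED_LOW = "4.20.0-rc"   # first Moq version that bundled SponsorLink
FIXED = "4.20.2"             # SponsorLink removed from this version on

def version_key(v):
    """Sort key honouring NuGet pre-release order: 4.20.0-rc < 4.20.0."""
    core, _, pre = v.strip().partition("-")
    nums = tuple(int(x) for x in core.split("."))   # ValueError if not a plain version
    return (nums, 0 if pre else 1, pre)

def is_affected(version):
    """True/False for a plain version; None when the string needs manual review."""
    try:
        key = version_key(version)
    except ValueError:
        return None   # e.g. a range such as "[4.20.0, )" or a wildcard
    return version_key(AFFECTED_LOW) <= key < version_key(FIXED)

def moq_versions_in_csproj(xml_text):
    """Collect versions from <PackageReference Include="Moq" .../> elements."""
    found = []
    for el in ET.fromstring(xml_text).iter():
        if el.tag.rsplit("}", 1)[-1] != "PackageReference":   # tolerate an xmlns
            continue
        if (el.get("Include") or "").lower() == "moq":
            found.append(el.get("Version") or el.findtext("Version") or "")
    return found

def moq_versions_in_lockfile(json_text):
    """Collect resolved Moq versions from a NuGet packages.lock.json."""
    deps = json.loads(json_text).get("dependencies", {})
    return [info["resolved"] for framework in deps.values()
            for name, info in framework.items() if name.lower() == "moq"]

def scan(csproj_text, lock_text):
    """Map each Moq version found to True (affected), False (clear) or None (review)."""
    versions = moq_versions_in_csproj(csproj_text) + moq_versions_in_lockfile(lock_text)
    return {v: is_affected(v) for v in versions if v}

# Constructed sample inputs (not taken from any real project).
SAMPLE_CSPROJ = """<Project Sdk="Microsoft.NET.Sdk">
  <ItemGroup>
    <PackageReference Include="Moq" Version="4.20.1" />
    <PackageReference Include="xunit" Version="2.4.2" />
  </ItemGroup>
</Project>"""
SAMPLE_LOCK = json.dumps({"version": 1, "dependencies": {"net6.0": {
    "Moq": {"type": "Direct", "requested": "[4.20.0-rc, )", "resolved": "4.20.0-rc"}}}})
```

Running `scan(SAMPLE_CSPROJ, SAMPLE_LOCK)` on the samples flags both 4.20.1 and 4.20.0-rc as affected; a version string the parser cannot interpret is returned as None so it can be reviewed by hand.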

Community reactions

The community reaction was overwhelmingly negative, with many developers expressing concerns about privacy violations and a breach of trust. The incident led numerous organizations to consider or implement replacements for Moq in their projects. The controversy sparked broader discussions about open-source sustainability and appropriate methods for supporting open-source projects (GitHub Issues).

This report was generated using AI.

Related C# vulnerabilities:

CVE ID           Severity  Score  Technologies  Component name           CISA KEV exploit  Has fix  Published date
CVE-2025-67288   CRITICAL  10     C#            Umbraco.Cms              No                No       Dec 22, 2025
CVE-2025-68618   HIGH      7.5    C#            ImageMagick              No                Yes      Dec 30, 2025
CVE-2025-68950   MEDIUM    6.2    C#            ImageMagick-devel-32bit  No                Yes      Dec 30, 2025
CVE-2025-67291   MEDIUM    6.1    C#            Piranha                  No                No       Dec 22, 2025
CVE-2025-67290   MEDIUM    6.1    C#            Piranha                  No                No       Dec 22, 2025
