
Cloud Vulnerability DB
A community-led vulnerabilities database
A remote code execution vulnerability was identified in the Akka.NET package, tracked as GHSA-gpv5-rp6w-58r8. The vulnerability stems from a dependency on an outdated version of System.Configuration.ConfigurationManager (v4.7.0), which transitively depends on System.Common.Drawing v4.7.0. The issue affects Akka.NET versions below 1.4.46 and versions between 1.5.0-alpha1 and 1.5.0-alpha3. This vulnerability was published on November 15, 2022, and last updated on January 31, 2023 (GitHub Advisory).
The vulnerability is classified as having Moderate severity and is related to a remote code execution vulnerability in the System.Common.Drawing dependency (GHSA-ghhp-997w-qr28). The issue specifically involves the transitive dependency chain where the core Akka module depends on System.Configuration.ConfigurationManager v4.7.0, which in turn depends on the vulnerable System.Common.Drawing v4.7.0 (GitHub Advisory).
While the vulnerability enables remote code execution, the real-world impact has been assessed as low according to the advisory. However, users are still advised to upgrade to later versions of Akka.NET to ensure system security (GitHub Advisory).
The vulnerability has been patched in Akka.NET versions 1.4.46 and 1.5.0-alpha3. As a workaround, users can explicitly reference System.Configuration.ConfigurationManager's NuGet package and upgrade to version 6.0.1 or later without upgrading Akka.NET, though upgrading Akka.NET itself is recommended as the best solution (GitHub Advisory).
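The check below is an added example, not code from the advisory or from Akka.NET: it reads a project file's PackageReference entries and reports whether the Akka reference falls in the affected range and whether the ConfigurationManager workaround is in place. Assumptions: versions are exact strings in the Version attribute, the patched releases 1.4.46 and 1.5.0-alpha3 are treated as fixed, prerelease tags are compared as plain strings, and all function names and sample project files are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample project files (not taken from the advisory).
VULNERABLE = """<Project Sdk="Microsoft.NET.Sdk"><ItemGroup>
  <PackageReference Include="Akka" Version="1.4.45" />
</ItemGroup></Project>"""
WORKAROUND = """<Project Sdk="Microsoft.NET.Sdk"><ItemGroup>
  <PackageReference Include="Akka" Version="1.4.45" />
  <PackageReference Include="System.Configuration.ConfigurationManager" Version="6.0.1" />
</ItemGroup></Project>"""

def version_key(text):
    """Sortable key: numeric core first, then release > prerelease, then the tag."""
    core, _, pre = text.strip().partition("-")
    nums = tuple(int(part) for part in core.split("."))
    return (nums, 0 if pre else 1, pre)

def akka_affected(version):
    """Affected: below 1.4.46, or from 1.5.0-alpha1 up to (not including) 1.5.0-alpha3."""
    v = version_key(version)
    return (v < version_key("1.4.46")
            or version_key("1.5.0-alpha1") <= v < version_key("1.5.0-alpha3"))

def package_refs(csproj_text):
    """Map lower-cased package id -> version for every PackageReference element."""
    refs = {}
    for el in ET.fromstring(csproj_text).iter():
        # Strip an XML namespace if the project file declares one.
        if el.tag.rsplit("}", 1)[-1] == "PackageReference":
            name, version = el.get("Include"), el.get("Version")
            if name and version:
                refs[name.lower()] = version
    return refs

def assess(csproj_text):
    refs = package_refs(csproj_text)
    akka = refs.get("akka")
    if akka is None:
        return "not-applicable"
    if not akka_affected(akka):
        return "patched"
    # Workaround from the advisory: explicit ConfigurationManager >= 6.0.1.
    cm = refs.get("system.configuration.configurationmanager")
    if cm and version_key(cm) >= version_key("6.0.1"):
        return "mitigated-by-workaround"
    return "affected"

if __name__ == "__main__":
    for label, text in (("vulnerable", VULNERABLE), ("workaround", WORKAROUND)):
        print(label, "->", assess(text))
```

A direct PackageReference only covers projects that reference Akka themselves; projects that pull it in through another package need the resolved dependency graph checked instead.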
Source: This report was generated using AI