Microsoft is releasing this security advisory to provide information about a vulnerability in .NET 8.0.xxx, .NET 9.0.xxx and .NET 10.0.xxx. This advisory also provides guidance on what developers can do to update their environments to remove this vulnerability.
A vulnerability exists in .NET where predictable paths for MSBuild's temporary directories on Linux let another user create the directories ahead of MSBuild, leading to DoS of builds. This only affects .NET on Linux operating systems.
The announcement for this issue can be found at https://github.com/dotnet/announcements/issues/370
Projects which do not utilize the DownloadFile build task are not susceptible to this vulnerability.
The vulnerability affects any Microsoft .NET Core project that uses any of the affected package versions listed below.

Package name | Affected version | Patched version
------------ | ---------------- | ---------------
Microsoft.Build.Tasks.Core | 17.15.0-preview-25277-114 <br />>= 17.14.0, <= 17.14.8 <br />>= 17.12.0, <= 17.12.36 <br />>= 17.11.0, <= 17.11.31 <br />>= 17.10.0, <= 17.10.29 <br />>= 17.8.0, <= 17.8.29 | 18.0.0-preview-25476-107 <br />17.14.28 <br />17.12.50 <br />17.11.48 <br />17.10.46 <br />17.8.43

CVSS 3.1 base score: 7.3 (CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H)
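
A triage check built from the affected-version table and the DownloadFile condition above, as an added example that is not part of Microsoft's advisory: it flags a project only when both conditions hold. The function names and the sample project are constructed for illustration, and judging other prerelease builds by their numeric part is an assumption.

```python
import re
import xml.etree.ElementTree as ET

# Affected Microsoft.Build.Tasks.Core ranges, copied from the advisory table.
AFFECTED_RANGES = [
    ((17, 14, 0), (17, 14, 8)),
    ((17, 12, 0), (17, 12, 36)),
    ((17, 11, 0), (17, 11, 31)),
    ((17, 10, 0), (17, 10, 29)),
    ((17, 8, 0), (17, 8, 29)),
]
AFFECTED_EXACT = {"17.15.0-preview-25277-114"}

# Constructed sample project (not from the advisory) that calls DownloadFile.
SAMPLE_PROJECT = """<Project Sdk="Microsoft.NET.Sdk">
  <Target Name="FetchTool" BeforeTargets="Build">
    <DownloadFile SourceUrl="https://example.invalid/tool.zip" DestinationFolder="obj" />
  </Target>
</Project>"""


def is_affected_version(version):
    """True if the version is listed as affected in the advisory table."""
    version = version.strip()
    if version in AFFECTED_EXACT:
        return True
    # Assumption: other prerelease builds are judged by their numeric part,
    # which errs toward flagging (e.g. 17.14.0-preview is treated as 17.14.0).
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unrecognised version: {version!r}")
    v = tuple(int(p) for p in m.groups())
    return any(lo <= v <= hi for lo, hi in AFFECTED_RANGES)


def uses_download_file(project_xml):
    """True if this MSBuild file invokes the DownloadFile task."""
    root = ET.fromstring(project_xml)
    # Old-style projects carry an XML namespace; compare the local name only.
    return any(el.tag.rsplit("}", 1)[-1] == "DownloadFile" for el in root.iter())


def needs_update(version, project_xml):
    """Both advisory conditions hold: affected package and DownloadFile use."""
    return is_affected_version(version) and uses_download_file(project_xml)


if __name__ == "__main__":
    print(needs_update("17.14.8", SAMPLE_PROJECT))
```

The scan sees only the file it is given; tasks invoked from imported .targets or .props files need the same check.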