Description
Vulnerable Library - microsoft.visualstudio.web.codegeneration.design.9.0.0.nupkg
Path to dependency file: /DotNetWebhookCodeSnippets/DotnetWebhookCodeSnippets.csproj
Path to vulnerable library: /home/wss-scanner/.nuget/packages/microsoft.build/17.10.4/microsoft.build.17.10.4.nupkg
Found in HEAD commit: 3edaf92a0a3aa3d7441e08d996d889594d4650f6
Vulnerabilities
| Vulnerability | Severity | Exploit Maturity | EPSS | Dependency | Type | Fixed in (microsoft.visualstudio.web.codegeneration.design.9.0.0.nupkg version) | Remediation Possible** | Reachability |
|---|---|---|---|---|---|---|---|---|
| CVE-2025-55247 | 7.3 | Unproven | 0.0% | microsoft.build.17.10.4.nupkg | Transitive | N/A* | ❌ | |

*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation.
Details
CVE-2025-55247
Vulnerable Library - microsoft.build.17.10.4.nupkg
This package contains the Microsoft.Build assembly which is used to create, edit, and evaluate MSBuild projects.
Library home page: https://api.nuget.org/packages/microsoft.build.17.10.4.nupkg
Path to dependency file: /DotNetWebhookCodeSnippets/DotnetWebhookCodeSnippets.csproj
Path to vulnerable library: /home/wss-scanner/.nuget/packages/microsoft.build/17.10.4/microsoft.build.17.10.4.nupkg
Dependency Hierarchy:
- microsoft.visualstudio.web.codegeneration.design.9.0.0.nupkg (Root Library)
- microsoft.visualstudio.web.codegenerators.mvc.9.0.0.nupkg
- microsoft.visualstudio.web.codegeneration.9.0.0.nupkg
- ❌ microsoft.build.17.10.4.nupkg (Vulnerable Library)
- microsoft.visualstudio.web.codegeneration.9.0.0.nupkg
- microsoft.visualstudio.web.codegenerators.mvc.9.0.0.nupkg
Found in HEAD commit: 3edaf92a0a3aa3d7441e08d996d889594d4650f6
Found in base branch: master
Reachability Analysis
This vulnerability is potentially reachable
DotnetCliCodeSnippets.Messages.WhatsApp.SendWhatsAppMtm (Application)
-> Vonage.Request.Credentials (Extension)
-> Vonage.Common.Failures.AuthenticationFailure (Extension)
-> System.Runtime.CompilerServices.IsReadOnlyAttribute (Extension)
-> ❌ Microsoft.CodeAnalysis.EmbeddedAttribute (Vulnerable Component)
Vulnerability Details
Improper link resolution before file access ('link following') in .NET allows an authorized attacker to elevate privileges locally.
Publish Date: 2025-10-14
URL: CVE-2025-55247
Threat Assessment
Exploit Maturity: Unproven
EPSS: 0.0%
CVSS 3 Score Details (7.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Local
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: Required
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: GHSA-w3q9-fxm7-j8fq
Release Date: 2025-10-14
Fix Resolution: Microsoft.Build.Tasks.Core - 18.0.0-preview-25476-107, Microsoft.Build - 17.14.28, Microsoft.Build - 17.10.46, Microsoft.Build.Tasks.Core - 17.10.46, Microsoft.Build.Tasks.Core - 17.14.28, Microsoft.Build.Tasks.Core - 17.11.48, Microsoft.Build - 17.11.48, Microsoft.Build - 17.8.43, Microsoft.Build.Tasks.Core - 17.8.43, Microsoft.Build.Tasks.Core - 17.12.50, Microsoft.Build.Utilities.Core - 17.11.48, Microsoft.Build.Utilities.Core - 17.8.43