GHSA-g4vj-cjjj-v7hg: Defense in Depth update for NuGet Client

April 14, 2026

This update adds validation of the package ID and version during package download, in addition to the existing package signature validation.

References

github.com/NuGet/NuGet.Client
github.com/NuGet/NuGet.Client/security/advisories/GHSA-g4vj-cjjj-v7hg
github.com/NuGet/NuGetGallery/security/advisories/GHSA-9r3h-v4hx-rhfr
github.com/advisories/GHSA-g4vj-cjjj-v7hg

Code Behaviors & Features

Detect and mitigate GHSA-g4vj-cjjj-v7hg with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →