Defense in Depth update for NuGet Client
This update adds validation of the package ID and version during package download, in addition to the existing package signature validation.
Advisories for Nuget/NuGet.Protocol package
2026
2023
NuGet Client Remote Code Execution Vulnerability
NuGet Client Remote Code Execution Vulnerability
2022
NuGet Elevation of Privilege Vulnerability
Microsoft is releasing this security advisory to provide information about a vulnerability in .NET 7.0.0-rc, .NET 6.0, .NET Core 3.1, and NuGet (NuGet.exe, NuGet.Commands, NuGet.CommandLine, NuGet.Protocol). This advisory also provides guidance on what developers can do to update their applications to remove this vulnerability. A vulnerability exists in .NET 7.0.0-rc.1, .NET 6.0, .NET Core 3.1, and NuGet clients (NuGet.exe, NuGet.Commands, NuGet.CommandLine, NuGet.Protocol) where a malicious actor could cause a user …