Skip to content

Bump Microsoft.*/System.* packages to 10.0.7 (CVE-2026-40372)#25313

Merged
EngincanV merged 4 commits intodevfrom
maliming/fix-data-protection-cve-40372
Apr 24, 2026
Merged

Bump Microsoft.*/System.* packages to 10.0.7 (CVE-2026-40372)#25313
EngincanV merged 4 commits intodevfrom
maliming/fix-data-protection-cve-40372

Conversation

@maliming
Copy link
Copy Markdown
Member

@maliming maliming commented Apr 23, 2026
edited
Loading

Fixes Microsoft Security Advisory CVE-2026-40372 — an ASP.NET Core DataProtection elevation-of-privilege issue affecting Microsoft.AspNetCore.DataProtection NuGet packages 10.0.0 - 10.0.6.

Bumps Microsoft.AspNetCore.DataProtection.StackExchangeRedis to 10.0.7 and aligns all related .NET 10 Microsoft.* / System.* packages to 10.0.7 to keep NuGet versions consistent and avoid NU1605 downgrade warnings. Also bumps Microsoft.AspNetCore.Components.WebView.Maui and Microsoft.Maui.Controls to 10.0.51.

Ref: dotnet/announcements#395

Copilot AI review requested due to automatic review settings April 23, 2026 02:52
@maliming maliming added the dependency-change Indicates a version change of a dependency (typically, upgrade) label Apr 23, 2026
@maliming maliming added this to the 10.4-preview milestone Apr 23, 2026
Copilot AI reviewed Apr 23, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Updates ABP templates and central package versions to .NET 10.0.7 to address CVE-2026-40372 (ASP.NET Core DataProtection EoP) and keep Microsoft/System package versions consistent.

Changes:

  • Bumped centrally-managed .NET 10 Microsoft.* / System.* package versions to 10.0.7 in Directory.Packages.props.
  • Updated multiple template .csproj files to reference 10.0.7 for the affected Microsoft packages (Hosting, EF Core Tools/Proxies, Components WASM packages, DataProtection Redis, etc.).
  • Added/updated the package version change log entry (docs).

Reviewed changes

Copilot reviewed 41 out of 41 changed files in this pull request and generated 3 comments.

Show a summary per file
File Description
templates/wpf/src/MyCompanyName.MyProjectName/MyCompanyName.MyProjectName.csproj Bumps Microsoft.Extensions.Hosting to 10.0.7 in WPF template.
templates/module/aspnet-core/test/MyCompanyName.MyProjectName.HttpApi.Client.ConsoleTestApp/MyCompanyName.MyProjectName.HttpApi.Client.ConsoleTestApp.csproj Bumps Microsoft.Extensions.Hosting to 10.0.7 in module console test app template.
templates/module/aspnet-core/test/MyCompanyName.MyProjectName.EntityFrameworkCore.Tests/MyCompanyName.MyProjectName.EntityFrameworkCore.Tests.csproj Bumps Microsoft.EntityFrameworkCore.Proxies to 10.0.7 in EF Core test template.
templates/module/aspnet-core/src/MyCompanyName.MyProjectName.Web/MyCompanyName.MyProjectName.Web.csproj Bumps Microsoft.Extensions.FileProviders.Embedded to 10.0.7 in module web template.
templates/module/aspnet-core/src/MyCompanyName.MyProjectName.Domain.Shared/MyCompanyName.MyProjectName.Domain.Shared.csproj Bumps Microsoft.Extensions.FileProviders.Embedded to 10.0.7 in module domain.shared template.
templates/module/aspnet-core/host/MyCompanyName.MyProjectName.Web.Unified/MyCompanyName.MyProjectName.Web.Unified.csproj Bumps Microsoft.EntityFrameworkCore.Tools to 10.0.7 in unified host template.
templates/module/aspnet-core/host/MyCompanyName.MyProjectName.Web.Host/MyCompanyName.MyProjectName.Web.Host.csproj Bumps Microsoft.AspNetCore.DataProtection.StackExchangeRedis to 10.0.7 in module web host template.
templates/module/aspnet-core/host/MyCompanyName.MyProjectName.HttpApi.Host/MyCompanyName.MyProjectName.HttpApi.Host.csproj Bumps JwtBearer/DataProtection.Redis/EF Tools to 10.0.7 in module HTTP API host template.
templates/module/aspnet-core/host/MyCompanyName.MyProjectName.Blazor.Server.Host/MyCompanyName.MyProjectName.Blazor.Server.Host.csproj Bumps Microsoft.EntityFrameworkCore.Tools to 10.0.7 in module Blazor Server host template.
templates/module/aspnet-core/host/MyCompanyName.MyProjectName.Blazor.Host/MyCompanyName.MyProjectName.Blazor.Host.csproj Bumps Microsoft.AspNetCore.Components.WebAssembly.Server to 10.0.7 in module Blazor host template.
templates/module/aspnet-core/host/MyCompanyName.MyProjectName.Blazor.Host.Client/MyCompanyName.MyProjectName.Blazor.Host.Client.csproj Bumps WASM + DevServer to 10.0.7 in module Blazor client template.
templates/module/aspnet-core/host/MyCompanyName.MyProjectName.AuthServer/MyCompanyName.MyProjectName.AuthServer.csproj Bumps DataProtection.Redis + EF Tools to 10.0.7 in module auth server template.
templates/maui/src/MyCompanyName.MyProjectName/MyCompanyName.MyProjectName.csproj Bumps Microsoft.Extensions.FileProviders.Embedded to 10.0.7 in MAUI template.
templates/console/src/MyCompanyName.MyProjectName/MyCompanyName.MyProjectName.csproj Bumps Microsoft.Extensions.Hosting to 10.0.7 in console template.
templates/app/aspnet-core/test/MyCompanyName.MyProjectName.HttpApi.Client.ConsoleTestApp/MyCompanyName.MyProjectName.HttpApi.Client.ConsoleTestApp.csproj Bumps Microsoft.Extensions.Hosting and Microsoft.Extensions.Http.Polly to 10.0.7 in app console test template.
templates/app/aspnet-core/src/MyCompanyName.MyProjectName.Web.Host/MyCompanyName.MyProjectName.Web.Host.csproj Bumps DataProtection.Redis to 10.0.7 in app web host template.
templates/app/aspnet-core/src/MyCompanyName.MyProjectName.HttpApi.Host/MyCompanyName.MyProjectName.HttpApi.Host.csproj Bumps JwtBearer + DataProtection.Redis to 10.0.7 in app HTTP API host template.
templates/app/aspnet-core/src/MyCompanyName.MyProjectName.EntityFrameworkCore/MyCompanyName.MyProjectName.EntityFrameworkCore.csproj Bumps EF Tools to 10.0.7 in app EF Core template.
templates/app/aspnet-core/src/MyCompanyName.MyProjectName.Domain.Shared/MyCompanyName.MyProjectName.Domain.Shared.csproj Bumps Microsoft.Extensions.FileProviders.Embedded to 10.0.7 in app domain.shared template.
templates/app/aspnet-core/src/MyCompanyName.MyProjectName.DbMigrator/MyCompanyName.MyProjectName.DbMigrator.csproj Bumps Microsoft.Extensions.Hosting to 10.0.7 in DbMigrator template.
templates/app/aspnet-core/src/MyCompanyName.MyProjectName.Blazor/MyCompanyName.MyProjectName.Blazor.csproj Bumps Microsoft.AspNetCore.Components.WebAssembly.Server to 10.0.7 in Blazor template.
templates/app/aspnet-core/src/MyCompanyName.MyProjectName.Blazor.WebApp/MyCompanyName.MyProjectName.Blazor.WebApp.csproj Bumps Microsoft.AspNetCore.Components.WebAssembly.Server to 10.0.7 in Blazor WebApp template.
templates/app/aspnet-core/src/MyCompanyName.MyProjectName.Blazor.WebApp.Tiered/MyCompanyName.MyProjectName.Blazor.WebApp.Tiered.csproj Bumps WASM Server + DataProtection.Redis to 10.0.7 in tiered Blazor WebApp template.
templates/app/aspnet-core/src/MyCompanyName.MyProjectName.Blazor.WebApp.Tiered.Client/MyCompanyName.MyProjectName.Blazor.WebApp.Tiered.Client.csproj Bumps WASM + DevServer to 10.0.7 in tiered Blazor WebApp client template.
templates/app/aspnet-core/src/MyCompanyName.MyProjectName.Blazor.WebApp.Client/MyCompanyName.MyProjectName.Blazor.WebApp.Client.csproj Bumps WASM + DevServer to 10.0.7 in Blazor WebApp client template.
templates/app/aspnet-core/src/MyCompanyName.MyProjectName.Blazor.Server/MyCompanyName.MyProjectName.Blazor.Server.csproj Bumps Microsoft.AspNetCore.Components.WebAssembly.Server to 10.0.7 in Blazor Server template.
templates/app/aspnet-core/src/MyCompanyName.MyProjectName.Blazor.Server.Tiered/MyCompanyName.MyProjectName.Blazor.Server.Tiered.csproj Bumps DataProtection.Redis to 10.0.7 in tiered Blazor Server template.
templates/app/aspnet-core/src/MyCompanyName.MyProjectName.Blazor.Client/MyCompanyName.MyProjectName.Blazor.Client.csproj Bumps WASM + DevServer to 10.0.7 in Blazor client template.
templates/app/aspnet-core/src/MyCompanyName.MyProjectName.AuthServer/MyCompanyName.MyProjectName.AuthServer.csproj Bumps DataProtection.Redis to 10.0.7 in app auth server template.
templates/app-nolayers/aspnet-core/MyCompanyName.MyProjectName.Mvc/MyCompanyName.MyProjectName.Mvc.csproj Bumps Embedded FileProvider + EF Tools to 10.0.7 in no-layers MVC template.
templates/app-nolayers/aspnet-core/MyCompanyName.MyProjectName.Mvc.Mongo/MyCompanyName.MyProjectName.Mvc.Mongo.csproj Bumps Embedded FileProvider to 10.0.7 in no-layers MVC Mongo template.
templates/app-nolayers/aspnet-core/MyCompanyName.MyProjectName.Host/MyCompanyName.MyProjectName.Host.csproj Bumps Embedded FileProvider + EF Tools to 10.0.7 in no-layers host template.
templates/app-nolayers/aspnet-core/MyCompanyName.MyProjectName.Host.Mongo/MyCompanyName.MyProjectName.Host.Mongo.csproj Bumps Embedded FileProvider to 10.0.7 in no-layers host Mongo template.
templates/app-nolayers/aspnet-core/MyCompanyName.MyProjectName.Blazor.WebAssembly/Shared/MyCompanyName.MyProjectName.Blazor.WebAssembly.Shared.csproj Bumps Embedded FileProvider to 10.0.7 in no-layers Blazor WASM shared template.
templates/app-nolayers/aspnet-core/MyCompanyName.MyProjectName.Blazor.WebAssembly/Server/MyCompanyName.MyProjectName.Blazor.WebAssembly.Server.csproj Bumps WASM Server + Embedded FileProvider + EF Tools to 10.0.7 in no-layers Blazor WASM server template.
templates/app-nolayers/aspnet-core/MyCompanyName.MyProjectName.Blazor.WebAssembly/Server.Mongo/MyCompanyName.MyProjectName.Blazor.WebAssembly.Server.Mongo.csproj Bumps WASM Server + Embedded FileProvider to 10.0.7 in no-layers Blazor WASM server Mongo template.
templates/app-nolayers/aspnet-core/MyCompanyName.MyProjectName.Blazor.WebAssembly/Client/MyCompanyName.MyProjectName.Blazor.WebAssembly.Client.csproj Bumps WASM + DevServer to 10.0.7 in no-layers Blazor WASM client template.
templates/app-nolayers/aspnet-core/MyCompanyName.MyProjectName.Blazor.Server/MyCompanyName.MyProjectName.Blazor.Server.csproj Bumps Embedded FileProvider + EF Tools to 10.0.7 in no-layers Blazor Server template.
templates/app-nolayers/aspnet-core/MyCompanyName.MyProjectName.Blazor.Server.Mongo/MyCompanyName.MyProjectName.Blazor.Server.Mongo.csproj Bumps Embedded FileProvider to 10.0.7 in no-layers Blazor Server Mongo template.
docs/en/package-version-changes.md Records the package version changes for the release notes.
Directory.Packages.props Central bump of .NET 10 Microsoft/System package versions to 10.0.7.

Comment thread Directory.Packages.props Outdated
Comment thread Directory.Packages.props
Comment thread Directory.Packages.props Outdated
@maliming maliming requested a review from Copilot April 23, 2026 03:24
Copilot AI reviewed Apr 23, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 41 out of 41 changed files in this pull request and generated 1 comment.

Comment thread Directory.Packages.props
@maliming maliming requested a review from EngincanV April 23, 2026 03:53
@EngincanV EngincanV merged commit 0a4d666 into dev Apr 24, 2026
5 checks passed
@EngincanV EngincanV deleted the maliming/fix-data-protection-cve-40372 branch April 24, 2026 07:14
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

@EngincanV EngincanV EngincanV approved these changes

Assignees

No one assigned

Labels

dependency-change Indicates a version change of a dependency (typically, upgrade)

Projects

None yet

Milestone

10.4-preview

Development

Successfully merging this pull request may close these issues.

3 participants

@maliming @EngincanV