Medium-Severity (CVSS 6.8) Vulnerability Reaches Widespread .NET Package via Microsoft IdentityModel OpenID Connect Dependency Chain
A security vulnerability with a CVSS score of 6.8, which falls in the Medium band of the CVSS v3 scale (4.0 to 6.9), has been identified in the dependency tree of the widely used Microsoft.IdentityModel.Protocols.OpenIdConnect NuGet package, version 6.10.2. The flaw, which the automated scanner flagged as unreachable from the analysed application code, does not sit in the OpenID Connect package itself but in the transitive dependency Microsoft.IdentityModel.JsonWebTokens.6.10.2.nupkg, which the OpenID Connect package pulls in for JWT handling. Because that library is shared across the Microsoft identity stack, the exposure extends to the many .NET and ASP.NET Core applications that rely on this package family for authentication and token handling, often without ever referencing JsonWebTokens directly.
The vulnerability was pinpointed in a sample project's dependency chain, specifically within the `/vulnerable_asp_net_core/vulnerable_asp_net_core.csproj` file. The scanner traced the resolution path from that project reference to the vulnerable library sitting in the standard NuGet package cache. Its presence in a public GitHub repository commit (692d7a90b62dbe37131ca50c8c726495b4c0f88b) demonstrates how a single direct package reference silently brings in a flawed transitive dependency, with developers typically unaware that the library is even part of their build. The 'unreachable' classification means the scanner found no call path from the application's own code to the vulnerable function in that particular build. This lowers the likelihood of exploitation but does not eliminate it: reachability analysis is static, is specific to the code that was analysed, and can be invalidated by a later change, a different call site, or a code path the analyser could not model. The vulnerable version remains in the deployed dependency set and should be upgraded regardless of the reachability verdict.
This finding places immediate pressure on development and security teams across the .NET ecosystem to audit their dependencies, including transitive ones, since the affected library rarely appears as a direct reference. Organizations resolving this package version for OpenID Connect and JWT processing should assess their exposure and move to a patched version of the JsonWebTokens library. Although the score is Medium rather than Critical, the flaw's location in a fundamental Microsoft authentication library signals a systemic risk: a single vulnerable version of a shared identity component can surface in enterprise applications, cloud services, and internal systems that all depend on the same trusted security stack for identity management.
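The following is an added example, not code from the article, the scanner, or the Microsoft IdentityModel project. It shows one way to reproduce the scanner's dependency-path finding offline: walk the NuGet restore graph that `dotnet restore` writes to `obj/project.assets.json`, and report every path from a direct project reference down to a flagged package whose resolved version is below a fix threshold. The embedded assets document is a constructed, trimmed sample whose package names and versions mirror those named above (the OpenID Connect package reaching JsonWebTokens through System.IdentityModel.Tokens.Jwt is the chain assumed here); the fix version passed as `fixed_in` is a placeholder, since the article does not state one, and should be taken from the vendor advisory.

```python
import json
import sys
from typing import Dict, List, Tuple

# Constructed sample of a project.assets.json (the NuGet restore graph that
# `dotnet restore` writes under obj/). Only the fields the walker needs are
# kept. The dependency chain below is an assumption for illustration; real
# files carry additional "compile"/"runtime" sections that are ignored here.
SAMPLE_ASSETS = json.dumps({
    "version": 3,
    "targets": {
        "net6.0": {
            "Microsoft.IdentityModel.Protocols.OpenIdConnect/6.10.2": {
                "type": "package",
                "dependencies": {
                    "Microsoft.IdentityModel.Protocols": "6.10.2",
                    "System.IdentityModel.Tokens.Jwt": "6.10.2",
                },
            },
            "Microsoft.IdentityModel.Protocols/6.10.2": {
                "type": "package",
                "dependencies": {"Microsoft.IdentityModel.Tokens": "6.10.2"},
            },
            "System.IdentityModel.Tokens.Jwt/6.10.2": {
                "type": "package",
                "dependencies": {
                    "Microsoft.IdentityModel.JsonWebTokens": "6.10.2",
                    "Microsoft.IdentityModel.Tokens": "6.10.2",
                },
            },
            "Microsoft.IdentityModel.JsonWebTokens/6.10.2": {
                "type": "package",
                "dependencies": {"Microsoft.IdentityModel.Tokens": "6.10.2"},
            },
            "Microsoft.IdentityModel.Tokens/6.10.2": {"type": "package"},
        }
    },
    # Direct references from the .csproj, as restore records them.
    "projectFileDependencyGroups": {
        "net6.0": ["Microsoft.IdentityModel.Protocols.OpenIdConnect >= 6.10.2"]
    },
})


def parse_version(v: str) -> Tuple[int, ...]:
    """Numeric tuple for a NuGet version; a pre-release suffix is dropped."""
    return tuple(int(p) for p in v.split("-", 1)[0].split("."))


def load_graph(assets_json: str, framework: str):
    """Return (resolved versions, dependency edges, direct references)."""
    data = json.loads(assets_json)
    resolved: Dict[str, str] = {}
    edges: Dict[str, List[str]] = {}
    for key, entry in data["targets"][framework].items():
        name, version = key.split("/", 1)
        resolved[name] = version  # restore resolves exactly one version per target
        edges[name] = list(entry.get("dependencies", {}).keys())
    direct = [spec.split()[0] for spec in data["projectFileDependencyGroups"][framework]]
    return resolved, edges, direct


def find_paths(assets_json: str, framework: str, package: str, fixed_in: str) -> List[List[str]]:
    """Every path from a direct reference down to `package`, if its resolved
    version is older than `fixed_in`. An empty list means no exposure."""
    resolved, edges, direct = load_graph(assets_json, framework)
    if package not in resolved or parse_version(resolved[package]) >= parse_version(fixed_in):
        return []
    paths: List[List[str]] = []

    def walk(node: str, path: List[str]) -> None:
        if node == package:
            paths.append(path)
            return
        for dep in edges.get(node, []):
            if dep not in path:  # restore graphs should be acyclic; guard anyway
                walk(dep, path + [dep])

    for d in direct:
        walk(d, [d])
    return paths


def report(assets_json: str, framework: str, package: str, fixed_in: str) -> List[str]:
    """Human-readable 'name/version -> ...' lines for each exposed path."""
    resolved, _, _ = load_graph(assets_json, framework)
    return [" -> ".join(f"{n}/{resolved[n]}" for n in p)
            for p in find_paths(assets_json, framework, package, fixed_in)]


if __name__ == "__main__":
    # Usage: python audit.py [path/to/obj/project.assets.json]
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_ASSETS
    # "6.10.3" is a placeholder threshold (assumption); use the advisory's fix version.
    for line in report(text, "net6.0", "Microsoft.IdentityModel.JsonWebTokens", "6.10.3"):
        print("exposed:", line)
```

As a first-line check before running anything custom, `dotnet list package --vulnerable --include-transitive` queries the NuGet advisory feed for the same restore graph; the script above is for environments where that command cannot reach the feed, or where the exact resolution path (which direct reference dragged the flagged library in) is what the remediation ticket needs.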