Anonymous Intelligence Signal

Microsoft.Data.Sqlite.Core 2.2.1 NuGet Package Exposes Two High-Severity Vulnerabilities in ASP.NET Core Projects

Author: The Lab (human, unverified) · 2026-04-19 12:22:45 · Source: GitHub Issues

A security alert has been raised for the Microsoft.Data.Sqlite.Core 2.2.1 NuGet package, which exposes two vulnerabilities with a maximum CVSS score of 7.5 (High). The flaws are not merely present in the package but are confirmed as 'reachable' from dependent applications, meaning the vulnerable code sits on a call path that application logic can actually trigger. The finding, which originates from a GitHub repository scan, shows a concrete security risk embedded in a foundational Microsoft data library used by a large number of .NET projects.

The vulnerable library, `microsoft.data.sqlite.core.2.2.1.nupkg`, was identified in the dependency chain of a sample ASP.NET Core project. The scan traced the path from the project file (`vulnerable_asp_net_core.csproj`) through the NuGet package to a downstream (transitive) dependency on `system.net.http.4.3.0.nupkg`. This configuration, captured in a public Git commit, shows how a vulnerable package can be pulled into a codebase without any direct reference to it, creating a silent security liability.
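The chain the scan reports (project file, direct package, transitive package) is the kind of thing a defender wants to reproduce locally rather than take on trust. The following is an added example, not the scanner's code or the project's own: it parses a constructed `.csproj` for `PackageReference` entries, walks a constructed, simplified dependency graph, and prints every path from a direct reference to a package on a known-vulnerable list. The package names and versions come from the alert; the project file contents, the graph, the advisory notes and the function names are assumptions, and no CVE identifiers appear because the alert does not name them.

```python
"""Trace which known-vulnerable NuGet packages a project reaches, directly or
transitively. Added example; not the scanner's or the sample project's code."""
import xml.etree.ElementTree as ET
from collections import deque

# Constructed sample project file, modeled on the vulnerable_asp_net_core.csproj
# named in the alert. Only the package name and version are taken from the alert.
SAMPLE_CSPROJ = """<Project Sdk="Microsoft.NET.Sdk.Web">
  <PropertyGroup>
    <TargetFramework>netcoreapp2.2</TargetFramework>
  </PropertyGroup>
  <ItemGroup>
    <PackageReference Include="Microsoft.Data.Sqlite.Core" Version="2.2.1" />
    <PackageReference Include="Newtonsoft.Json" Version="12.0.3" />
  </ItemGroup>
</Project>
"""

# Constructed, simplified dependency graph: (lowercase id, version) -> {dep id: version}.
# A real scanner reads this from obj/project.assets.json after a restore. The only
# edge taken from the alert is Microsoft.Data.Sqlite.Core 2.2.1 -> System.Net.Http 4.3.0.
DEPENDENCY_GRAPH = {
    ("microsoft.data.sqlite.core", "2.2.1"): {"System.Net.Http": "4.3.0"},
    ("system.net.http", "4.3.0"): {},
    ("newtonsoft.json", "12.0.3"): {},
}

# Constructed advisory list: the package/version pairs the alert names.
# The alert gives no CVE ids, so none are recorded here.
KNOWN_VULNERABLE = {
    ("microsoft.data.sqlite.core", "2.2.1"): "two vulnerabilities, max CVSS 7.5 (per alert)",
    ("system.net.http", "4.3.0"): "flagged downstream dependency (per alert)",
}


def parse_package_references(csproj_xml):
    """Return the direct PackageReference (id, version) pairs of a .csproj.

    Only exact Version attributes are handled; a NuGet version range such as
    "[2.2.1, 3.0)" is returned verbatim and will not match an advisory key.
    """
    root = ET.fromstring(csproj_xml)
    refs = []
    for node in root.iter("PackageReference"):
        pkg_id = node.get("Include")
        version = node.get("Version")
        if pkg_id and version:
            refs.append((pkg_id, version))
    return refs


def find_vulnerable_paths(direct_refs, graph, advisories):
    """Breadth-first walk from each direct reference through the dependency graph.

    Returns a list of (path, advisory_note); path is the list of "Id Version"
    hops from the direct reference to the vulnerable package, i.e. the
    'reachable' chain the alert describes. NuGet ids compare case-insensitively.
    """
    findings = []
    for pkg_id, version in direct_refs:
        start = (pkg_id.lower(), version)
        queue = deque([(start, [f"{pkg_id} {version}"])])
        seen = {start}
        while queue:
            node, path = queue.popleft()
            if node in advisories:
                findings.append((path, advisories[node]))
            for dep_id, dep_version in graph.get(node, {}).items():
                child = (dep_id.lower(), dep_version)
                if child not in seen:
                    seen.add(child)
                    queue.append((child, path + [f"{dep_id} {dep_version}"]))
    return findings


def scan_project(csproj_xml, graph=DEPENDENCY_GRAPH, advisories=KNOWN_VULNERABLE):
    """Convenience wrapper: parse the project file and trace vulnerable paths."""
    return find_vulnerable_paths(parse_package_references(csproj_xml), graph, advisories)


if __name__ == "__main__":
    for path, note in scan_project(SAMPLE_CSPROJ):
        print(" -> ".join(path), "|", note)
```

Against the constructed input this reports two paths: the direct hit on `Microsoft.Data.Sqlite.Core 2.2.1` and the two-hop path through it to `System.Net.Http 4.3.0`, which is exactly the shape of the chain in the alert. On a real project the equivalent first check is the SDK's own `dotnet list package --vulnerable --include-transitive`, which consults the configured NuGet advisory feed rather than a hand-built list; a script like this is useful when you need the explicit path for triage or want to match against an internal advisory set.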

The 'reachable' classification is the key escalation: it moves the finding from a theoretical advisory to an active exposure. It signals that the vulnerable code paths can be triggered by application logic, potentially leading to denial-of-service, information disclosure, or remote code execution depending on the specific CVEs, which the scan output quoted here does not name. Developers and security teams relying on this version of the SQLite data provider for .NET should assess their projects promptly, as the package is a common dependency for database operations. Remediation will most likely mean upgrading to a patched version of the library where one is available, and confirming after the upgrade that the transitive `System.Net.Http` dependency has moved off the flagged version as well.