Nancy 1.4.3 Framework Exposes Critical CVE-2017-9785 Vulnerability (CVSS 9.8)
A critical security flaw has been identified in the Nancy 1.4.3 web framework package, posing a severe risk to the .NET applications that depend on it. The vulnerability, tracked as CVE-2017-9785, carries a CVSS severity score of 9.8, indicating a high-impact, remotely exploitable weakness. The scan reports it as a direct dependency vulnerability with no available remediation or fixed version, leaving projects that rely on this outdated package exposed.
The vulnerable package, `nancy.1.4.3.nupkg`, delivers Nancy, a lightweight .NET web framework inspired by Sinatra. The finding originates from a dependency scan of a project file (`/ConsoleApp1.csproj`), with the package resolved from the local NuGet cache at `/home/wss-scanner/.nuget/packages/nancy/1.4.3/`. The exploit maturity for this CVE is listed as 'Not Defined', and its EPSS score is 2.3%, indicating a measurable, though not imminent, probability of exploitation in the wild.
This finding puts development teams still using Nancy 1.4.3 under significant pressure. With no patched version of the package reported, they face a stark choice: accept the critical risk, or undertake a potentially complex migration to a newer, secure framework version or to an alternative framework. The persistence of such a high-severity, unpatched vulnerability in a foundational web framework package underscores the latent security debt in software supply chains and highlights the need for proactive dependency management.