eShopOnContainers Fork Exposes Test Environment to CVE-2024-21907 via Vulnerable Newtonsoft.Json Dependency
A development fork of the popular eShopOnContainers e-commerce reference architecture has been flagged for carrying a known high-severity vulnerability in its test-suite dependencies. WhiteSource security scanning detected Newtonsoft.Json version 12.0.2, a package with a documented CVSS score of 7.5, packaged within the microsoft.net.test.sdk.16.8.3.nupkg artifact at the time of the scan.
The vulnerability, tracked as CVE-2024-21907, resides in the Ordering.UnitTests project component located at /src/Services/Ordering/Ordering.UnitTests/Ordering.UnitTests.csproj. The scan located the vulnerable package within the NuGet cache structure at /home/wss-scanner/.nuget/packages/newtonsoft.json/12.0.2/newtonsoft.json.12.0.2.nupkg. The exposure was detected against HEAD commit 58162be7965e66c71394dab67f66ed3d7cfaaef5 in the repository maintained by developer Hieunc-NT.
While test dependencies typically do not execute in production environments, vulnerable libraries in development tooling still pose supply chain risks: they run during build processes and artifact generation, and they can be pulled transitively into downstream containers. The presence of an unpatched Newtonsoft.Json build rated CVSS 7.5 points to outdated test infrastructure, which could expose build pipelines to exploitation if the vulnerable code path is exercised, or referenced by other components, during CI/CD workflows.