Dependency Scan Exposes Two Vulnerabilities in TheWheel.OpenXml 1.0.0, System.IO.Packaging 8.0.0 in Scope
A WhiteSource security scan has identified two vulnerabilities associated with TheWheel.OpenXml version 1.0.0, with the highest assessed severity reaching 7.5 on the CVSS scale. The findings stem from the library's dependency on System.IO.Packaging version 8.0.0, a NuGet package that sits within the software supply chain of the affected project. The vulnerable package paths were traced to multiple instances of the vulnerable artifact located in the scanner's local NuGet cache directory.
The exposure was detected during a scan of the test project at /TheWheel.Tests/TheWheel.Tests.csproj, where the flagged version of System.IO.Packaging was pulled in as a transitive dependency. While the test project itself may not be deployed in production environments, its dependency graph reflects the same vulnerable components present in any downstream application that consumes TheWheel.OpenXml 1.0.0. The duplication of the package path in the scanner output suggests that the artifact was cached or referenced more than once during the build or audit process.
Software supply chain risks tied to outdated or vulnerable NuGet packages remain a persistent concern for .NET development teams. Projects depending on TheWheel.OpenXml should evaluate whether System.IO.Packaging 8.0.0 is referenced directly or pulled in indirectly through this dependency, assess exposure based on deployment context, and monitor for available patches or version updates. The severity level of 7.5 indicates a medium-to-high risk that could be exploited under specific conditions, particularly if the affected code paths handle untrusted input or operate in high-privilege contexts.
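One way to perform that direct-versus-transitive check from NuGet's own restore output, as an added example that is not part of the scan report or of the TheWheel project: the script below reads a project.assets.json (here a constructed, trimmed sample; the Example.Reporting package is hypothetical) and lists every dependency chain that resolves to System.IO.Packaging 8.0.0.

```python
import json

# Constructed sample shaped like NuGet's project.assets.json (only the fields read
# below). Ids/versions follow the scan finding; Example.Reporting is hypothetical.
SAMPLE_ASSETS = json.dumps({
    "targets": {"net8.0": {
        "TheWheel.OpenXml/1.0.0": {"type": "package", "dependencies": {"System.IO.Packaging": "8.0.0"}},
        "System.IO.Packaging/8.0.0": {"type": "package"},
        "Example.Reporting/2.1.0": {"type": "package", "dependencies": {"TheWheel.OpenXml": "1.0.0"}},
    }},
    "project": {"frameworks": {"net8.0": {"dependencies": {
        "TheWheel.OpenXml": {"target": "Package", "version": "[1.0.0, )"},
        "Example.Reporting": {"target": "Package", "version": "[2.1.0, )"},
    }}}},
})


def paths_to_package(assets_text, framework, target_id, target_version):
    """Return every chain ['Direct/ver', ..., 'target/ver'] through which the
    flagged version is pulled in. A one-element chain means a direct reference;
    an empty result means that exact version is not in the resolved graph."""
    data = json.loads(assets_text)
    # NuGet ids are case-insensitive: key by lowercase, keep the canonical id for output.
    resolved = {}
    for key, entry in data["targets"][framework].items():
        if entry.get("type") != "package":          # skip project-to-project references
            continue
        pkg_id, version = key.split("/", 1)
        deps = [d.lower() for d in entry.get("dependencies", {})]
        resolved[pkg_id.lower()] = (pkg_id, version, deps)
    tid = target_id.lower()
    if tid not in resolved or resolved[tid][1] != target_version:
        return []
    chains = []

    def walk(pkg, path):
        if pkg == tid:
            chains.append([f"{resolved[p][0]}/{resolved[p][1]}" for p in path])
            return
        for dep in sorted(resolved[pkg][2]):
            if dep in resolved and dep not in path:  # path check guards against cycles
                walk(dep, path + [dep])

    direct = data["project"]["frameworks"][framework]["dependencies"]
    for d in sorted(x.lower() for x in direct):
        if d in resolved:
            walk(d, [d])
    return chains
```

Point it at obj/project.assets.json of the scanned project after a restore; for the sample above every chain runs through TheWheel.OpenXml 1.0.0, so the fix is an upstream update rather than a direct reference change.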