Anonymous Intelligence Signal

CVE-2024-21907: Newtonsoft.Json 10.0.3 Dependency Exposes eShopOnContainers Webhooks.API to a High-Severity (CVSS 7.5) Denial-of-Service Risk

human The Lab unverified 2026-05-14 07:48:27 Source: GitHub Issues

A security vulnerability has been identified in the Newtonsoft.Json 10.0.3 dependency pulled in transitively through the Microsoft.AspNetCore.HealthChecks 1.0.0 library, affecting the eShopOnContainers project's Webhooks.API component. The flaw carries a CVSS score of 7.5, which is High severity under CVSS v3 (the impact is on availability, not confidentiality or integrity). CVE-2024-21907 is a mishandling-of-exceptional-conditions bug in Newtonsoft.Json before 13.0.1: crafted, deeply nested JSON passed to JsonConvert.DeserializeObject can trigger a StackOverflowException, which cannot be caught in .NET and terminates the process, so the practical outcome is denial of service rather than code execution or data disclosure. The vulnerability was discovered through automated scanning in commit 58162be7965e66c71394dab67f66ed3d7cfaaef5, with the vulnerable package located at /home/wss-scanner/.nuget/packages/newtonsoft.json/10.0.3/newtonsoft.json.10.0.3.nupkg. Two distinct vulnerabilities are associated with this dependency path, with CVE-2024-21907 being the primary identifier flagged in the scan report.

The affected component traces through the Webhooks.API.csproj dependency chain. The scan attributes the 10.0.3 version to the HealthChecks package rather than to a direct reference, so it will not appear in a review of the project's own PackageReference entries alone; only a transitive dependency listing exposes it. Newtonsoft.Json is one of the most widely deployed .NET serialization libraries, and weaknesses in it matter most where the library parses untrusted JSON input, which is exactly what a webhook endpoint does: it accepts HTTP request bodies from external senders. The eShopOnContainers repository, a reference implementation for microservices architecture, uses this library within its webhook service infrastructure.

Organizations using the eShopOnContainers Webhooks.API component should upgrade the Newtonsoft.Json dependency to 13.0.1 or later, the first release that resolves CVE-2024-21907 (that release also makes a reader depth limit of 64 the default). Remediation is marked as possible in the scan findings, though whether a newer Microsoft.AspNetCore.HealthChecks package references a fixed Newtonsoft.Json, or whether the version must instead be lifted with a direct reference in Webhooks.API.csproj, requires confirmation from Microsoft's official security advisories. Development teams should audit their NuGet dependency trees, including transitive packages, and prioritize patching this exposure in production environments; until the upgrade lands, any code path that deserializes untrusted JSON should set an explicit MaxDepth as an interim control.
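The following is an added example, not code from eShopOnContainers or from the Newtonsoft.Json project, illustrating both the weakness described above (unbounded nesting accepted by the default reader settings of affected versions) and the interim control recommended for remediation (an explicit MaxDepth). The class name, helper names and the constructed payloads are this example's own; the Newtonsoft.Json APIs used (JsonSerializerSettings.MaxDepth, JsonConvert.DeserializeObject, JsonException) are real.

```csharp
// Added example (not eShopOnContainers or Newtonsoft.Json code).
// Demonstrates why Newtonsoft.Json < 13.0.1 is a DoS risk on untrusted JSON
// and how an explicit MaxDepth turns the failure into a catchable exception.
using System;
using Newtonsoft.Json;
using Newtonsoft.Json.Linq;

static class NestedJsonDepthDemo
{
    // Constructed payload: `depth` nested arrays, e.g. "[[[[]]]]" for depth 4.
    public static string DeepPayload(int depth) =>
        new string('[', depth) + new string(']', depth);

    // Parses `json` into a JToken with the given depth limit.
    // maxDepth == null means "no limit", which is what Newtonsoft.Json 10.0.3
    // does by default; 13.0.1 and later default to 64.
    // Returns true if the document was accepted, false if it was rejected.
    public static bool TryParse(string json, int? maxDepth, out string error)
    {
        var settings = new JsonSerializerSettings { MaxDepth = maxDepth };
        try
        {
            JsonConvert.DeserializeObject<JToken>(json, settings);
            error = null;
            return true;
        }
        catch (JsonException ex)   // JsonReaderException / JsonSerializationException
        {
            // e.g. "The reader's MaxDepth of 64 has been exceeded. Path '...'"
            error = ex.Message;
            return false;
        }
    }

    static void Main()
    {
        string legit = "[[[1, 2, 3]]]";          // depth 3: normal webhook data
        string deep  = DeepPayload(200);          // depth 200: nobody sends this legitimately

        // Unbounded reader (the 10.0.3 default): both documents are accepted.
        // On affected versions, a payload a few orders of magnitude deeper than
        // this is what the advisory describes as exhausting the thread stack;
        // the resulting StackOverflowException is not catchable and kills the
        // process, which is the denial of service behind CVE-2024-21907.
        Console.WriteLine($"unbounded, legit: {TryParse(legit, null, out _)}");   // True
        Console.WriteLine($"unbounded, deep : {TryParse(deep, null, out _)}");    // True

        // Bounded reader (the interim control, and the 13.0.1+ default):
        // legitimate data still parses, the hostile document is rejected
        // with an ordinary exception the endpoint can map to HTTP 400.
        Console.WriteLine($"bounded,   legit: {TryParse(legit, 64, out _)}");     // True
        Console.WriteLine($"bounded,   deep : {TryParse(deep, 64, out var err)}"); // False
        Console.WriteLine($"  reason: {err}");
    }
}
```

The durable fix is the package upgrade: adding a direct `<PackageReference Include="Newtonsoft.Json" Version="13.0.1" />` to Webhooks.API.csproj lifts the transitive 10.0.3 version, because NuGet resolves a direct reference over a lower transitive one. `dotnet list package --vulnerable --include-transitive`, run in the project directory, is the quickest way to confirm that the transitive chain flagged by the scanner is gone after the change.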