Entity Framework Core SQL Server Package Exposes eShop Demo to Seven Security Flaws via a Transitive Dependency
A software composition analysis (SCA) scan of the deltaHotelNine-Security-Demos/_demo_eShop_SCA repository has identified seven vulnerabilities reachable through the microsoft.entityframeworkcore.sqlserver.7.0.5.nupkg package, the most severe rated CVSS 8.8. The findings, recorded against commit a8031bc149a00a5a9a8174a98c957d42a9fc018a, do not sit in Entity Framework Core itself: the scanner traced a transitive dependency path from that package to microsoft.identitymodel.jsonwebtokens 6.32.3, and it is that package which carries the flaws.
The chain was traced from the FunctionalTests.csproj project file, which references the Entity Framework Core SQL Server package directly; the vulnerable artifact, restored transitively rather than declared anywhere in the project, is microsoft.identitymodel.jsonwebtokens.6.32.3.nupkg. A CVSS score of 8.8 falls in the high-severity band (7.0 to 8.9 under CVSS v3), signaling the potential for significant impact if the affected code paths are exploited. Transitive dependencies, components pulled in indirectly by other packages, are a recurring source of exposure: they do not appear in the project file, so they are easy to overlook in review, and they are only upgraded when the direct package that pulls them in is upgraded or an explicit override is added.
The exposure is relevant to any development or test environment that restores this version of the Entity Framework Core SQL Server library; the flagged project is a functional-test project, but the same resolved graph will appear wherever the package is referenced. While the flagged instance originates from a demo repository, the same package versions may appear in production-adjacent or legacy systems. Security teams should audit their .NET dependency trees, transitive packages included, for microsoft.identitymodel.jsonwebtokens 6.32.3 and any other version the advisories behind these findings list as affected, remediate by upgrading the direct dependency or adding an explicit reference to a fixed release so that NuGet's nearest-wins resolution overrides the transitive version, and ensure CI/CD pipelines fail on transitive vulnerabilities before deployment rather than only on direct ones.
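The audit described above can be done against the resolved graph that `dotnet restore` writes to obj/project.assets.json, which is the same data an SCA scanner walks to produce a path like the one reported here. The script below is an added example, not code from the scanned repository or from the scanner; the embedded assets document is constructed to mirror the reported chain, and the intermediate package (Microsoft.Data.SqlClient 5.0.1) and the fixed version it compares against are assumptions, not facts from the scan report.

```python
"""Trace how a vulnerable NuGet package reaches a .NET project through
transitive dependencies, using obj/project.assets.json (the restore graph).

Added example, not code from the scanned repository. SAMPLE_ASSETS is
constructed; the intermediate package and ASSUMED_FIXED_VERSION are
assumptions and should be replaced by the values in your own assets file
and in the advisory your scanner cites.
"""
import json
import sys

# Constructed, abridged stand-in for obj/project.assets.json.
SAMPLE_ASSETS = json.loads(r"""
{
  "version": 3,
  "targets": {
    "net7.0": {
      "Microsoft.EntityFrameworkCore.SqlServer/7.0.5": {"type": "package",
        "dependencies": {"Microsoft.Data.SqlClient": "5.0.1",
                         "Microsoft.EntityFrameworkCore.Relational": "7.0.5"}},
      "Microsoft.EntityFrameworkCore.Relational/7.0.5": {"type": "package",
        "dependencies": {"Microsoft.EntityFrameworkCore": "7.0.5"}},
      "Microsoft.EntityFrameworkCore/7.0.5": {"type": "package"},
      "Microsoft.Data.SqlClient/5.0.1": {"type": "package",
        "dependencies": {"Microsoft.IdentityModel.JsonWebTokens": "6.32.3",
                         "System.IdentityModel.Tokens.Jwt": "6.32.3"}},
      "Microsoft.IdentityModel.JsonWebTokens/6.32.3": {"type": "package",
        "dependencies": {"Microsoft.IdentityModel.Tokens": "6.32.3"}},
      "System.IdentityModel.Tokens.Jwt/6.32.3": {"type": "package",
        "dependencies": {"Microsoft.IdentityModel.JsonWebTokens": "6.32.3"}},
      "Microsoft.IdentityModel.Tokens/6.32.3": {"type": "package"},
      "xunit/2.4.2": {"type": "package"}
    }
  },
  "project": {"frameworks": {"net7.0": {"dependencies": {
      "Microsoft.EntityFrameworkCore.SqlServer": {"target": "Package", "version": "[7.0.5, )"},
      "xunit": {"target": "Package", "version": "[2.4.2, )"}}}}}
}
""")

ASSUMED_FIXED_VERSION = "6.34.0"  # assumption: use the version named in the advisory


def parse_version(v):
    """Comparable tuple for a NuGet version. Numeric parts compare numerically
    (padded to four places); a prerelease label sorts below the release it
    precedes (6.34.0-preview < 6.34.0). Label ordering is simplified to text."""
    core, _, pre = v.partition("-")
    nums = tuple(int(p) for p in core.split("."))
    nums += (0,) * (4 - len(nums))
    return (nums, 0 if pre else 1, pre)


def build_graph(assets, target_framework=None):
    """Return (direct, edges): direct is the set of 'Id/Version' keys declared
    in the project file; edges maps each key to its resolved dependency keys.
    NuGet ids are case-insensitive and restore picks one version per id."""
    tfm = target_framework or next(iter(assets["targets"]))
    resolved = {k: n for k, n in assets["targets"][tfm].items()
                if n.get("type") == "package"}
    by_id = {key.split("/")[0].lower(): key for key in resolved}
    edges = {key: [by_id[d.lower()] for d in node.get("dependencies", {})
                   if d.lower() in by_id]
             for key, node in resolved.items()}
    # Framework keys may carry a runtime id ("net7.0/win-x64"); the project
    # section is keyed by the bare TFM.
    declared = assets["project"]["frameworks"][tfm.split("/")[0]]["dependencies"]
    direct = {by_id[n.lower()] for n in declared if n.lower() in by_id}
    return direct, edges


def find_paths(assets, vulnerable_id, target_framework=None):
    """Every chain from a direct package to vulnerable_id, direct package first,
    shortest chains first. Depth-first with the path on the stack; the restore
    graph is acyclic, but the membership check guards against cycles anyway."""
    direct, edges = build_graph(assets, target_framework)
    want = vulnerable_id.lower()
    paths = []
    for start in sorted(direct):
        stack = [(start, [start])]
        while stack:
            key, path = stack.pop()
            if key.split("/")[0].lower() == want:
                paths.append(path)
                continue
            stack.extend((c, path + [c]) for c in edges.get(key, []) if c not in path)
    return sorted(paths, key=lambda p: (len(p), p))


def audit(assets, vulnerable_id, fixed_version, target_framework=None):
    """Chains whose resolved version of vulnerable_id is below fixed_version,
    as (resolved_version, path) pairs. Empty means nothing to fix."""
    return [(p[-1].split("/")[1], p)
            for p in find_paths(assets, vulnerable_id, target_framework)
            if parse_version(p[-1].split("/")[1]) < parse_version(fixed_version)]


if __name__ == "__main__":
    assets = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_ASSETS
    for version, path in audit(assets, "Microsoft.IdentityModel.JsonWebTokens",
                               ASSUMED_FIXED_VERSION):
        print(f"{version} < {ASSUMED_FIXED_VERSION}: " + " -> ".join(path))
```

Run it with the path to a project's obj/project.assets.json after `dotnet restore`; with no argument it walks the constructed sample and prints both chains that end at the 6.32.3 package. For a quick check without a script, `dotnet list package --include-transitive --vulnerable` reports the same class of finding from the SDK's own advisory feed, but it does not print the path, which is what you need to decide whether to bump the direct package or pin the transitive one.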