Denial of service vulnerability in old version of castle core

[Havunen]

Describe the bug
Old version of castle core has vulnerable component. This seems to be fixed in the latest version.

✗ Regular Expression Denial of Service (ReDoS) [High Severity][https://snyk.io/vuln/SNYK-DOTNET-SYSTEMTEXTREGULAREXPRESSIONS-174708] in System.Text.RegularExpressions@4.3.0
introduced by NSubstitute@4.2.2 > Castle.Core@4.4.0 > System.Xml.XmlDocument@4.3.0 > System.Xml.ReaderWriter@4.3.0 > System.Text.RegularExpressions@4.3.0
This issue was fixed in versions: 4.3.1

[Havunen]

[Havunen]

This issue seems to be fixed in master branch already: 21f061b

But latest version in nuget is 4.2.2 @dtchepak

[Havunen]

It seems castle core 4.4.1 also has this vulnerability

Castle.Core@4.4.1
System.Xml.XmlDocument@4.3.0
System.Xml.ReaderWriter@4.3.0
System.Text.RegularExpressions@4.3.0

[Havunen]

This issue is related to castleproject/Core#602

[Havunen]

Because I couldn't find any fix to this I released my own version of NSubstitute and Castle.Core to nuget which target only .NET 5 and .NET 6 code.
They are available in: https://www.nuget.org/packages/NSubstituteNet6/ and https://www.nuget.org/packages/CastleCoreNet6/

[dtchepak]

Hi @Havunen ,
Does the release of 4.3.0 mitigate this issue? If so it it ok to close this?

[Havunen]

Unfortunately it does not, because it comes from castle.core and they are not making a new relese... I wonder how much it would take to change it to some alternative?

[Havunen]

castleproject/Core#609

[Havunen]

Blocked by: castleproject/Core#613

[Daeer-Projects]

What about including the updated NuGet packages for the vulnerable libraries? These would override the versions included with castleproject.

[304NotModified]

Castle core 5 has been released: https://github.com/castleproject/Core/releases/tag/v5.0.0