Remote Code Execution security vulnerability through transitive dependency on system.text.encodings.web

[adrian-ubalde]

Hello RazorLight team 👋 ,

A recent security vulnerability scan of my application (which has a dependency on RazorLight@2.0.0-rc.3) via the Snyk scan tool, has detected a Remote Code Execution security vulnerability (please see attached screenshot for details).

There is a security vulnerability on the system.text.encodings.web package (detailed here on the Snyk website and in the dotnet website) which the RazorLight@2.0.0-rc.3 package has a transitive dependency on (via direct dependencies on Microsoft.AspNetCore.Html.Abstractions@2.1.0, Microsoft.AspNetCore.Hosting.Abstractions@2.1.0, Microsoft.AspNetCore.Razor.Runtime@2.1.0, Microsoft.AspNetCore.Razor.Runtime@2.1.0).

I was looking to see if there is an available patch for this vulnerability on the Nuget website but I didn't see one. I'm wondering if there are any plans to create a patch for this vulernability?

Thank you in advance.

Kind regards,
Adrian