.NET and Visual Studio Remote Code Execution Vulnerability
Description
Untrusted search path in .NET and Visual Studio allows an unauthorized attacker to execute code over a network.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
.NET and Visual Studio untrusted search path vulnerability allows an unauthorized attacker to execute code over a network by placing files in specific locations.
CVE-2025-30399 is an untrusted search path vulnerability affecting .NET 8.0, .NET 9.0, and Visual Studio. The root cause is that the application searches for required resources in locations that an attacker may be able to control, leading to the loading of unintended files. This vulnerability is classified as a remote code execution issue over a network [1][2].
An attacker can exploit this vulnerability by placing malicious files in particular locations on the system. The attack is performed over a network, meaning the attacker does not require local access to the vulnerable machine. No mitigating factors have been identified by Microsoft, indicating that any affected application exposed to an untrusted network path is at risk [1][2].
If successfully exploited, the attacker can achieve unintended code execution within the context of the .NET application. This could lead to full compromise of the application, data access, or lateral movement within the network. The impact is considered high, as it bypasses standard security boundaries for network-based interactions [1][2].
Microsoft has released patches for the affected component packages. For .NET 8.0, the vulnerable versions are 8.0.16 and earlier, with the fix included in version 8.0.17. For .NET 9.0, versions 9.0.5 and earlier are affected, and the patch is in version 9.0.6. Developers should update their applications to use the patched packages immediately [1][2].
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| Microsoft.NetCore.App.Runtime.linux-arm (NuGet) | >= 9.0.0, < 9.0.6 | 9.0.6 |
| Microsoft.NetCore.App.Runtime.linux-arm64 (NuGet) | >= 9.0.0, < 9.0.6 | 9.0.6 |
| Microsoft.NetCore.App.Runtime.linux-musl-arm (NuGet) | >= 9.0.0, < 9.0.6 | 9.0.6 |
| Microsoft.NetCore.App.Runtime.linux-musl-arm64 (NuGet) | >= 9.0.0, < 9.0.6 | 9.0.6 |
| Microsoft.NetCore.App.Runtime.linux-musl-x64 (NuGet) | >= 9.0.0, < 9.0.6 | 9.0.6 |
| Microsoft.NetCore.App.Runtime.linux-x64 (NuGet) | >= 9.0.0, < 9.0.6 | 9.0.6 |
| Microsoft.NetCore.App.Runtime.osx-arm64 (NuGet) | >= 9.0.0, < 9.0.6 | 9.0.6 |
| Microsoft.NetCore.App.Runtime.osx-x64 (NuGet) | >= 9.0.0, < 9.0.6 | 9.0.6 |
| Microsoft.NetCore.App.Runtime.win-arm (NuGet) | >= 9.0.0, < 9.0.6 | 9.0.6 |
| Microsoft.NetCore.App.Runtime.win-arm64 (NuGet) | >= 9.0.0, < 9.0.6 | 9.0.6 |
| Microsoft.NetCore.App.Runtime.win-x64 (NuGet) | >= 9.0.0, < 9.0.6 | 9.0.6 |
| Microsoft.NetCore.App.Runtime.win-x86 (NuGet) | >= 9.0.0, < 9.0.6 | 9.0.6 |
| Microsoft.NetCore.App.Runtime.linux-arm (NuGet) | >= 8.0.0, < 8.0.17 | 8.0.17 |
| Microsoft.NetCore.App.Runtime.linux-arm64 (NuGet) | >= 8.0.0, < 8.0.17 | 8.0.17 |
| Microsoft.NetCore.App.Runtime.linux-musl-arm (NuGet) | >= 8.0.0, < 8.0.17 | 8.0.17 |
| Microsoft.NetCore.App.Runtime.linux-musl-arm64 (NuGet) | >= 8.0.0, < 8.0.17 | 8.0.17 |
| Microsoft.NetCore.App.Runtime.linux-musl-x64 (NuGet) | >= 8.0.0, < 8.0.17 | 8.0.17 |
| Microsoft.NetCore.App.Runtime.linux-x64 (NuGet) | >= 8.0.0, < 8.0.17 | 8.0.17 |
| Microsoft.NetCore.App.Runtime.osx-arm64 (NuGet) | >= 8.0.0, < 8.0.17 | 8.0.17 |
| Microsoft.NetCore.App.Runtime.osx-x64 (NuGet) | >= 8.0.0, < 8.0.17 | 8.0.17 |
| Microsoft.NetCore.App.Runtime.win-arm (NuGet) | >= 8.0.0, < 8.0.17 | 8.0.17 |
| Microsoft.NetCore.App.Runtime.win-arm64 (NuGet) | >= 8.0.0, < 8.0.17 | 8.0.17 |
| Microsoft.NetCore.App.Runtime.win-x64 (NuGet) | >= 8.0.0, < 8.0.17 | 8.0.17 |
| Microsoft.NetCore.App.Runtime.win-x86 (NuGet) | >= 8.0.0, < 8.0.17 | 8.0.17 |
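The following check is an added example, not part of the advisory or of Microsoft's tooling: it applies the ranges in the table above to a host's installed shared runtimes. It assumes the input is the text printed by `dotnet --list-runtimes`, one `<name> <version> [<directory>]` entry per line; the function name and the sample listing are constructed for illustration.

```python
import re

# Fixed versions per release band, from the affected-packages table above.
FIXED = {(8, 0): (8, 0, 17), (9, 0): (9, 0, 6)}

# Assumed line format of `dotnet --list-runtimes`:
#   <framework name> <version> [<install directory>]
# Prerelease versions (e.g. 9.0.0-rc.1) do not match and are skipped; they sort
# below x.y.0 and so fall outside the table's ">= x.y.0" ranges.
LINE = re.compile(r"^(\S+)\s+(\d+)\.(\d+)\.(\d+)\s+\[(.+)\]$")

def audit_runtimes(listing):
    """Return one finding per installed Microsoft.NETCore.App runtime whose
    version lies inside an affected range (>= x.y.0, < fixed)."""
    findings = []
    for raw in listing.splitlines():
        m = LINE.match(raw.strip())
        if not m or m.group(1).lower() != "microsoft.netcore.app":
            continue  # other shared frameworks are not in the table
        ver = tuple(int(g) for g in m.group(2, 3, 4))
        fixed = FIXED.get(ver[:2])
        if fixed is not None and ver < fixed:
            findings.append({
                "version": ".".join(map(str, ver)),
                "fixed": ".".join(map(str, fixed)),
                "path": m.group(5),
            })
    return findings

# Constructed sample listing (not captured from a real host).
SAMPLE = """\
Microsoft.AspNetCore.App 8.0.16 [/usr/share/dotnet/shared/Microsoft.AspNetCore.App]
Microsoft.NETCore.App 6.0.36 [/usr/share/dotnet/shared/Microsoft.NETCore.App]
Microsoft.NETCore.App 8.0.16 [/usr/share/dotnet/shared/Microsoft.NETCore.App]
Microsoft.NETCore.App 8.0.17 [/usr/share/dotnet/shared/Microsoft.NETCore.App]
Microsoft.NETCore.App 9.0.5 [/usr/share/dotnet/shared/Microsoft.NETCore.App]
"""

if __name__ == "__main__":
    for f in audit_runtimes(SAMPLE):
        print(f"{f['version']} at {f['path']} -> update to {f['fixed']}")
```

Runtimes install side by side, so an affected version can remain listed after the patched one is added. Self-contained deployments bundle their own runtime and do not appear in this listing.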
Affected products
osv-coords, 47 versions (no CPE):

| Package | Affected range |
|---|---|
| pkg:apk/chainguard/dotnet-bootstrap-8 | < 8.0.18-r0 |
| pkg:apk/chainguard/dotnet-bootstrap-9 | < 9.0.109-r0 |
| pkg:apk/wolfi/dotnet-bootstrap-8 | < 8.0.18-r0 |
| pkg:apk/wolfi/dotnet-bootstrap-9 | < 9.0.109-r0 |
| pkg:bitnami/dotnet | >= 8.0.0, < 8.0.18 |
| pkg:bitnami/dotnet-sdk | >= 8.0.0, < 8.0.101 |
| pkg:bitnami/powershell | >= 7.4.0, < 7.4.11 |
| pkg:nuget/microsoft.netcore.app.runtime.linux-arm | >= 9.0.0, < 9.0.6 |
| pkg:nuget/microsoft.netcore.app.runtime.linux-arm64 | >= 9.0.0, < 9.0.6 |
| pkg:nuget/microsoft.netcore.app.runtime.linux-musl-arm | >= 9.0.0, < 9.0.6 |
| pkg:nuget/microsoft.netcore.app.runtime.linux-musl-arm64 | >= 9.0.0, < 9.0.6 |
| pkg:nuget/microsoft.netcore.app.runtime.linux-musl-x64 | >= 9.0.0, < 9.0.6 |
| pkg:nuget/microsoft.netcore.app.runtime.linux-x64 | >= 9.0.0, < 9.0.6 |
| pkg:nuget/microsoft.netcore.app.runtime.osx-arm64 | >= 9.0.0, < 9.0.6 |
| pkg:nuget/microsoft.netcore.app.runtime.osx-x64 | >= 9.0.0, < 9.0.6 |
| pkg:nuget/microsoft.netcore.app.runtime.win-arm | >= 9.0.0, < 9.0.6 |
| pkg:nuget/microsoft.netcore.app.runtime.win-arm64 | >= 9.0.0, < 9.0.6 |
| pkg:nuget/microsoft.netcore.app.runtime.win-x64 | >= 9.0.0, < 9.0.6 |
| pkg:nuget/microsoft.netcore.app.runtime.win-x86 | >= 9.0.0, < 9.0.6 |
| pkg:rpm/almalinux/aspnetcore-runtime-8.0 | < 8.0.17-1.el8_10 |
| pkg:rpm/almalinux/aspnetcore-runtime-9.0 | < 9.0.6-1.el8_10 |
| pkg:rpm/almalinux/aspnetcore-runtime-dbg-8.0 | < 8.0.17-1.el8_10 |
| pkg:rpm/almalinux/aspnetcore-runtime-dbg-9.0 | < 9.0.6-1.el8_10 |
| pkg:rpm/almalinux/aspnetcore-targeting-pack-8.0 | < 8.0.17-1.el8_10 |
| pkg:rpm/almalinux/aspnetcore-targeting-pack-9.0 | < 9.0.6-1.el8_10 |
| pkg:rpm/almalinux/dotnet | < 9.0.107-1.el8_10 |
| pkg:rpm/almalinux/dotnet-apphost-pack-8.0 | < 8.0.17-1.el8_10 |
| pkg:rpm/almalinux/dotnet-apphost-pack-9.0 | < 9.0.6-1.el8_10 |
| pkg:rpm/almalinux/dotnet-host | < 9.0.6-1.el8_10 |
| pkg:rpm/almalinux/dotnet-hostfxr-8.0 | < 8.0.17-1.el8_10 |
| pkg:rpm/almalinux/dotnet-hostfxr-9.0 | < 9.0.6-1.el8_10 |
| pkg:rpm/almalinux/dotnet-runtime-8.0 | < 8.0.17-1.el8_10 |
| pkg:rpm/almalinux/dotnet-runtime-9.0 | < 9.0.6-1.el8_10 |
| pkg:rpm/almalinux/dotnet-runtime-dbg-8.0 | < 8.0.17-1.el8_10 |
| pkg:rpm/almalinux/dotnet-runtime-dbg-9.0 | < 9.0.6-1.el8_10 |
| pkg:rpm/almalinux/dotnet-sdk-8.0 | < 8.0.117-1.el8_10 |
| pkg:rpm/almalinux/dotnet-sdk-8.0-source-built-artifacts | < 8.0.117-1.el8_10 |
| pkg:rpm/almalinux/dotnet-sdk-9.0 | < 9.0.107-1.el8_10 |
| pkg:rpm/almalinux/dotnet-sdk-9.0-source-built-artifacts | < 9.0.107-1.el8_10 |
| pkg:rpm/almalinux/dotnet-sdk-aot-9.0 | < 9.0.107-1.el8_10 |
| pkg:rpm/almalinux/dotnet-sdk-dbg-8.0 | < 8.0.117-1.el8_10 |
| pkg:rpm/almalinux/dotnet-sdk-dbg-9.0 | < 9.0.107-1.el8_10 |
| pkg:rpm/almalinux/dotnet-targeting-pack-8.0 | < 8.0.17-1.el8_10 |
| pkg:rpm/almalinux/dotnet-targeting-pack-9.0 | < 9.0.6-1.el8_10 |
| pkg:rpm/almalinux/dotnet-templates-8.0 | < 8.0.117-1.el8_10 |
| pkg:rpm/almalinux/dotnet-templates-9.0 | < 9.0.107-1.el8_10 |
| pkg:rpm/almalinux/netstandard-targeting-pack-2.1 | < 9.0.107-1.el8_10 |
- Microsoft/Microsoft Visual Studio 2022 version 17.10 (v5), range: 17.10.0
- Microsoft/Microsoft Visual Studio 2022 version 17.12 (v5), range: 17.12.0
- Microsoft/Microsoft Visual Studio 2022 version 17.14 (v5), range: 17.14.0
- Microsoft/Microsoft Visual Studio 2022 version 17.8 (v5), range: 17.8.0
- Microsoft/.NET 8.0 (v5), range: 8.0.0
- Microsoft/.NET 9.0 (v5), range: 9.0.0
- Microsoft/PowerShell 7.4 (v5), range: 7.4.0
- Microsoft/PowerShell 7.5 (v5), range: 7.5.0
References
- github.com/advisories/GHSA-266m-wp2v-x7mq (ghsa, ADVISORY)
- msrc.microsoft.com/update-guide/vulnerability/CVE-2025-30399 (ghsa, vendor-advisory, patch, WEB)
- nvd.nist.gov/vuln/detail/CVE-2025-30399 (ghsa, ADVISORY)
- github.com/dotnet/runtime/issues/116495 (ghsa, WEB)
- github.com/dotnet/runtime/security/advisories/GHSA-266m-wp2v-x7mq (ghsa, WEB)
- www.cve.org/CVERecord (ghsa, WEB)