.NET: Address Vulnerable Packages in Google Gemini Sample #2628

@joslat

🚨 [SECURITY] High Severity CVEs in Google Gemini Sample - Build Blocked

Issue Type

🔴 Security Vulnerability - High Severity

Summary

The Agent_With_GoogleGemini sample project includes transitive dependencies with known high and moderate severity security vulnerabilities in System.Net.Security version 4.3.0. The project configuration does not pin specific package versions, causing it to pull the latest versions of Google packages which carry these vulnerable dependencies.

Affected Component

  • Project: dotnet/samples/GettingStarted/AgentProviders/Agent_With_GoogleGemini
  • Direct Dependencies (unpinned in csproj):
    • <PackageReference Include="Google.GenAI" /> - pulls version 0.6.0 from Directory.Packages.props
    • <PackageReference Include="Mscc.GenerativeAI.Microsoft" /> - pulls version 2.9.3 from Directory.Packages.props
  • Vulnerable Transitive Dependency: System.Net.Security 4.3.0

Root Cause

The sample project references Google packages without explicit version pinning in the csproj file, relying on central package management. The current versions specified in Directory.Packages.props (Google.GenAI 0.6.0 and Mscc.GenerativeAI.Microsoft 2.9.3) have dependency chains that include the vulnerable System.Net.Security 4.3.0 package.

Vulnerabilities

NuGet security audit has identified the following vulnerabilities:

  1. GHSA-6xh7-4v2w-36q6 - High Severity
  2. GHSA-ch6p-4jcm-h8vh - Moderate Severity
  3. GHSA-j8f4-2w4p-mhjc - Moderate Severity
  4. GHSA-qhqf-ghgh-x2m4 - High Severity

Error Details

/Users/latj/Code/agent-framework/dotnet/samples/GettingStarted/AgentProviders/Agent_With_GoogleGemini/Agent_With_GoogleGemini.csproj : error NU1903: Warning As Error: Package 'System.Net.Security' 4.3.0 has a known high severity vulnerability, https://github.com/advisories/GHSA-6xh7-4v2w-36q6
/Users/latj/Code/agent-framework/dotnet/samples/GettingStarted/AgentProviders/Agent_With_GoogleGemini/Agent_With_GoogleGemini.csproj : error NU1902: Warning As Error: Package 'System.Net.Security' 4.3.0 has a known moderate severity vulnerability, https://github.com/advisories/GHSA-ch6p-4jcm-h8vh
/Users/latj/Code/agent-framework/dotnet/samples/GettingStarted/AgentProviders/Agent_With_GoogleGemini/Agent_With_GoogleGemini.csproj : error NU1902: Warning As Error: Package 'System.Net.Security' 4.3.0 has a known moderate severity vulnerability, https://github.com/advisories/GHSA-j8f4-2w4p-mhjc
/Users/latj/Code/agent-framework/dotnet/samples/GettingStarted/AgentProviders/Agent_With_GoogleGemini/Agent_With_GoogleGemini.csproj : error NU1903: Warning As Error: Package 'System.Net.Security' 4.3.0 has a known high severity vulnerability, https://github.com/advisories/GHSA-qhqf-ghgh-x2m4

Impact

  • Build Failures: The solution fails to restore packages due to TreatWarningsAsErrors=true in Directory.Build.props
  • Security Risk: The vulnerable package has known SSL/TLS security issues
  • Corporate Compliance: This blocks the solution from being built in security-conscious enterprise environments

Reproduction Steps

  1. Clone the repository
  2. Navigate to dotnet/ directory
  3. Run dotnet restore
  4. Observe the security vulnerability errors

Proposed Solutions

Option 1: Remove the Sample (Recommended)

This sample does not enable any critical functionality and should be removed entirely to eliminate the security risk. The Google Gemini integration can be re-added when secure package versions become available.

Option 2: Comment Out/Disable the Sample

Temporarily disable the sample by:

  • Commenting out the PackageReferences in the csproj
  • Adding a comment explaining the security issue
  • Excluding it from the solution build

Option 3: Override Transitive Dependency (Temporary Workaround)

Add an explicit package reference to a newer version of System.Net.Security in Directory.Packages.props:

<PackageVersion Include="System.Net.Security" Version="4.3.2" />

⚠️ Warning: This is only a workaround and may not fully address all vulnerabilities in the dependency chain.
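The following Directory.Packages.props fragment is an added example, not part of this issue or of the agent-framework repository, showing what the Option 3 override needs in order to actually reach a transitive package. Under Central Package Management a bare PackageVersion entry only sets the version for packages a project references directly; for it to replace the transitive System.Net.Security 4.3.0 you need either a direct PackageReference in the sample's csproj or NuGet's CentralPackageTransitivePinningEnabled property, which promotes any matching PackageVersion to a top-level dependency. The package versions are those the issue reports; the property and item names are NuGet's own; whether 4.3.2 clears every listed advisory is the issue's assumption, not verified here.

```xml
<Project>
  <PropertyGroup>
    <!-- Central Package Management: versions live in this file, csproj files reference packages unversioned -->
    <ManagePackageVersionsCentrally>true</ManagePackageVersionsCentrally>

    <!-- Without this, a PackageVersion below applies only to packages that a project references
         directly. With it, any PackageVersion that matches a transitive dependency is promoted to
         a top-level reference, which is what overriding System.Net.Security 4.3.0 requires. -->
    <CentralPackageTransitivePinningEnabled>true</CentralPackageTransitivePinningEnabled>

    <!-- Keep the restore audit covering transitive packages so NU1902/NU1903 surface again
         if the override is ever dropped (this is the default in current SDKs). -->
    <NuGetAuditMode>all</NuGetAuditMode>
  </PropertyGroup>

  <ItemGroup>
    <!-- Direct dependencies of the sample, at the versions the issue reports -->
    <PackageVersion Include="Google.GenAI" Version="0.6.0" />
    <PackageVersion Include="Mscc.GenerativeAI.Microsoft" Version="2.9.3" />

    <!-- Option 3 from the issue: pin the transitive System.Net.Security above the flagged 4.3.0.
         Version 4.3.2 is the issue's proposal; confirm after restore that no advisory remains. -->
    <PackageVersion Include="System.Net.Security" Version="4.3.2" />
  </ItemGroup>
</Project>
```

After changing the file, run `dotnet restore` and then `dotnet list package --vulnerable --include-transitive` from the dotnet/ directory: the first confirms NU1902/NU1903 no longer fail the build, the second lists any advisory still attached to the resolved System.Net.Security version or to anything else in the chain, which is the check the warning above is asking for.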

Option 4: Update Google Packages (If Available)

Check if newer versions of Google.GenAI or Mscc.GenerativeAI.Microsoft are available that don't depend on the vulnerable package. Contact package maintainers if updates are not available.

Additional Context

  • .NET SDK Version: 10.0.100-rc.1.25451.107
  • Target Framework: net10.0
  • Build Configuration: Central Package Management enabled

Priority

🔴 High - Security vulnerabilities should be addressed promptly, especially in corporate environments.
