Description
Per https://nvd.nist.gov/vuln/detail/CVE-2019-0820, there's a ReDoS vulnerability in System.Text.RegularExpressions 4.3.0, which is being referenced by Serilog 2.5.0 under .NET Standard. The vulnerability is also present in version 4.1.0 even though the advisory does not state that.
Explanation from Sonatype:
The System.Text.RegularExpressions package contains a Regular Expression Denial of Service (ReDoS) vulnerability. The System.Text.RegularExpressions.dll file does not properly implement a timeout when handling regular expressions. An attacker can exploit this with a maliciously crafted regular expression string, which when processed could use excessive resources and cause an application crash, resulting in a Denial of Service (DoS).
Advisory Deviation Notice: The Sonatype security research team discovered that the vulnerability is present in version 4.0.12-rc2-24027 until 4.1.0, not just version 4.3.0 as the advisory states.
System.Text.RegularExpressions 4.3.1 does not have this vulnerability.
I examined the Serilog.nuspec file to confirm that 4.1.0 is being referenced. Assuming the .nuspec is being autogenerated by dotnet pack, I'm guessing the reason 4.1.0 is being referenced rather than 4.3.1 is because of the "lowest applicable version" behavior[1].
Reproduction
Create a .NET Standard 2.0 project, reference Serilog 2.5.0, and build the project. Confirm that System.Text.RegularExpressions 4.1.0 is the version that is referenced.
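The last step of the reproduction is a manual check of which System.Text.RegularExpressions version the restore resolved. The following script is an added example (not part of this issue or of Serilog) that automates that check: it reads the project.assets.json that `dotnet build` writes under obj/, finds the resolved version of the package for each target framework, and classifies it against the ranges stated above (NVD: 4.3.0; Sonatype: 4.0.12-rc2-24027 through 4.1.0; 4.3.1 fixed). The embedded assets file is a constructed, trimmed sample that mirrors the package graph described in the issue, and the NuGet version comparison is a simplified one (numeric parts, then a release sorts after any prerelease of the same number).

```python
import json

# Constructed excerpt of obj/project.assets.json for a .NET Standard 2.0 project
# referencing Serilog 2.5.0. Sample data only, not captured from a real build;
# the package graph mirrors what the issue describes.
SAMPLE_ASSETS = json.dumps({
    "version": 3,
    "targets": {
        ".NETStandard,Version=v2.0": {
            "Serilog/2.5.0": {
                "type": "package",
                "dependencies": {"System.Text.RegularExpressions": "4.1.0"},
            },
            "System.Text.RegularExpressions/4.1.0": {"type": "package"},
        }
    },
    "libraries": {
        "Serilog/2.5.0": {"type": "package"},
        "System.Text.RegularExpressions/4.1.0": {"type": "package"},
    },
})

PACKAGE = "System.Text.RegularExpressions"
# Ranges as stated in the issue text (NVD plus the Sonatype deviation notice).
VULNERABLE_RANGES = [("4.0.12-rc2-24027", "4.1.0"), ("4.3.0", "4.3.0")]
FIXED_FROM = "4.3.1"


def parse_version(text):
    """Split a NuGet version string into (numeric parts, prerelease label)."""
    core, _, pre = text.partition("-")
    nums = [int(p) for p in core.split(".")]
    nums += [0] * (4 - len(nums))  # pad so that 4.1 compares equal to 4.1.0.0
    return tuple(nums), pre


def version_key(text):
    """Sort key: numeric parts, then release (1) after prerelease (0), then label."""
    nums, pre = parse_version(text)
    return (nums, 1 if pre == "" else 0, pre)


def in_range(version, low, high):
    """Inclusive range test using the simplified NuGet ordering above."""
    return version_key(low) <= version_key(version) <= version_key(high)


def classify(version):
    """'vulnerable' if inside a stated range, 'fixed' if >= 4.3.1, else 'unknown'."""
    if any(in_range(version, lo, hi) for lo, hi in VULNERABLE_RANGES):
        return "vulnerable"
    if version_key(version) >= version_key(FIXED_FROM):
        return "fixed"
    return "unknown"  # below the fixed version but not covered by either advisory


def resolved_versions(assets_json, package=PACKAGE):
    """Return {target_framework: resolved version} for one package id."""
    data = json.loads(assets_json)
    found = {}
    for tfm, entries in data.get("targets", {}).items():
        for ident in entries:  # keys look like "PackageId/Version"
            name, _, ver = ident.partition("/")
            if name.lower() == package.lower():
                found[tfm] = ver
    return found


def audit(assets_json, package=PACKAGE):
    """Map each target framework to (resolved version, classification)."""
    return {
        tfm: (ver, classify(ver))
        for tfm, ver in resolved_versions(assets_json, package).items()
    }


if __name__ == "__main__":
    for tfm, (ver, status) in audit(SAMPLE_ASSETS).items():
        print(f"{tfm}: {PACKAGE} {ver} -> {status}")
```

Against a real build, replace `SAMPLE_ASSETS` with the contents of obj/project.assets.json. A resolved 4.1.0 entry reports `vulnerable`; once the project (or a transitive dependency) pins System.Text.RegularExpressions to 4.3.1 or later, the same check reports `fixed`. Versions the two advisories do not mention are reported as `unknown` rather than silently treated as safe.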
Expected behavior
N/A
Relevant package, tooling and runtime versions
Serilog 2.5.0 on Windows with .NET Framework 4.8 but referenced via a .NET Standard 2.0 project.
Additional context
N/A