NuGet Gallery: Écrasement arbitraire de blob via confusion Nuspec et troncature de fragment URI

The vulnerability stems from insufficient input validation when handling .nuspec files. Attackers can leverage this to inject malicious metadata across packages, effectively controlling the resolved blob path. This allows them to write arbitrary blobs within the NuGet Gallery, potentially leading to remote code execution. Successful exploitation could allow an attacker to compromise the NuGet Gallery infrastructure, inject malicious packages into the repository, and distribute them to unsuspecting developers, leading to widespread compromise of applications relying on NuGet packages. The potential for supply chain attacks is significant, as compromised packages could contain malware or backdoors.

Developers and organizations that rely on NuGet packages from nuget.org are at risk. Specifically, those using automated build processes that automatically pull packages from nuget.org without thorough vetting are particularly vulnerable. Shared hosting environments where multiple developers share a NuGet package repository also face increased risk.

• dotnet / server: Monitor NuGet Gallery server logs for unusual blob write activity, particularly those involving URI fragment injection in package identifiers. Use PowerShell to check for suspicious .nuspec files in the package repository.

Get-ChildItem -Path "C:\path\to\nuget\packages\*\*.nuspec" | Select-String -Pattern "malicious_pattern"

• generic web: Monitor access logs for requests containing unusual URI fragments in package identifiers. Check response headers for unexpected content-types or error messages related to blob writes. • database (generic): If NuGet Gallery uses a database to store package metadata, query the database for suspicious entries related to package identifiers and blob paths.

1. 2026-04-14Disclosure

   disclosure

1. Réservé2026-04-06
2. Publiée2026-04-14
3. Modifiée2026-04-15
4. EPSS mis à jour2026-04-22

The primary mitigation is to upgrade NuGet Gallery to version 0e80f87628349207cdcaf55358491f8a6f1ca276 or later, which contains the necessary fixes. If immediate upgrade is not feasible, consider implementing stricter input validation on .nuspec files within the NuGet Gallery backend job. While a direct WAF rule is difficult to implement, monitoring for unusual blob write activity and package identifier patterns can provide early detection. Review and audit all NuGet packages before publishing to ensure they do not contain malicious metadata. After upgrade, confirm the fix by attempting to upload a test package with a deliberately crafted, but benign, .nuspec file to verify that the input validation is functioning correctly.