Skip to content

release: 7.1.8 — Microsoft.OpenApi security fix (#220) + IFormFile media types (#216)#221

Merged
avgalex merged 1 commit into
masterfrom
release/7.1.8
Jul 1, 2026
Merged

release: 7.1.8 — Microsoft.OpenApi security fix (#220) + IFormFile media types (#216)#221
avgalex merged 1 commit into
masterfrom
release/7.1.8

Conversation

@avgalex

@avgalex avgalex commented Jul 1, 2026

Copy link
Copy Markdown
Member

Overview

Cuts the stable 7.1.8 release. It folds together two things:

  1. Security fix for Issue Can we update the required minimum version of Swashbuckle.AspNetCore.SwaggerGen? #220 (the reason for this release) — closes the transitive advisory GHSA-v5pm-xwqc-g5wc / CVE-2026-49451.
  2. Stable rollup of the Add support for media types #216 media-type / file-size work that already shipped as 7.1.8-beta.1 / 7.1.8-beta.2 on master.

Fixes #220

Security fix (#220)

The published package pulled a vulnerable Microsoft.OpenApi 2.3.0 transitively via Swashbuckle.AspNetCore.SwaggerGen 10.0.0 on the net10.0 target:

MicroElements.Swashbuckle.FluentValidation
└── Swashbuckle.AspNetCore.SwaggerGen 10.0.0
    └── Swashbuckle.AspNetCore.Swagger 10.0.0
        └── Microsoft.OpenApi 2.3.0   ← vulnerable
  • Advisory: GHSA-v5pm-xwqc-g5wc / CVE-2026-49451 — High (CVSS 7.5), CWE-674 Uncontrolled Recursion. A circular $ref schema can stack-overflow the OpenAPI reader (availability / process-termination; no RCE or data exposure).
  • Affected range: Microsoft.OpenApi >= 2.0.0-preview11, <= 2.7.4. Patched in 2.7.5.
  • Fix: bump Swashbuckle.AspNetCore.SwaggerGen 10.0.010.2.1 (net10.0 target), which resolves Microsoft.OpenApi to 2.7.5. Verified via dotnet list package --include-transitive.
  • The net8.0 / net9.0 targets use Swashbuckle 8.1.1Microsoft.OpenApi v1, which is outside the advisory range — left unchanged.
  • Test project (net10.0): Swashbuckle.AspNetCore(.Annotations)10.2.1 and the direct Microsoft.OpenApi pin 2.3.02.7.5 (clears Dependabot alert Create package for old asp net #2).

Release (version)

⚠️ Per this repo's release process, merging to master triggers the CI NuGet publish of 7.1.8.

Verification

  • dotnet test --framework net10.086 passed, 0 failed (only pre-existing nullable warnings).
  • dotnet list package --include-transitive (net10.0) → Microsoft.OpenApi 2.7.5.
  • dotnet pack -c ReleaseMicroElements.Swashbuckle.FluentValidation.7.1.8.nupkg.

🤖 Generated with Claude Code

…media types)

- Bump Swashbuckle.AspNetCore.SwaggerGen 10.0.0 -> 10.2.1 on the net10.0
  target, pulling patched Microsoft.OpenApi 2.7.5 (was transitively 2.3.0).
  Closes the transitive high-severity advisory GHSA-v5pm-xwqc-g5wc /
  CVE-2026-49451 (CWE-674 uncontrolled recursion on circular $ref schemas)
  reported in Issue #220. net8.0/net9.0 use Swashbuckle 8.1.1 -> OpenApi v1,
  outside the advisory range.
- Test project (net10.0): bump Swashbuckle.AspNetCore(.Annotations) to 10.2.1
  and the direct Microsoft.OpenApi pin 2.3.0 -> 2.7.5 (clears Dependabot alert #2).
- Cut stable 7.1.8: drop beta suffix in version.props; CHANGELOG rolls up the
  #216 media-type/file-size work from 7.1.8-beta.1/beta.2 plus the #220 fix.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@avgalex avgalex merged commit 2e8c074 into master Jul 1, 2026
2 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Can we update the required minimum version of Swashbuckle.AspNetCore.SwaggerGen?

1 participant