{
  "threat_severity" : "Moderate",
  "public_date" : "2025-10-15T13:06:53Z",
  "bugzilla" : {
    "description" : "dotnet: .NET Denial of Service Vulnerability",
    "id" : "2403086",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2403086"
  },
  "cvss3" : {
    "cvss3_base_score" : "7.3",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H",
    "status" : "verified"
  },
  "cwe" : "CWE-377",
  "details" : [ "Improper link resolution before file access ('link following') in .NET allows an authorized attacker to elevate privileges locally.", "A flaw was found in MSBuild’s temporary directory handling on Linux where predictable, non-randomized temporary paths are used. Local users can create or manipulate those paths before MSBuild runs, causing build failures or unexpected behavior and resulting in denial of service for build operations." ],
  "statement" : "The Red Hat Product Security team has assessed this issue as Moderate. Predictable MSBuild temporary directory paths on Linux allow a local user to precreate or manipulate build temp directories, causing build failures (denial of service) on shared build hosts or CI runners using the affected .NET packages.\n```\n.NET 6.0 for RHEL-8, RHEL-9 and RHIVOS has reached its End of Life as of November 12, 2024, and is no longer supported. No fixes will be provided for this stream. For additional information about lifecycle for .NET on Red Hat Enterprise Linux, please refer to: https://access.redhat.com/support/policy/updates/net-core.\n```",
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux 10",
    "release_date" : "2025-10-15T00:00:00Z",
    "advisory" : "RHSA-2025:18152",
    "cpe" : "cpe:/o:redhat:enterprise_linux:10.0",
    "package" : "dotnet8.0-0:8.0.121-1.el10_0"
  }, {
    "product_name" : "Red Hat Enterprise Linux 10",
    "release_date" : "2025-10-15T00:00:00Z",
    "advisory" : "RHSA-2025:18153",
    "cpe" : "cpe:/o:redhat:enterprise_linux:10.0",
    "package" : "dotnet9.0-0:9.0.111-1.el10_0"
  }, {
    "product_name" : "Red Hat Enterprise Linux 10",
    "release_date" : "2025-11-11T00:00:00Z",
    "advisory" : "RHBA-2025:20993",
    "cpe" : "cpe:/o:redhat:enterprise_linux:10.1",
    "package" : "dotnet10.0-0:10.0.100~rc.2.25502.107-0.12.el10_1"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2025-10-15T00:00:00Z",
    "advisory" : "RHSA-2025:18148",
    "cpe" : "cpe:/a:redhat:enterprise_linux:8",
    "package" : "dotnet8.0-0:8.0.121-1.el8_10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2025-10-15T00:00:00Z",
    "advisory" : "RHSA-2025:18150",
    "cpe" : "cpe:/a:redhat:enterprise_linux:8",
    "package" : "dotnet9.0-0:9.0.111-1.el8_10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2025-11-11T00:00:00Z",
    "advisory" : "RHBA-2025:20916",
    "cpe" : "cpe:/a:redhat:enterprise_linux:9",
    "package" : "dotnet10.0-0:10.0.100~rc.2.25502.107-0.10.el9_7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2025-10-15T00:00:00Z",
    "advisory" : "RHSA-2025:18149",
    "cpe" : "cpe:/a:redhat:enterprise_linux:9",
    "package" : "dotnet8.0-0:8.0.121-1.el9_6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2025-10-15T00:00:00Z",
    "advisory" : "RHSA-2025:18151",
    "cpe" : "cpe:/a:redhat:enterprise_linux:9",
    "package" : "dotnet9.0-0:9.0.111-1.el9_6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9.4 Extended Update Support",
    "release_date" : "2025-10-16T00:00:00Z",
    "advisory" : "RHSA-2025:18256",
    "cpe" : "cpe:/a:redhat:rhel_eus:9.4",
    "package" : "dotnet8.0-0:8.0.121-1.el9_4"
  }, {
    "product_name" : "Red Hat Hardened Images",
    "release_date" : "2026-04-20T00:00:00Z",
    "advisory" : "RHSA-2026:9080",
    "cpe" : "cpe:/a:redhat:hummingbird:1",
    "package" : "dotnet8-0-main-8.0.126-1.hum1"
  }, {
    "product_name" : "Red Hat Hardened Images",
    "release_date" : "2026-04-21T00:00:00Z",
    "advisory" : "RHSA-2026:9205",
    "cpe" : "cpe:/a:redhat:hummingbird:1",
    "package" : "dotnet9-0-main-9.0.116-1.hum1"
  }, {
    "product_name" : "Red Hat OpenShift Dev Spaces (RHOSDS) 3.25",
    "release_date" : "2025-12-15T00:00:00Z",
    "advisory" : "RHSA-2025:23225",
    "cpe" : "cpe:/a:redhat:openshift_devspaces:3.25::el9",
    "package" : "devspaces/udi-rhel9:3.25.0-1765582207"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Out of support scope",
    "package_name" : "dotnet6.0",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Out of support scope",
    "package_name" : "dotnet7.0",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  }, {
    "product_name" : "Red Hat Hardened Images",
    "fix_state" : "Not affected",
    "package_name" : "dotnet10.0",
    "cpe" : "cpe:/a:redhat:hummingbird:1"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2025-55247\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-55247" ],
  "name" : "CVE-2025-55247",
  "mitigation" : {
    "value" : "Mitigation for this issue is either not available or the currently available options don't meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
    "lang" : "en:us"
  },
  "csaw" : false
}