Transitive dep: System.Security.Cryptography.Xml 10.0.0 has High-severity CVEs (via EPPlus 8.5.0)

[birdnamoo]

Status update: Fixed in commit 8c40891 and released as FilePrepper 0.6.1 (EPPlus bump 8.5.0 → 8.5.3). NuGet publish triggers automatically on Directory.Build.props change. This issue is opened for traceability and to coordinate downstream consumers removing temporary mitigations.

Problem

FilePrepper 0.6.0 transitively depends on System.Security.Cryptography.Xml 10.0.0, which has two known High-severity vulnerabilities:

• GHSA-37gx-xxp4-5rgx — CVE-2026-33116: .NET DoS via EncryptedXml (CVSS 7.5)
• GHSA-w3x6-4m5h-cxqf — CVE-2026-26171: .NET DoS

Both advisories confirm vulnerable range >= 10.0.0, <= 10.0.5; first patched version is 10.0.6. Both surface as NU1903 warnings in any consumer project.

Affected dependency chain

```
FilePrepper 0.6.0
└── EPPlus 8.5.0
└── System.Security.Cryptography.Xml 10.0.0 ← vulnerable (net10.0 TFM)
```

Reproduction (on FilePrepper 0.6.0)

```bash
dotnet new classlib -n Repro -f net10.0
cd Repro
dotnet add package FilePrepper --version 0.6.0
dotnet build # NU1903 warnings appear
dotnet list package --vulnerable --include-transitive
```

Fix

EPPlus 8.5.3 (released 2026-04-16) requires System.Security.Cryptography.Xml >= 10.0.6 for net10.0 consumers, fully closing the chain.

EPPlus	System.Security.Cryptography.Xml (net10.0)	Status
8.5.0	10.0.0	Vulnerable
8.5.3	10.0.6	Patched

Single-line change in Directory.Packages.props:

```xml

• <PackageVersion Include="EPPlus" Version="8.5.0" />

• <PackageVersion Include="EPPlus" Version="8.5.3" />
  ```

Verification (on commit 8c40891 / FilePrepper 0.6.1)

• `dotnet list package --vulnerable --include-transitive` → "no vulnerable packages"
• All tests pass: 302 SDK + 63 CLI
• nupkg dependency manifest contains: `<dependency id="EPPlus" version="8.5.3" />`

For downstream consumers

If you applied a temporary TransitivePinningEnabled + explicit System.Security.Cryptography.Xml pin as a consumer-side mitigation, you can remove it once you upgrade to FilePrepper 0.6.1 or later.

Reporter

Found via dogfooding from the DataLens project (consumer of FilePrepper). Thanks to that team for the precise diagnosis including direct nupkg inspection.

[birdnamoo]

⚠️ Release blocked — NUGET_API_KEY needs rotation

The fix landed on main (commit 8c40891) and the NuGet Publish workflow auto-triggered, but the publish step failed:

```
Pushing FilePrepper.0.6.1.nupkg to 'https://www.nuget.org/api/v2/package'...
error: Response status code does not indicate success: 403 (The specified API key is invalid, has expired, or does not have permission to access the specified package.).
```

Workflow run: https://github.com/iyulab/FilePrepper/actions/runs/24980016867

The previous successful publish was 0.6.0 on 2026-03-20, so the API key has likely expired between then and now. nuget.org confirms 0.6.1 is not yet published; 0.6.0 remains the latest.

Action required (maintainer)

1. Generate a new API key on nuget.org (Push permission scoped to FilePrepper).
2. Update the NUGET_API_KEY repository secret on iyulab/FilePrepper.
3. Re-run the failed workflow (workflow_dispatch or push a no-op commit on Directory.Build.props).

Until then, the security fix exists on main but consumers cannot acquire it via NuGet. Downstream consumers applying temporary mitigations should keep them in place until 0.6.1 is on nuget.org.

This issue stays open until 0.6.1 is published.

[birdnamoo]

✅ Resolved — FilePrepper 0.6.1 published to nuget.org

The maintainer rotated NUGET_API_KEY (organization secret), and the previously failed run 24980016867 was retried successfully on attempt #2.

• Workflow: ✅ success
• Build SHA: `8c40891` — the original security-only commit, not main HEAD. So 0.6.1 contains exactly the EPPlus 8.5.3 bump that was triaged in this issue, with none of the subsequent package bumps that landed via Dependabot PRs chore(deps): bump actions/upload-artifact from 4 to 7 #2–Bump System.CommandLine from 2.0.5 to 2.0.7 #9. Those will release as 0.6.2 in a future cycle.
• nuget.org flat-container: `FilePrepper.0.6.1` and `fileprepper-cli.0.6.1` both visible (gallery page indexing will catch up within ~10 more minutes).

For downstream consumers

You can upgrade now:

```bash
dotnet add package FilePrepper --version 0.6.1
```

Any temporary `TransitivePinningEnabled` + explicit `System.Security.Cryptography.Xml` pin you applied as a consumer-side mitigation can be removed once you upgrade to 0.6.1 — the patched chain comes through automatically via EPPlus 8.5.3.

Closing.