
NuGet Client update adds package validation to prevent tampering

GHSA-g4vj-cjjj-v7hg
Summary

The NuGet client has been updated to validate the package ID and version of a downloaded .nupkg against the package that was actually requested, in addition to the existing package signature validation, so that a package whose contents do not match the requested identity is rejected instead of being installed. This is a defense-in-depth change; the advisory lists no known exploitation and no workaround. The fix ships in NuGet.exe, NuGet.CommandLine, NuGet.Packaging and NuGet.Protocol, and in the .NET SDK servicing releases listed below. If you are on an affected version, update to the patched version for the release line you are on.

What to do
  • Update nuget.packaging, nuget.protocol and nuget.commandline (and NuGet.exe) to the patched version for the release line you are on: 4.9.7, 5.11.7, 6.8.2, 6.11.2, 6.12.5, 6.14.3, 7.0.3 or 7.3.1. The three packages are versioned together, so all of them on a project should land on the same patched version.
  • If you restore with the .NET SDK, update to one of the patched SDK releases listed under "Patches" below; the SDK carries its own copy of the NuGet client.
Affected software

|Ecosystem|Product|Affected versions|Patched version|
|--|--|--|--|
|NuGet|nuget.packaging, nuget.protocol, nuget.commandline|>= 4.9.0, < 4.9.7|4.9.7|
|||>= 5.11.0, < 5.11.7|5.11.7|
|||>= 6.8.0, < 6.8.2|6.8.2|
|||>= 6.11.0, < 6.11.2|6.11.2|
|||>= 6.12.0, < 6.12.5|6.12.5|
|||>= 6.14.0, < 6.14.3|6.14.3|
|||>= 7.0.0, < 7.0.3|7.0.3|
|||>= 7.3.0, < 7.3.1|7.3.1|

The three packages share the same version lines and the same ranges. The fix is the patched version on your own release line (4.9.7 fixes only the 4.9.x line, not the others). The advisory lists patches only for these serviced lines; if you are on a line that is not listed (for example 6.13.x, 7.1.x or 7.2.x), no patched build of that line is given, so move to the nearest patched line.
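The table above is easy to misread because every range is a separate serviced line. As an added example (not part of the advisory or of NuGet's tooling), the script below transcribes those ranges and scans the `libraries` section of a `project.assets.json` for NuGet client packages that fall inside one, reporting the patched version on the same line. The assets-file snippet is constructed for the demo; the version ordering follows NuGet's SemVer2 rules in simplified form (build metadata ignored, a prerelease sorts below its release).

```python
"""
Added example, not part of the advisory: scan the NuGet package versions in a
project.assets.json for the affected ranges above and report the patched
version on the same release line. The range table is transcribed from the
advisory; the assets-file snippet is constructed for the demo.
"""
import json

# (first affected, first patched) per serviced release line, from the advisory.
AFFECTED_RANGES = [
    ("4.9.0", "4.9.7"), ("5.11.0", "5.11.7"), ("6.8.0", "6.8.2"),
    ("6.11.0", "6.11.2"), ("6.12.0", "6.12.5"), ("6.14.0", "6.14.3"),
    ("7.0.0", "7.0.3"), ("7.3.0", "7.3.1"),
]
AFFECTED_PACKAGES = {"nuget.packaging", "nuget.protocol", "nuget.commandline"}


def version_key(version: str):
    """Sortable key for a NuGet/SemVer2 version: numeric parts padded to four,
    then a flag so a prerelease sorts below its release, then the prerelease
    labels (numeric labels compare numerically, others lexically)."""
    version = version.strip().split("+", 1)[0]   # build metadata never affects ordering
    core, _, prerelease = version.partition("-")
    nums = [int(p) for p in core.split(".")]
    nums += [0] * (4 - len(nums))
    labels = []
    for label in (prerelease.split(".") if prerelease else []):
        labels.append((0, int(label), "") if label.isdigit() else (1, 0, label.lower()))
    return (tuple(nums), 0 if prerelease else 1, tuple(labels))


def patched_version_for(version: str):
    """Return the patched version for this version's release line, or None when
    the version is outside every affected range (already patched, or on an
    unlisted line for which the advisory gives no patch)."""
    key = version_key(version)
    for first_affected, patched in AFFECTED_RANGES:
        if version_key(first_affected) <= key < version_key(patched):
            return patched
    return None


def scan_assets(assets_json: str):
    """Return [(package, version, patched)] for affected NuGet client packages
    found in the 'libraries' section of a project.assets.json."""
    libraries = json.loads(assets_json).get("libraries", {})
    findings = []
    for name_version in libraries:
        name, _, version = name_version.partition("/")
        if name.lower() in AFFECTED_PACKAGES:
            patched = patched_version_for(version)
            if patched:
                findings.append((name, version, patched))
    return findings


# Constructed sample: the 'libraries' shape of a real project.assets.json, with
# one affected, one already patched and one unrelated package.
SAMPLE_ASSETS = json.dumps({
    "version": 3,
    "libraries": {
        "NuGet.Protocol/6.12.1": {"type": "package"},
        "NuGet.Packaging/6.12.5": {"type": "package"},
        "Newtonsoft.Json/13.0.3": {"type": "package"},
    },
})

if __name__ == "__main__":
    for name, version, patched in scan_assets(SAMPLE_ASSETS):
        print(f"{name} {version} is affected; update to {patched}")
```

Point the script at the `obj/project.assets.json` of each project after a restore; a version on an unlisted line (such as 6.13.x) returns no finding because the advisory gives it no patch, which is exactly the case where you should move to a patched line rather than treat silence as safe.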
Original title
Defense in Depth update for NuGet Client
Original description
### Impact
This update adds validation of the package ID and version during package download, in addition to the existing package signature validation.
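What the added check amounts to, as an added example that is not NuGet's own code (the client is C#; this is a small Python model of the same idea): open the downloaded .nupkg, read the single root `.nuspec`, and reject the download unless its `<id>` and `<version>` equal the identity that was requested. NuGet package IDs are case-insensitive and versions compare after normalization (`1.2` and `1.2.0.0` both denote `1.2.0`), so the comparison has to account for both. The `.nupkg` files and the nuspec namespace handling are constructed for the demo; `build_nupkg`, `validate_download` and `check` are names chosen here, not NuGet APIs.

```python
"""
Added example: verifying that a downloaded .nupkg really is the package that
was requested (ID and version), independent of signature checks. Not NuGet's
own code; a minimal Python model of the defense-in-depth check described above.
"""
import io
import zipfile
import xml.etree.ElementTree as ET


class PackageIdentityMismatch(Exception):
    """Raised when the .nuspec inside the .nupkg does not match the request."""


def normalize_version(version: str) -> str:
    """Normalize a NuGet version for comparison (simplified NuGet rules):
    build metadata after '+' is dropped, leading zeros in numeric parts are
    removed, missing minor/patch become 0, a zero fourth part is trimmed,
    and any prerelease label is kept as-is."""
    version = version.strip().split("+", 1)[0]
    core, sep, prerelease = version.partition("-")
    parts = [str(int(p)) for p in core.split(".")]   # int() rejects non-numeric parts
    while len(parts) < 3:
        parts.append("0")
    if len(parts) == 4 and parts[3] == "0":
        parts = parts[:3]
    return ".".join(parts) + ("-" + prerelease if sep else "")


def read_nuspec_identity(nupkg_bytes: bytes):
    """Return (id, version) from the single .nuspec at the root of the package."""
    with zipfile.ZipFile(io.BytesIO(nupkg_bytes)) as zf:
        nuspecs = [n for n in zf.namelist() if n.lower().endswith(".nuspec") and "/" not in n]
        if len(nuspecs) != 1:
            raise PackageIdentityMismatch(f"expected exactly one root .nuspec, found {len(nuspecs)}")
        root = ET.fromstring(zf.read(nuspecs[0]))
    # nuspec files carry a versioned XML namespace; match on the local name only.
    metadata = next((e for e in root.iter() if e.tag.rsplit("}", 1)[-1] == "metadata"), None)
    if metadata is None:
        raise PackageIdentityMismatch("nuspec has no <metadata> element")
    fields = {e.tag.rsplit("}", 1)[-1]: (e.text or "").strip() for e in metadata}
    if not fields.get("id") or not fields.get("version"):
        raise PackageIdentityMismatch("nuspec lacks <id> or <version>")
    return fields["id"], fields["version"]


def validate_download(requested_id: str, requested_version: str, nupkg_bytes: bytes) -> bool:
    """Accept the download only if the nuspec identity equals the requested one.
    IDs compare case-insensitively; versions compare after normalization."""
    actual_id, actual_version = read_nuspec_identity(nupkg_bytes)
    if actual_id.lower() != requested_id.lower():
        raise PackageIdentityMismatch(f"requested id {requested_id!r}, package says {actual_id!r}")
    if normalize_version(actual_version) != normalize_version(requested_version):
        raise PackageIdentityMismatch(
            f"requested version {requested_version!r}, package says {actual_version!r}")
    return True


def check(requested_id: str, requested_version: str, nupkg_bytes: bytes) -> bool:
    """Same as validate_download, but returns False instead of raising."""
    try:
        return validate_download(requested_id, requested_version, nupkg_bytes)
    except PackageIdentityMismatch:
        return False


def build_nupkg(pkg_id: str, version: str) -> bytes:
    """Constructed sample: a minimal .nupkg, i.e. a zip with a root .nuspec."""
    nuspec = (
        '<?xml version="1.0"?>'
        '<package xmlns="http://schemas.microsoft.com/packaging/2013/05/nuspec.xsd">'
        f'<metadata><id>{pkg_id}</id><version>{version}</version>'
        '<authors>example</authors><description>constructed sample</description>'
        '</metadata></package>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(f"{pkg_id}.nuspec", nuspec)
        zf.writestr("lib/netstandard2.0/_._", "")
    return buf.getvalue()


if __name__ == "__main__":
    good = build_nupkg("Contoso.Utilities", "1.2.0")
    swapped = build_nupkg("Evil.Utilities", "1.2.0")        # feed returned a different package
    downgraded = build_nupkg("Contoso.Utilities", "1.1.0")  # feed returned an older version
    print(check("contoso.utilities", "1.2", good))          # same identity despite case/form
    print(check("Contoso.Utilities", "1.2.0", swapped))     # rejected
    print(check("Contoso.Utilities", "1.2.0", downgraded))  # rejected
```

The point of doing this after signature validation, not instead of it, is that a validly signed package is still the wrong package if it is not the one that was asked for; the identity check closes that gap without trusting anything the feed says outside the package itself.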

### Patches

#### NuGet

The following NuGet.exe, NuGet.CommandLine, NuGet.Packaging, and NuGet.Protocol versions have been patched:

|Affected versions|Patched version|
|--|--|
|>= 4.9.0, <= 4.9.6|4.9.7|
|>= 5.11.0, <= 5.11.6|5.11.7|
|>= 6.8.0, <= 6.8.1|6.8.2|
|>= 6.11.0, <= 6.11.1|6.11.2|
|>= 6.12.0, <= 6.12.4|6.12.5|
|>= 6.14.0, <= 6.14.2|6.14.3|
|>= 7.0.0, <= 7.0.2|7.0.3|
|7.3.0|7.3.1|

#### .NET SDK

* .NET 8.0.126 SDK
* .NET 8.0.420 SDK
* .NET 9.0.116 SDK
* .NET 9.0.313 SDK
* .NET 10.0.106 SDK
* .NET 10.0.202 SDK

### Workarounds
N/A

### References
https://github.com/NuGet/NuGetGallery/security/advisories/GHSA-9r3h-v4hx-rhfr

### Credit
[splitline](https://x.com/_splitline_) with [DEVCORE](https://devco.re/)
Vulnerability type
CWE-345 (Insufficient Verification of Data Authenticity)
Published: 14 Apr 2026 · Updated: 15 Apr 2026 · First seen: 15 Apr 2026