GHSA-G4VJ-CJJJ-V7HG: GHSA-G4VJ-CJJJ-V7HG: Defense in Depth Update for NuGet Client Handling Resource Consumption and Log Disclosure

GHSA-G4VJ-CJJJ-V7HG: Defense in Depth Update for NuGet Client Handling Resource Consumption and Log Disclosure

Vulnerability ID: GHSA-G4VJ-CJJJ-V7HG
CVSS Score: 3.3
Published: 2026-04-14

Microsoft issued a defense-in-depth security update for the NuGet Client and NuGet.CommandLine tools. The update addresses internal architectural weaknesses related to uncontrolled resource consumption (CWE-400) and the potential insertion of sensitive information into diagnostic log files (CWE-532). While classified as low severity without active exploitation, the update provides critical hardening for Continuous Integration (CI) and local development environments.

TL;DR

A low-severity defense-in-depth update for NuGet.CommandLine addresses potential denial of service via uncontrolled resource consumption and prevents sensitive credential disclosure in log files. Upgrading to the latest servicing release of the NuGet client mitigates these issues.

---

Technical Details

• CWE ID: CWE-400, CWE-532
• Attack Vector: Local / Context-Dependent
• CVSS Severity: Low
• Exploit Status: None
• KEV Status: Not Listed
• Impact: Denial of Service / Info Disclosure

Affected Systems

• NuGet.CommandLine utility
• nuget.exe standalone executable
• Visual Studio 2019 (Bundled NuGet Client)
• Visual Studio 2022 (Bundled NuGet Client)
• NuGet.CommandLine: < 6.13.0 (Fixed in: 6.13.0)

Mitigation Strategies

• Upgrade the NuGet.CommandLine package and nuget.exe to the latest patched versions.
• Apply the latest Visual Studio servicing updates to patch bundled NuGet clients.
• Disable 'Detailed' or 'Diagnostic' verbosity in automated build pipelines.
• Implement short-lived, scoped access tokens for package feed authentication to limit the impact of potential exposure.

Remediation Steps:

1. Verify the current version of the NuGet CLI using 'nuget help'.
2. Download the latest nuget.exe release (e.g., 6.13.0+) from the official distribution endpoints.
3. Update Visual Studio installations using the Visual Studio Installer.
4. Audit existing CI/CD logs for exposed authorization headers.
5. Rotate any package feed credentials that were previously used in environments with diagnostic logging enabled.

References

• GitHub Advisory Database: GHSA-G4VJ-CJJJ-V7HG
• SOOS Vulnerability Research: GHSA-G4VJ-CJJJ-V7HG
• Aliyun Vulnerability Database (AVD-2026-1868285)
• NuGet Release Notes

---

Read the full report for GHSA-G4VJ-CJJJ-V7HG on our website for more details including interactive diagrams and full exploit analysis.