[SOLVED] Critical vulnerability reported for transitive log4net 2.0.8 dependency

I have…

  • [x] Checked the logs and have uploaded a log file and provided a link because I found something suspicious there. Please do not post the log file in the topic because very often something important is missing.

I’m submitting a…

  • [ ] Regression (a behavior that stopped working in a new release)
  • [x] Bug report
  • [ ] Performance issue
  • [ ] Documentation issue or request

Current behavior

There is a transitive dependency in Squidex.Extensions on log4net 2.0.8 (CVE-2018-1285).

Expected behavior

No critical vulnerabilities are reported for dependencies.

Minimal reproduction of the problem

Run Mend against current Squidex backend solution.

Environment

  • [ ] Self hosted with docker
  • [x] Self hosted with IIS
  • [ ] Self hosted with other version
  • [ ] Cloud version

Version: Latest

Browser:

  • [ ] Chrome (desktop)
  • [ ] Chrome (Android)
  • [ ] Chrome (iOS)
  • [ ] Firefox
  • [ ] Safari (desktop)
  • [ ] Safari (iOS)
  • [ ] IE
  • [ ] Edge

Others:
As we add a custom extension to Squidex before building and deploying it we perform security scans as with all our other applications.

Turns out there are some dependencies on deprecated NuGet packages around Confluent that have a dependency on log4net 2.0.8, but as they are deprecated it is highly unlikely they will ever be updated to target a non-vulnerable version of log4net so solution seems to be to use the new versions of those deprecated packages.

I have raised an untested PR for what I believe are the changes required to remove this vulnerable transitive dependency: https://github.com/Squidex/squidex/pull/1039

It’s probable that this dependency is not effective against your application but just wanted to raise awareness of it and the use of deprecated packages in case it gets flagged for others…
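One way to find out which direct package reference drags the vulnerable log4net into the build, as an added example that is not part of this report or of Squidex: it walks the resolved dependency graph NuGet writes to obj/project.assets.json and prints the chain leading to any log4net older than the patched version. The package names in the embedded sample are constructed, and 2.0.10 as the first log4net release fixing CVE-2018-1285 is an assumption to check against the advisory.

```python
import json
import sys

# Constructed sample in the shape of NuGet's obj/project.assets.json (trimmed): "targets"
# lists every resolved package with its dependencies, "project" the direct references.
SAMPLE_ASSETS = json.dumps({
    "targets": {"net6.0": {
        "Vendor.Kafka.Legacy/1.0.0": {"dependencies": {"Vendor.Kafka.Core": "1.0.0"}},
        "Vendor.Kafka.Core/1.0.0": {"dependencies": {"log4net": "2.0.8"}},
        "log4net/2.0.8": {},
        "Newtonsoft.Json/13.0.1": {}}},
    "project": {"frameworks": {"net6.0": {"dependencies": {
        "Vendor.Kafka.Legacy": {"version": "[1.0.0, )"},
        "Newtonsoft.Json": {"version": "[13.0.1, )"}}}}},
})

def parse_version(v):
    """Numeric tuple for ordering; a pre-release suffix such as '-beta1' is ignored."""
    return tuple(int(p) for p in v.split("-")[0].split("."))

def find_vulnerable_paths(assets_json, package, fixed_version):
    """(target framework, chain) for each resolved `package` older than `fixed_version`."""
    assets = json.loads(assets_json)
    # Direct references across all frameworks (key spelling differs between SDK versions).
    direct = {name for fw in assets["project"]["frameworks"].values()
              for name in fw.get("dependencies", {})}
    findings = []
    for tfm, resolved in assets["targets"].items():
        # package name -> (resolved version, {dependency name: version range})
        graph = {k.split("/")[0]: (k.split("/")[1], v.get("dependencies", {}))
                 for k, v in resolved.items()}
        for root in sorted(direct):
            stack, seen = [(root, [])], set()
            while stack:  # depth-first walk from this direct reference
                name, path = stack.pop()
                if name in seen or name not in graph:
                    continue
                seen.add(name)
                version, deps = graph[name]
                path = path + [f"{name}/{version}"]
                if (name.lower() == package.lower()
                        and parse_version(version) < parse_version(fixed_version)):
                    findings.append((tfm, " -> ".join(path)))
                stack.extend((dep, path) for dep in deps)
    return findings

if __name__ == "__main__":  # python find_log4net.py obj/project.assets.json
    data = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_ASSETS
    for tfm, chain in find_vulnerable_paths(data, "log4net", "2.0.10"):
        print(f"[{tfm}] {chain}")
```

Run it after `dotnet restore` on each project; a chain ending in log4net/2.0.8 names the direct reference (here a deprecated client package) that has to be upgraded or replaced.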

Thanks. I will merge that in. If you have something critical, it is a good idea to use the github advisory feature, where we can also assign a CVE. In this case, I think it is not critical, because we never log with log4net.
