Hacker Newsnew | past | comments | ask | show | jobs | submitlogin




Looks like a line ending problem. RejectsInvalidChunkExtensions seems to be the unit test that covers the actual concern.
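The comment above refers to a unit test named RejectsInvalidChunkExtensions and a line-ending problem, but the thread does not name the library or describe the exact defect. As an added example (not the project's code, and not a reconstruction of its bug), here is a strict parser for the chunked-transfer-coding chunk-size line that follows the RFC 9112 grammar `chunk-size [ chunk-ext ] CRLF`, rejecting bare CR or LF inside the line, anything other than a CRLF terminator, and malformed extensions. The sample lines at the bottom are constructed; the regex fragments for `token` and `quoted-string` are taken from RFC 9110.

```python
import re

# RFC 9110 token / quoted-string and RFC 9112 chunk-ext, written as regexes.
# Assumption: only what the grammar permits is accepted (obs-text is rejected).
TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
QUOTED_STRING = r'"(?:[\t !#-\[\]-~]|\\[\t -~])*"'
CHUNK_EXT = (r"(?:[ \t]*;[ \t]*" + TOKEN
             + r"(?:[ \t]*=(?:" + TOKEN + "|" + QUOTED_STRING + r"))?)*")
CHUNK_LINE = re.compile(r"(?P<size>[0-9A-Fa-f]{1,16})(?P<ext>" + CHUNK_EXT + r")")


def parse_chunk_size_line(line: bytes) -> int:
    """Return the chunk size in bytes, or raise ValueError if `line` is not a
    well-formed `chunk-size [ chunk-ext ] CRLF` line."""
    if not line.endswith(b"\r\n"):
        raise ValueError("chunk-size line must be terminated by CRLF")
    body = line[:-2]
    # A stray CR or LF before the real terminator is exactly where a lenient
    # parser and a strict one can disagree about where the line ends.
    if b"\r" in body or b"\n" in body:
        raise ValueError("bare CR or LF inside chunk-size line")
    try:
        text = body.decode("ascii")
    except UnicodeDecodeError:
        raise ValueError("non-ASCII byte in chunk-size line") from None
    match = CHUNK_LINE.fullmatch(text)
    if match is None:
        raise ValueError("malformed chunk-size or chunk extension")
    return int(match.group("size"), 16)


def check(line: bytes):
    """Convenience wrapper: the parsed size on success, None on rejection."""
    try:
        return parse_chunk_size_line(line)
    except ValueError:
        return None


if __name__ == "__main__":
    # Constructed sample lines, not taken from any real traffic or test suite.
    samples = (
        b"1a\r\n",                  # plain size -> 26
        b"1A;name=value\r\n",       # one extension with token value -> 26
        b'1a;ext="quoted ;"\r\n',   # quoted-string value may contain ';' -> 26
        b"1a\n",                    # bare LF terminator -> rejected
        b"1a;bad\rext\r\n",         # bare CR inside the extension -> rejected
        b"1a;=\r\n",                # extension without a name -> rejected
        b"1a \r\n",                 # trailing whitespace, no extension -> rejected
        b"-1\r\n",                  # not a hex digit string -> rejected
    )
    for sample in samples:
        print(repr(sample), "->", check(sample))
```

Extensions are parsed but ignored, as RFC 9112 requires; the point of validating them anyway is that a parser which skips to the next line terminator without checking what it skipped is the kind of code where a CR/LF disagreement between two components creates a request-boundary mismatch.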


This is a dumb way of scoring the bug.

The bug itself doesn't enable any of those. An app using the library might have that vuln.


It's a generic problem with using CVSS to score library vulnerabilities. CVSS is designed around complete systems, so it's totally crap to apply it to libraries.

I see a lot of critical (9+) supposed JavaScript "remote code execution with no authentication" CVEs being posted...

Right, if you are running it in an NPM server exposed to malicious user input with no authentication. Actually it runs client side in the browser and at best it's a prototype pollution vuln with a much lower score.


> This is a dumb way of scoring the bug.

The above is a motto for the entire vulnerability industrial complex.


A score which is based on how someone could theoretically use the tool.

It might be right, but it also feels so wrong.

I would in reality probably rank this issue lower. And in some more properly engineered systems it would have a lot less criticality.


But:

> someone could theoretically use the tool

makes every single logic error a 9.9



