The Linux.Bluetooth implementation currently depends on Tmds.DBus version 0.20.0, which is affected by the security advisory GHSA-xrw6-gwf8-vvr9.
According to the advisory, this vulnerability has been addressed in version 0.21.3 and later.
Issue
Using an affected version of Tmds.DBus introduces a known vulnerability into projects that consume Linux.Bluetooth, even if the Linux-specific implementation is not actively used at runtime (e.g., in cross-platform .NET MAUI apps).
Proposed Solution
Update the Tmds.DBus dependency from:
0.20.0 → 0.21.3 (or latest stable)
This would ensure that the package no longer includes the vulnerable version and aligns with current security recommendations.
Additional Context
- Advisory: GHSA-xrw6-gwf8-vvr9
- Fixed in: Tmds.DBus ≥ 0.21.3
- Impact: Security warnings in dependency scanning tools (e.g., GitHub Dependabot, dotnet list package --vulnerable)
Benefits
- Removes known vulnerability from dependency tree
- Improves security posture for downstream consumers
- Eliminates warnings in CI/CD and security scans
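A consumer-side check for the transitive exposure described above, as an added example that is not part of the original issue or the project's code. It assumes the `targets` layout of NuGet's `obj/project.assets.json` restore output; the `Linux.Bluetooth` version and target framework in the sample are constructed placeholders.

```python
import json

PACKAGE = "Tmds.DBus"
FIXED = (0, 21, 3)  # first fixed version named in the issue for GHSA-xrw6-gwf8-vvr9


def parse_version(text):
    """Numeric core of a NuGet version; pre-release/build suffixes are ignored."""
    core = text.split("-")[0].split("+")[0]
    return tuple(int(part) for part in core.split("."))


def find_affected(assets):
    """Return (framework, resolved_version, parents) wherever PACKAGE resolves below FIXED.

    `parents` lists the restored packages that declare a dependency on PACKAGE,
    which shows who pulls it in even when the app never references it directly.
    """
    findings = []
    for framework, libs in assets.get("targets", {}).items():
        for key in libs:
            name, _, version = key.partition("/")
            if name.lower() != PACKAGE.lower() or not version:
                continue
            if parse_version(version) >= FIXED:
                continue
            parents = sorted(
                parent for parent, info in libs.items()
                if any(dep.lower() == PACKAGE.lower()
                       for dep in info.get("dependencies", {}))
            )
            findings.append((framework, version, parents))
    return findings


# Constructed sample of a restore result; the Linux.Bluetooth version is a placeholder.
SAMPLE_ASSETS = json.loads("""
{"targets": {"net8.0": {
    "Linux.Bluetooth/0.0.0-sample": {"type": "package",
                                     "dependencies": {"Tmds.DBus": "0.20.0"}},
    "Tmds.DBus/0.20.0": {"type": "package"}
}}}
""")

if __name__ == "__main__":
    for framework, version, parents in find_affected(SAMPLE_ASSETS):
        print(f"{framework}: {PACKAGE} {version} < 0.21.3, pulled in by {parents}")
```

To use it on a real project, load the file with `json.load` after `dotnet restore` and fail the build when the returned list is non-empty.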