5.5

CVSS Score

3.1

-

CVSS Score

Basic Information

CVE ID

CVE-2022-30184

GHSA ID

GHSA-3885-8gqc-3wpf

EPSS Score

0.70154%

CWE

CWE-200

Published

6/14/2022

Updated

2/28/2025

KEV Status

Technology

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2022-30184

CVE-2022-30184: Potential leak of NuGet.org API key

Description

Microsoft is releasing this security advisory to provide information about a vulnerability in .NET 6.0 and .NET Core 3.1, NuGet (NuGet.exe, NuGet.Commands, NuGet.CommandLine, NuGet.CommandLine.XPlat version range from 3.5.0 to 6.2.0). This advisory also provides guidance on what developers can do to update their applications to remove this vulnerability.

A vulnerability exists in .NET 6.0, .NET Core 3.1, and NuGet (NuGet.exe, NuGet.Commands, NuGet.CommandLine, NuGet.CommandLine.XPlat version range from 3.5.0 to 6.2.0) where a nuget.org api key could leak due to an incorrect comparison with a server url.

Affected software

NuGet & NuGet Packages

Any NuGet.exe, NuGet.Commands, NuGet.CommandLine, NuGet.CommandLine.XPlat 6.2.0 version or earlier.
Any NuGet.exe, NuGet.Commands, NuGet.CommandLine, NuGet.CommandLine.XPlat 6.0.1 version or earlier.
Any NuGet.exe, NuGet.Commands, NuGet.CommandLine, NuGet.CommandLine.XPlat 5.11.1 version or earlier.
Any NuGet.exe, NuGet.Commands, NuGet.CommandLine, NuGet.CommandLine.XPlat 5.9.1 version or earlier.
Any NuGet.exe, NuGet.Commands, NuGet.CommandLine, NuGet.CommandLine.XPlat 5.7.1 version or earlier.
Any NuGet.exe, NuGet.Commands, NuGet.CommandLine, NuGet.CommandLine.XPlat 4.9.4 version or earlier.

.NET SDK(s)

Any .NET 6.0 application running on .NET 6.0.5 or earlier.
Any .NET 3.1 application running on .NET Core 3.1.25 or earlier.

Patches

If you're using NuGet.exe 6.2.0 or lower, you should download and install 6.2.1 from https://dist.nuget.org/win-x86-commandline/v6.2.1/nuget.exe.
If you're using NuGet.exe 6.0.1 or lower, you should download and install 6.0.2 from https://dist.nuget.org/win-x86-commandline/v6.0.2/nuget.exe.
If you're using NuGet.exe 5.11.1 or lower, you should download and install 5.11.2 from https://dist.nuget.org/win-x86-commandline/v5.11.2/nuget.exe.
If you're using NuGet.exe 5.9.1 or lower, you should download and install 5.9.2 from https://dist.nuget.org/win-x86-commandline/v5.9.2/nuget.exe.
If you're using NuGet.exe 5.7.1 or lower, you should download and install 5.7.2 from https://dist.nuget.org/win-x86-commandline/v4.7.2/nuget.exe.
If you're using NuGet.exe 4.9.4 or lower, you should download and install 4.9.5 from https://dist.nuget.org/win-x86-commandline/v4.9.5/nuget.exe.
If you're using .NET Core 6.0, you should download and install Runtime 6.0.6 or SDK 6.0.106 (for Visual Studio 2022 v17.0) or SDK 6.0.301 (for Visual Studio 2022 v17.2) from https://dotnet.microsoft.com/download/dotnet-core/6.0.
If you're using .NET Core 3.1, you should download and install Runtime 3.1.26 or SDK 3.1.420 (for Visual Studio 2019 v16.9 or Visual Studio 2011 16.11 or Visual Studio 2022 17.0 or Visual Studio 2022 17.1 ) from https://dotnet.microsoft.com/download/dotnet-core/3.1

.NET 6.0 and .NET Core 3.1 updates are also available from Microsoft Update. To access this either type "Check for updates" in your Windows search, or open Settings, choose Update & Security and then click Check for Updates.

Other Details

Announcement for this issue can be found at https://github.com/NuGet/Announcements/issues/62

MSRC details for this can be found at https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-30184

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2022-30184

CVE-2022-30184:

5.5

CVSS Score

3.1

-

CVSS Score

Basic Information

CVE ID

CVE-2022-30184

GHSA ID

GHSA-3885-8gqc-3wpf

EPSS Score

0.70154%

CWE

CWE-200

Published

6/14/2022

Updated

2/28/2025

KEV Status

Technology

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Technical Details

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
NuGet.Commands	nuget	>= 3.5.0, < 4.9.5	4.9.5
NuGet.CommandLine	nuget	>= 3.5.0, < 4.9.5	4.9.5
NuGet.CommandLine.XPlat	nuget	>= 3.5.0, < 4.9.5	4.9.5
NuGet.Commands	nuget	>= 5.0.0, < 5.2.1	5.2.1
NuGet.Commands	nuget	>= 5.3.0, < 5.7.2	5.7.2
NuGet.Commands	nuget	>= 5.8.0, < 5.9.2	5.9.2
NuGet.Commands	nuget	>= 5.10.0, < 5.11.2	5.11.2
NuGet.Commands	nuget	>= 6.0.0, < 6.0.2	6.0.2
NuGet.Commands	nuget	>= 6.1.0, < 6.2.1	6.2.1
NuGet.CommandLine	nuget	>= 5.0.0, < 5.2.1	5.2.1
NuGet.CommandLine	nuget	>= 5.3.0, < 5.7.2	5.7.2
NuGet.CommandLine	nuget	>= 5.8.0, < 5.9.2	5.9.2
NuGet.CommandLine	nuget	>= 5.10.0, < 5.11.2	5.11.2
NuGet.CommandLine	nuget	>= 6.0.0, < 6.0.2	6.0.2
NuGet.CommandLine	nuget	>= 6.1.0, < 6.2.1	6.2.1
NuGet.CommandLine.XPlat	nuget	>= 5.0.0, < 5.2.1	5.2.1
NuGet.CommandLine.XPlat	nuget	>= 5.3.0, < 5.7.2	5.7.2
NuGet.CommandLine.XPlat	nuget	>= 5.8.0, < 5.9.2	5.9.2
NuGet.CommandLine.XPlat	nuget	>= 5.10.0, < 5.11.2	5.11.2
NuGet.CommandLine.XPlat	nuget	>= 6.0.0, < 6.0.2	6.0.2
NuGet.CommandLine.XPlat	nuget	>= 6.1.0, < 6.2.1	6.2.1

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The primary vulnerability stemmed from improper URL comparison in CommandRunnerUtility.GetApiKey, where a substring check instead of proper host validation allowed API keys to leak to non-nuget.org domains. The SetApiKeyCommand's automatic symbol server key association was a secondary vector removed in the patch. Both functions were directly modified in the security fix commit (ec6e62a), with the former being the root cause of CVE-2022-30184 as described in the advisory.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

5.5

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2022-30184: Potential leak of NuGet.org API key

Description

Affected software

NuGet & NuGet Packages

.NET SDK(s)

Patches

Other Details

CVE-2022-30184:

5.5

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

CVE-2022-30184: Potential leak of NuGet.org API key

Description

Affected software

NuGet & NuGet Packages

.NET SDK(s)

Patches

Other Details

Technical Details

5.5

5.5

Basic Information

Basic Information

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI