Securing Your .NET Applications: A Guide to the 10.0.7 Out-of-Band Data Protection Update

<h2 id="overview">Overview</h2>
<p>In early 2025, the .NET team released an out-of-band (OOB) update—version 10.0.7—for the ASP.NET Core Data Protection library. This urgent patch addresses a security vulnerability tracked as CVE-2026-40372, which was discovered after some customers reported decryption errors in production applications. The root cause was a regression introduced in the <code>Microsoft.AspNetCore.DataProtection</code> NuGet package that caused the managed authenticated encryptor to compute its HMAC validation tag over the wrong bytes of a payload and then discard the computed hash entirely, leaving protected payloads without an effective integrity check. This flaw could allow an attacker to elevate privileges under certain conditions.</p>
<p>This guide walks you through everything you need to know about the vulnerability, how to update your projects, and how to avoid common missteps when applying this critical fix.</p>
<h2 id="prerequisites">Prerequisites</h2>
<p>Before you start, make sure you have the following:</p>
<ul>
<li><strong>A .NET 10.0 project</strong> that uses ASP.NET Core Data Protection (e.g., cookie authentication, CSRF tokens, or any encrypted state).</li>
<li><strong>Access to the NuGet package source</strong> (either nuget.org or an internal feed that has version 10.0.7 of <code>Microsoft.AspNetCore.DataProtection</code>).</li>
<li><strong>The .NET SDK</strong> (version 10.0 or later) installed on your development machine or build server.</li>
<li><strong>Administrative or write permissions</strong> to modify your project files and install packages.</li>
</ul>
<h2 id="step-by-step">Step-by-Step Instructions</h2>
<h3>1. Check Your Current Data Protection Version</h3>
<p>First, identify which version of the <code>Microsoft.AspNetCore.DataProtection</code> package your project currently references. You can do this by examining your <code>.csproj</code> file or by using the dotnet CLI (on Linux or macOS, pipe to <code>grep</code> instead of <code>findstr</code>):</p>
<pre><code>dotnet list package --include-transitive | findstr DataProtection</code></pre>
<p>If you see version <code>10.0.0</code> through <code>10.0.6</code>, you are affected. Version <code>10.0.7</code> contains the fix.</p>
<h3>2. Update the Data Protection Package</h3>
<p>The easiest way to apply the update is to modify the package reference in your <code>.csproj</code> file. Open the file and change the <code>PackageReference</code> for <code>Microsoft.AspNetCore.DataProtection</code>:</p>
<pre><code>&lt;PackageReference Include=&quot;Microsoft.AspNetCore.DataProtection&quot; Version=&quot;10.0.7&quot; /&gt;</code></pre>
<p>Alternatively, run the following command in your project directory:</p>
<pre><code>dotnet add package Microsoft.AspNetCore.DataProtection --version 10.0.7</code></pre>
<p>Repeat this for any other packages that depend on Data Protection (such as <code>Microsoft.AspNetCore.DataProtection.Abstractions</code> or <code>Microsoft.AspNetCore.DataProtection.Extensions</code>) so that all of them resolve to the same version.</p>
<h3>3. Update the .NET SDK and Runtime</h3>
<p>While the package update is the critical step, it’s also good practice to install the latest .NET 10.0.7 SDK or Runtime so that your whole environment is patched. Download the installer from the <a href="https://dotnet.microsoft.com/download/dotnet/10.0" rel="nofollow">official download page</a>. After installation, verify the version:</p>
<pre><code>dotnet --info</code></pre>
<p>Under the <code>.NET SDK</code> section, confirm that the reported version is <code>10.0.7</code>. If you see a different version, you may need to restart your terminal or confirm that the installation succeeded.</p>
<h3>4. Rebuild and Redeploy Your Application</h3>
<p>Once the packages and SDK are updated, rebuild your application:</p>
<pre><code>dotnet build --configuration Release</code></pre>
<p>Then redeploy the updated binaries to your staging or production environment. If you use Docker containers, rebuild your images on a base image that includes .NET 10.0.7 (e.g., <code>mcr.microsoft.com/dotnet/aspnet:10.0.7</code>).</p>
<h3>5. Verify the Fix</h3>
<p>After redeployment, run your test suite—especially any tests related to encryption/decryption of cookies or tokens. Without a specific exploit test, you can confirm the fix is active by checking that decryption no longer fails. You should also validate that your application behaves correctly under load. If you experience any new issues, report them in the <a href="https://github.com/dotnet/aspnetcore/issues" rel="nofollow">ASP.NET Core issue tracker</a>.</p>
<h2 id="common-mistakes">Common Mistakes</h2>
<h3>Updating Only One Project in a Multi-Project Solution</h3>
<p>If your solution contains multiple projects that reference Data Protection (e.g., a web app and a class library), you must update all of them. Otherwise, the older version may be pulled in transitively, leaving the vulnerability unpatched. Use <code>dotnet list package --include-transitive</code> in each project to find every affected reference.</p>
<h3>Forgetting to Redeploy After Updating Packages</h3>
<p>Applying the package update locally but failing to rebuild and redeploy means the fix never reaches production. Always follow the build-and-deploy cycle after a security patch.</p>
<h3>Ignoring Transitive Dependencies</h3>
<p>Some packages may depend on an older version of <code>Microsoft.AspNetCore.DataProtection</code>. If you only update the top-level reference, your build could still use an older version if a transitive reference overrides it. Check your lock file (<code>packages.lock.json</code>, if your project generates one) or use <code>dotnet list package --include-transitive</code> to ensure all resolved versions are 10.0.7.</p>
<h3>Overlooking Container Images</h3>
<p>If you use Docker, the base image must also be updated. Simply updating the NuGet package isn’t enough if the runtime inside the container is still 10.0.6. Rebuild your Dockerfile with <code>FROM mcr.microsoft.com/dotnet/aspnet:10.0.7</code> and push the new images.</p>
<h2 id="summary">Summary</h2>
<p>The .NET 10.0.7 out-of-band update is a critical security fix for a vulnerability in ASP.NET Core Data Protection that could lead to privilege escalation. By following the steps above—checking your current version, updating the package, installing the latest SDK, and redeploying—you can protect your applications. The key takeaway: act quickly, update all projects and containers, and verify the change. For further details, consult the official <a href="https://github.com/dotnet/aspnetcore/releases/tag/v10.0.7" rel="nofollow">release notes</a>.</p>
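<p>As an added example (not part of the original guide or of the .NET project's own tooling), the following Python script performs the check described under "Updating Only One Project" and "Ignoring Transitive Dependencies": it parses the output of <code>dotnet list package --include-transitive</code> collected across a solution and reports every project in which any <code>Microsoft.AspNetCore.DataProtection*</code> package, top-level or transitive, still resolves below 10.0.7. The project names and versions in the embedded sample output are constructed.</p>

```python
import re
# Constructed sample of `dotnet list package --include-transitive` output for a
# two-project solution; the project names and versions are illustrative only.
SAMPLE_OUTPUT = """\
Project 'WebApp' has the following package references
   [net10.0]:
   Top-level Package                                   Requested   Resolved
   > Microsoft.AspNetCore.DataProtection               10.0.7      10.0.7

Project 'SharedLib' has the following package references
   [net10.0]:
   Top-level Package                                   Requested   Resolved
   > Microsoft.Extensions.Logging.Abstractions         10.0.3      10.0.3

   Transitive Package                                              Resolved
   > Microsoft.AspNetCore.DataProtection                           10.0.3
   > Microsoft.AspNetCore.DataProtection.Abstractions              10.0.3
"""

AFFECTED_PREFIX = "Microsoft.AspNetCore.DataProtection"
FIXED_VERSION = "10.0.7"
PROJECT_RE = re.compile(r"^Project '(.+?)' has the following package references")

def parse_version(text: str) -> tuple:
    """Map '10.0.6' or '10.0.7-rc.1' to a numerically comparable tuple; a prerelease sorts below its release."""
    core, _, prerelease = text.partition("-")
    return tuple(int(p) for p in core.split(".")) + ((-1,) if prerelease else (0,))

def find_unpatched(listing: str, fixed: str = FIXED_VERSION) -> dict:
    """Return {project: [(package, resolved_version), ...]} for every Data Protection
    package, top-level or transitive, whose resolved version is below `fixed`."""
    unpatched: dict = {}
    project = None
    for line in listing.splitlines():
        match = PROJECT_RE.match(line)
        if match:
            project = match.group(1)
            continue
        fields = line.split()
        # Package rows look like "> Package.Id [Requested] Resolved"; the resolved
        # version is the last column for both top-level and transitive rows.
        if project is None or len(fields) < 3 or fields[0] != ">":
            continue
        package, resolved = fields[1], fields[-1]
        if package.startswith(AFFECTED_PREFIX) and parse_version(resolved) < parse_version(fixed):
            unpatched.setdefault(project, []).append((package, resolved))
    return unpatched

print(find_unpatched(SAMPLE_OUTPUT))
```

To audit a real solution, run the dotnet command in each project directory, concatenate the output, and pass it to <code>find_unpatched</code>; an empty result means every Data Protection package already resolves to 10.0.7 or later.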