Securing Your .NET Applications: A Guide to the 10.0.7 Out-of-Band Data Protection Update

Published: 2026-05-03 19:42:10 | Category: Cybersecurity

Overview

In early 2025, the .NET team released an out-of-band (OOB) update—version 10.0.7—for the ASP.NET Core Data Protection library. This urgent patch addresses a security vulnerability tied to CVE-2026-40372, which was discovered after some customers reported decryption errors in production applications. The root cause was a regression introduced in the Microsoft.AspNetCore.DataProtection NuGet package that caused the managed authenticated encryptor to compute its HMAC validation tag over the wrong bytes of a payload and then discard the computed hash entirely. This flaw could allow an attacker to elevate privileges under certain conditions.

Securing Your .NET Applications: A Guide to the 10.0.7 Out-of-Band Data Protection Update
Source: devblogs.microsoft.com

This guide walks you through everything you need to know about the vulnerability, how to update your projects, and how to avoid common missteps when applying this critical fix.

Prerequisites

Before you start, make sure you have the following:

  • A .NET 10.0 project that uses ASP.NET Core Data Protection (e.g., cookie authentication, CSRF tokens, or any encrypted state).
  • Access to the NuGet package source (either nuget.org or an internal feed that has version 10.0.7 of Microsoft.AspNetCore.DataProtection).
  • The .NET SDK (version 10.0 or later) installed on your development machine or build server.
  • Administrative or write permissions to modify your project files and install packages.

Step-by-Step Instructions

1. Check Your Current Data Protection Version

First, identify which version of the Microsoft.AspNetCore.DataProtection package your project currently references. You can do this by examining your .csproj file or using the dotnet CLI:

dotnet list package --include-transitive | findstr DataProtection

(On Linux or macOS, pipe the output to grep instead of findstr.)

If you see version 10.0.0 through 10.0.6, you are affected. Version 10.0.7 contains the fix.

2. Update the Data Protection Package

The easiest way to apply the update is to modify the package reference in your .csproj file. Open the file and change the PackageReference for Microsoft.AspNetCore.DataProtection:

<PackageReference Include="Microsoft.AspNetCore.DataProtection" Version="10.0.7" />

Alternatively, use the following command in your project directory:

dotnet add package Microsoft.AspNetCore.DataProtection --version 10.0.7

Repeat this for any other packages that depend on Data Protection (like Microsoft.AspNetCore.DataProtection.Abstractions or Microsoft.AspNetCore.DataProtection.Extensions) to keep them consistent.

3. Update the .NET SDK and Runtime

While the package update is the critical step, it’s also good practice to install the latest .NET 10.0.7 SDK or Runtime to ensure your whole environment is patched. Download the installer from the official download page. After installation, verify the version:

dotnet --info

Look for the line that says .NET SDK: 10.0.7. If you see a different version, you may need to restart your terminal or confirm the installation succeeded.

4. Rebuild and Redeploy Your Application

Once the packages and SDK are updated, rebuild your application:

dotnet build --configuration Release

Then, redeploy the updated binaries to your staging or production environment. If you use Docker containers, rebuild your images using a base image that includes .NET 10.0.7 (e.g., mcr.microsoft.com/dotnet/aspnet:10.0.7).


5. Verify the Fix

After redeployment, run your test suite—especially any tests related to encryption/decryption of cookies or tokens. Without a specific exploit test, you can confirm the fix is active by checking that decryption no longer fails. You should also validate that your application behaves correctly under load. If you experience any new issues, report them in the ASP.NET Core issue tracker.
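A more direct check than "decryption no longer fails" is a test that the authentication tag is actually enforced. The xUnit test below is an added example, not code from the post or from the ASP.NET Core project: it protects a payload, flips one bit in the middle of the protected bytes, and requires Unprotect to throw. It assumes the Microsoft.AspNetCore.DataProtection.Extensions and xunit packages are referenced, and the temporary key directory name is a constructed placeholder.

```csharp
using System;
using System.IO;
using System.Security.Cryptography;
using Microsoft.AspNetCore.DataProtection;
using Xunit;

public class DataProtectionTagEnforcementTests
{
    // Isolated provider so the test never touches the application's real key ring.
    // The directory name is a constructed placeholder.
    private static IDataProtector CreateProtector()
    {
        var keyDir = new DirectoryInfo(Path.Combine(Path.GetTempPath(), "dp-tag-test-keys"));
        IDataProtectionProvider provider = DataProtectionProvider.Create(keyDir);
        return provider.CreateProtector("DataProtectionTagEnforcementTests.v1");
    }

    // Constructed sample plaintext, long enough to span many cipher blocks.
    private static byte[] SamplePlaintext() => new byte[1024];

    [Fact]
    public void RoundTrip_ReturnsOriginalPlaintext()
    {
        IDataProtector protector = CreateProtector();
        byte[] plaintext = SamplePlaintext();
        byte[] protectedBytes = protector.Protect(plaintext);
        Assert.Equal(plaintext, protector.Unprotect(protectedBytes));
    }

    [Fact]
    public void TamperedPayload_IsRejected()
    {
        IDataProtector protector = CreateProtector();
        byte[] protectedBytes = protector.Protect(SamplePlaintext());

        // Flip one bit near the middle of the payload: past the header and key id, and
        // well away from the trailing padding block and the authentication tag. A build that
        // discards its HMAC tag (the regression described above) would return garbled
        // plaintext here; a build that enforces the tag must throw.
        byte[] tampered = (byte[])protectedBytes.Clone();
        tampered[tampered.Length / 2] ^= 0x01;

        Assert.Throws<CryptographicException>(() => protector.Unprotect(tampered));
    }
}
```

Run the test against both the old and the 10.0.7 package reference if you want evidence of the change; TamperedPayload_IsRejected is the one that should go from red to green.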

Common Mistakes

Updating Only One Project in a Multi-Project Solution

If your solution contains multiple projects that reference Data Protection (e.g., a web app and a class library), you must update all of them. Otherwise, the older version may be pulled in transitively, leaving the vulnerability unpatched. Use dotnet list package --include-transitive to find all affected projects.

Forgetting to Redeploy After Updating Packages

Applying the package update locally but failing to rebuild and redeploy means the fix never reaches production. Always follow the build-and-deploy cycle after a security patch.

Ignoring Transitive Dependencies

Some packages may depend on an older version of Microsoft.AspNetCore.DataProtection. If you only update the top-level reference, your build could still use an older version if a transitive reference overrides it. Check your lock file (packages.lock.json) or use dotnet list package --include-transitive to ensure all resolved versions are 10.0.7.
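Step 1 and the two mistakes above (one project left behind, a transitive reference overriding the top-level one) share one check: every resolved Data Protection version in every project must be 10.0.7. The program below is an added example, not code from the post or the .NET project. It walks every packages.lock.json beneath a solution directory and reports any Microsoft.AspNetCore.DataProtection* package resolved below 10.0.7, with its Direct/Transitive type, so the output can be read alongside dotnet list package. It assumes lock files are generated (RestorePackagesWithLockFile is enabled); the root path is a placeholder taken from the command line.

```csharp
// Build as a console app (top-level statements) and run: dotnet run -- <solution-root>
using System;
using System.IO;
using System.Text.Json;

string root = args.Length > 0 ? args[0] : ".";   // placeholder: solution directory
var fixedVersion = new Version(10, 0, 7);
int findings = 0;

foreach (string lockFile in Directory.EnumerateFiles(root, "packages.lock.json", SearchOption.AllDirectories))
{
    using JsonDocument doc = JsonDocument.Parse(File.ReadAllText(lockFile));
    if (!doc.RootElement.TryGetProperty("dependencies", out JsonElement frameworks)) continue;

    // Lock files group resolved packages per target framework, e.g. "net10.0".
    foreach (JsonProperty tfm in frameworks.EnumerateObject())
    {
        foreach (JsonProperty pkg in tfm.Value.EnumerateObject())
        {
            // Flag the whole package family, as the post advises keeping them consistent.
            if (!pkg.Name.StartsWith("Microsoft.AspNetCore.DataProtection", StringComparison.OrdinalIgnoreCase)) continue;
            if (!pkg.Value.TryGetProperty("resolved", out JsonElement resolvedEl)) continue;

            string resolved = resolvedEl.GetString() ?? "";
            // Drop any prerelease suffix so System.Version can parse "10.0.3-preview.1".
            if (!Version.TryParse(resolved.Split('-')[0], out Version? v)) continue;

            if (v < fixedVersion)
            {
                string kind = pkg.Value.TryGetProperty("type", out JsonElement t) ? (t.GetString() ?? "?") : "?";
                Console.WriteLine($"NEEDS UPDATE  {lockFile} [{tfm.Name}] {pkg.Name} {resolved} ({kind})");
                findings++;
            }
        }
    }
}

Console.WriteLine(findings == 0
    ? "All resolved Data Protection packages are 10.0.7 or later."
    : $"{findings} reference(s) below 10.0.7; update them and run dotnet restore again.");
return findings == 0 ? 0 : 1;   // non-zero exit so a CI job fails on stale references
```

Projects that consume Data Protection only through the Microsoft.AspNetCore.App shared framework have no package entry to find here; for those, the runtime and container updates in steps 3 and 4 are what carry the fix.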

Overlooking Container Images

If you use Docker, the base image must also be updated. Simply updating the NuGet package isn’t enough if the runtime inside the container is still 10.0.6. Rebuild your Dockerfile with FROM mcr.microsoft.com/dotnet/aspnet:10.0.7 and push the new images.

Summary

The .NET 10.0.7 out-of-band update is a critical security fix for a vulnerability in ASP.NET Core Data Protection that could lead to privilege escalation. By following the steps above—checking your current version, updating the package, installing the latest SDK, and redeploying—you can protect your applications. The key takeaway: act quickly, update all projects and containers, and verify the change. For further details, consult the official release notes.