Summary
Directory.Packages.props currently carries a temporary security override that pins the native
SQLitePCLRaw.lib.e_sqlite3 package to 3.50.3. This issue tracks the upstream fixes so we can
remove the override once Microsoft.Data.Sqlite / Microsoft.EntityFrameworkCore.Sqlite ship a
release that pulls a non-vulnerable native SQLite bundle on their own.
Background
Microsoft.Data.Sqlite and Microsoft.EntityFrameworkCore.Sqlite 10.0.9 transitively resolve:
    Microsoft.Data.Sqlite (10.0.9) ─┐
                                    ├─► SQLitePCLRaw.bundle_e_sqlite3 (2.1.11)
    Microsoft.EntityFrameworkCore.  │      └─► SQLitePCLRaw.lib.e_sqlite3 (2.1.11)  ← SQLite < 3.50.2
    Sqlite (10.0.9) ────────────────┘
SQLitePCLRaw.lib.e_sqlite3 <= 2.1.11 bundles a SQLite build affected by
CVE-2025-6965 (High). There is no 2.1.x patch —
the fix is a major bump to SQLitePCLRaw 3.x, which Microsoft.Data.Sqlite 10.0.9 does not reference.
Current override (what to remove later)
In Directory.Packages.props:
<CentralPackageTransitivePinningEnabled>true</CentralPackageTransitivePinningEnabled>
<PackageVersion Include="SQLitePCLRaw.lib.e_sqlite3" Version="3.50.3" />
This bumps only the native binary to SQLite 3.50.3 (the lib.e_sqlite3 3.50.3 package has no
managed dependencies), keeping the SQLitePCLRaw 2.x managed core that Microsoft.Data.Sqlite 10.0.9 was
built against. It clears CVE-2025-6965 without moving to the SQLitePCLRaw 3.x core.
Upstream tracking
| Repo | Item | State | Notes |
| --- | --- | --- | --- |
| ericsink/SQLitePCL.raw | #636 | Closed | Fixed in SQLitePCLRaw 3.0; native lib version decoupled. |
| dotnet/efcore | #38257 — SQLite vulnerabilities | Open | Live tracking issue (Microsoft.Data.Sqlite lives in efcore). |
| dotnet/efcore | PR #38402 | Merged | Switches Sqlite packages to a non-vulnerable bundle. Milestone 11.0-preview6. |
ETA: the official fix ships in Microsoft.Data.Sqlite / EF Core 11.0-preview6. No confirmed
10.x / 8.x servicing backport yet.
Done when
- Microsoft.Data.Sqlite + Microsoft.EntityFrameworkCore.Sqlite upgraded to a release that transitively resolves a non-vulnerable native SQLite (>= 3.50.2) on its own.
- SQLitePCLRaw.lib.e_sqlite3 PackageVersion pin removed from Directory.Packages.props.
- CentralPackageTransitivePinningEnabled removed if nothing else relies on it.
- `dotnet nuget why <project> SQLitePCLRaw.lib.e_sqlite3` re-verified to show a non-vulnerable version, and the NuGet vulnerability warning is gone.
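The re-verification step above can be automated against the restore output rather than read by eye. The following script is an added example, not part of this issue or of any of the projects it references: it reads a project's `obj/project.assets.json` (the file NuGet restore writes, whose `targets` section keys every resolved package as `Name/Version`) and decides whether the resolved `SQLitePCLRaw.lib.e_sqlite3` is cleared under the rule stated in this issue (3.x package versions track the bundled SQLite and must be >= 3.50.2; any 2.1.x build bundles a vulnerable SQLite and has no patch). The two embedded sample documents are constructed to mimic restore output before and after the override; the file path, framework name and `check_assets` helper are assumptions for illustration.

```python
"""Check which SQLitePCLRaw.lib.e_sqlite3 version NuGet actually resolved for a project.

Reads obj/project.assets.json and applies the clearance rule from the issue text
(assumption: that rule is the only thing we check here):
  - lib.e_sqlite3 3.x package versions carry the bundled SQLite version, so >= 3.50.2 is cleared;
  - any 2.x build (<= 2.1.11) bundles a vulnerable SQLite and there is no 2.1.x patch.
"""
import json
import sys

PACKAGE = "SQLitePCLRaw.lib.e_sqlite3"
MIN_SAFE_SQLITE = (3, 50, 2)  # per the issue: non-vulnerable native SQLite is >= 3.50.2


def parse_version(text):
    """Turn '3.50.3' (or '3.50.3-pre1') into a comparable integer tuple; the prerelease tag is dropped."""
    core = text.split("-", 1)[0]
    return tuple(int(part) for part in core.split("."))


def resolved_versions(assets):
    """Return {target_framework: version} for PACKAGE from a parsed project.assets.json document.

    NuGet keys each resolved package under targets[<tfm>] as 'Name/Version' with "type": "package";
    RID-specific targets (e.g. 'net10.0/win-x64') appear as separate keys and are reported separately.
    """
    found = {}
    for tfm, libs in assets.get("targets", {}).items():
        for key, meta in libs.items():
            name, _, version = key.partition("/")
            if name.lower() == PACKAGE.lower() and meta.get("type") == "package":
                found[tfm] = version
    return found


def is_cleared(version):
    """True only for a 3.x package whose version is at or above the minimum safe SQLite version."""
    parsed = parse_version(version)
    if parsed[0] < 3:
        return False  # 2.x line: vulnerable native build, no patched 2.1.x exists
    return parsed >= MIN_SAFE_SQLITE


def check_assets(assets):
    """Return [(tfm, version, cleared), ...] sorted by target; empty if the package is not resolved at all."""
    return [(tfm, ver, is_cleared(ver)) for tfm, ver in sorted(resolved_versions(assets).items())]


# Constructed sample: restore output shape before the override (transitive 2.1.11 native lib).
SAMPLE_BEFORE = {
    "version": 3,
    "targets": {
        "net10.0": {
            "Microsoft.Data.Sqlite/10.0.9": {"type": "package"},
            "SQLitePCLRaw.bundle_e_sqlite3/2.1.11": {"type": "package"},
            "SQLitePCLRaw.lib.e_sqlite3/2.1.11": {"type": "package"},
        }
    },
}

# Constructed sample: the same project after the transitive pin to lib.e_sqlite3 3.50.3.
SAMPLE_AFTER = {
    "version": 3,
    "targets": {
        "net10.0": {
            "Microsoft.Data.Sqlite/10.0.9": {"type": "package"},
            "SQLitePCLRaw.bundle_e_sqlite3/2.1.11": {"type": "package"},
            "SQLitePCLRaw.lib.e_sqlite3/3.50.3": {"type": "package"},
        }
    },
}


def main(argv):
    """Usage: python check_sqlite_native.py [path/to/obj/project.assets.json]; exits 1 if anything is not cleared."""
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8") as fh:
            assets = json.load(fh)
    else:
        assets = SAMPLE_AFTER  # no path given: run against the constructed sample
    rows = check_assets(assets)
    if not rows:
        print(f"{PACKAGE} is not resolved for any target (nothing to check)")
        return 0
    for tfm, ver, ok in rows:
        print(f"{tfm}: {PACKAGE} {ver} -> {'cleared' if ok else 'NOT cleared'}")
    return 0 if all(ok for _, _, ok in rows) else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it after `dotnet restore` with the project's `obj/project.assets.json` as the argument; once the pin is removed, a non-zero exit means the upgraded Microsoft.Data.Sqlite / EF Core release is still pulling a vulnerable native lib and the override has to stay.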