Azure / azure-functions-vs-build-sdk

MSBuild task for Azure Functions
MIT License

Microsoft.NET.Sdk.Functions includes known vulnerability CVE-2021-26701: ".NET Core Remote Code Execution Vulnerability" #639

Open SamHard opened 1 month ago

SamHard commented 1 month ago

According to Mend's SCA tool, the latest version of package Microsoft.NET.Sdk.Functions (4.4.0) includes a security vulnerability known as CVE-2021-26701, which is linked to upstream dependency System.Text.Encodings.Web 4.5.0. The issue was resolved in versions 4.5.1, 4.7.2, and 5.0.1.

The complete dependency tree is as follows:

microsoft.net.sdk.functions.4.4.0.nupkg
↓
microsoft.azure.webjobs.extensions.http.3.2.0.nupkg
↓
microsoft.aspnetcore.routing.2.2.2.nupkg
↓
microsoft.aspnetcore.routing.abstractions.2.2.0.nupkg
↓
microsoft.aspnetcore.http.abstractions.2.2.0.nupkg
↓
system.text.encodings.web.4.5.0.nupkg

Package Microsoft.Azure.WebJobs.Extensions.Http is still active, but it depends on the deprecated package Microsoft.AspNetCore.Routing.
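
A triage sketch for the chain reported above, added here as an example (it is not part of the issue or of the project's code): it walks the `targets` section of a NuGet `project.assets.json` from a root package and returns every path that ends in an affected System.Text.Encodings.Web version. The sample data, the framework name and the lower bounds of the affected ranges are assumptions; the fixed versions are the ones quoted in the issue.

```python
import json

# Fixed versions (4.5.1, 4.7.2, 5.0.1) are from the issue text; the lower bound of
# each affected range is an assumption: one range per release line that got a fix.
AFFECTED = [((4, 0, 0), (4, 5, 1)), ((4, 6, 0), (4, 7, 2)), ((5, 0, 0), (5, 0, 1))]
TARGET = "system.text.encodings.web"

# Constructed sample shaped like the "targets" section of obj/project.assets.json,
# filled with the chain from the issue. The framework name is a placeholder.
SAMPLE_ASSETS = json.loads("""
{"targets": {"constructed-tfm": {
  "Microsoft.NET.Sdk.Functions/4.4.0": {"dependencies": {"Microsoft.Azure.WebJobs.Extensions.Http": "3.2.0"}},
  "Microsoft.Azure.WebJobs.Extensions.Http/3.2.0": {"dependencies": {"Microsoft.AspNetCore.Routing": "2.2.2"}},
  "Microsoft.AspNetCore.Routing/2.2.2": {"dependencies": {"Microsoft.AspNetCore.Routing.Abstractions": "2.2.0"}},
  "Microsoft.AspNetCore.Routing.Abstractions/2.2.0": {"dependencies": {"Microsoft.AspNetCore.Http.Abstractions": "2.2.0"}},
  "Microsoft.AspNetCore.Http.Abstractions/2.2.0": {"dependencies": {"System.Text.Encodings.Web": "4.5.0"}},
  "System.Text.Encodings.Web/4.5.0": {}
}}}
""")

def parse_version(text):
    """Turn '4.5.0' into (4, 5, 0); prerelease and build suffixes are ignored."""
    core = text.split("-")[0].split("+")[0]
    parts = [int(p) for p in core.split(".")[:3]]
    return tuple(parts + [0] * (3 - len(parts)))

def is_affected(version):
    """True when the version falls inside one of the AFFECTED half-open ranges."""
    v = parse_version(version)
    return any(low <= v < fixed for low, fixed in AFFECTED)

def find_chains(assets, root):
    """Return (framework, chain) for each path from root to an affected TARGET."""
    hits = []
    for tfm, libs in assets["targets"].items():
        resolved = {key.split("/")[0].lower(): key for key in libs}
        def walk(name, chain):
            key = resolved.get(name.lower())
            if key is None or key in chain:   # unresolved package or cycle
                return
            chain = chain + [key]
            if name.lower() == TARGET:
                if is_affected(key.split("/")[1]):
                    hits.append((tfm, chain))
                return
            for dep in libs[key].get("dependencies", {}):
                walk(dep, chain)
        walk(root, [])
    return hits
```

On a real project, pass the parsed contents of `obj/project.assets.json` in place of `SAMPLE_ASSETS`; an empty result after adding a direct reference to a fixed System.Text.Encodings.Web version confirms the restore no longer resolves an affected one.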