
ABP 9.2.3 - Transitive MessagePack NuGet package is vulnerable #23490

@jucchytil

Is there an existing issue for this?

  • I have searched the existing issues

Description

Blazor Server Side 9.2.3 has a transitive NuGet package reference to vulnerable MessagePack 2.2.85.

GHSA-4qm4-8hg2-g2xm
MessagePack allows untrusted data to lead to DoS attack due to hash collisions and stack overflow
CVE-2024-48924

Volo.Abp.Studio.Client.AspNetCore (1.1.2) -> Volo.Abp.Studio.Client (1.1.2) -> MagicOnion.Client (5.1.8) -> MagicOnion.Shared (5.1.8) -> MagicOnion.Abstractions (5.1.8) -> MessagePack (2.2.85)

The latest version of MessagePack is 3.1.4.

Can the template be updated to reference the most recent version of MessagePack?

Reproduction Steps

See description above

Expected behavior

See description above

Actual behavior

See description above

Regression?

See description above

Known Workarounds

See description above

Version

9.2.3 (9.3 as well)

User Interface

Blazor Server

Database Provider

EF Core (Default)

Tiered or separate authentication server

None (Default)

Operation System

Windows (Default)

Other information

See description above
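The chain in the report shows the usual shape of this problem: the vulnerable package is five hops away from anything the template references directly. The script below is an added example, not code from the issue author or from the ABP project. It parses a chain in the "Name (version) -> Name (version)" form used above, compares each node's NuGet version against a caller-supplied minimum version, reports which hop introduces the offending package, and prints the direct PackageReference that would override the transitive resolution (NuGet resolves a direct reference in the consuming project ahead of the transitive one). The target version 3.1.4 is the latest release named in the report, used here as the minimum; it is not a claim about the exact range the advisory fixes. The prerelease ordering is a simplification of SemVer 2 (labels compared as plain strings).

```python
"""Flag vulnerable packages in a NuGet transitive dependency chain.

Added example for the ABP issue above; not part of the ABP project.
Assumes the chain text format from the report:
    "Name (version) -> Name (version) -> ..."
"""
import re
from typing import Dict, List, Optional, Tuple

# Chain copied from the report (typo in the first package name corrected).
CHAIN = (
    "Volo.Abp.Studio.Client.AspNetCore (1.1.2) -> Volo.Abp.Studio.Client (1.1.2) "
    "-> MagicOnion.Client (5.1.8) -> MagicOnion.Shared (5.1.8) "
    "-> MagicOnion.Abstractions (5.1.8) -> MessagePack (2.2.85)"
)

# Minimum acceptable version per package id (lower-cased; NuGet ids are
# case-insensitive). 3.1.4 is the latest version named in the report.
MIN_VERSIONS: Dict[str, str] = {"messagepack": "3.1.4"}

NODE_RE = re.compile(r"^\s*([A-Za-z0-9_.\-]+)\s*\(([^)]+)\)\s*$")


def parse_chain(chain: str) -> List[Tuple[str, str]]:
    """Split 'A (1.0) -> B (2.0)' into [('A', '1.0'), ('B', '2.0')]."""
    nodes = []
    for hop in chain.split("->"):
        m = NODE_RE.match(hop)
        if not m:
            raise ValueError(f"unrecognised hop: {hop!r}")
        nodes.append((m.group(1), m.group(2)))
    return nodes


def parse_version(v: str) -> Tuple[Tuple[int, ...], int, str]:
    """Sort key for a NuGet version string.

    Build metadata after '+' is ignored. The numeric core is padded to four
    parts (NuGet treats 1.2 and 1.2.0.0 as equal). A release sorts after a
    prerelease of the same core, so the key carries a 1 for release, 0 for
    prerelease, then the prerelease label (simplified: plain string compare).
    """
    v = v.split("+", 1)[0]
    core, _, pre = v.partition("-")
    nums = tuple(int(p) for p in core.split("."))
    nums += (0,) * (4 - len(nums))
    return (nums, 1 if pre == "" else 0, pre)


def is_below(version: str, minimum: str) -> bool:
    return parse_version(version) < parse_version(minimum)


def find_vulnerable(chain: str, min_versions: Dict[str, str]) -> List[dict]:
    """Return one finding per node whose version is below its minimum."""
    nodes = parse_chain(chain)
    findings = []
    for depth, (name, ver) in enumerate(nodes):
        minimum = min_versions.get(name.lower())
        if minimum and is_below(ver, minimum):
            introduced_by: Optional[str] = nodes[depth - 1][0] if depth else None
            findings.append({
                "package": name,
                "version": ver,
                "minimum": minimum,
                "depth": depth,
                "introduced_by": introduced_by,
            })
    return findings


def override_reference(finding: dict) -> str:
    """csproj line that pins the package directly, overriding the transitive pick."""
    return (f'<PackageReference Include="{finding["package"]}" '
            f'Version="{finding["minimum"]}" />')


if __name__ == "__main__":
    for f in find_vulnerable(CHAIN, MIN_VERSIONS):
        print(f"{f['package']} {f['version']} < {f['minimum']} "
              f"(depth {f['depth']}, pulled in by {f['introduced_by']})")
        print("  override with:", override_reference(f))
```

In a real project the chain would come from `dotnet list package --vulnerable --include-transitive`, which queries the NuGet advisory feed rather than a hand-maintained minimum-version table; the override line is the interim workaround until the upstream package (MagicOnion here) is updated, and it should be removed once the transitive graph no longer needs it.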
