How severe is GHSA-8fh9-c4jq-94h4?

GHSA-8fh9-c4jq-94h4 has a CVSS score of 7.5/10, rated HIGH. Immediate patching is strongly recommended.

Which packages are affected by GHSA-8fh9-c4jq-94h4?

GHSA-8fh9-c4jq-94h4 affects the following packages: idunno.AtProto (NuGet), idunno.AtProto.OAuthCallback (NuGet), idunno.Bluesky (NuGet). Ecosystems affected: NuGet.

How do I fix GHSA-8fh9-c4jq-94h4?

Update idunno.AtProto to 1.7.0 or later, then make sure no transitive (indirect) dependency still pins the vulnerable range — O3 confirms GHSA-8fh9-c4jq-94h4 is resolved across your whole dependency graph.

How do I detect GHSA-8fh9-c4jq-94h4 in my NuGet dependencies?

Scan your dependency tree (package-lock.json, pnpm-lock.yaml, requirements.txt, go.sum, etc.) for idunno.AtProto. O3's reachability analysis confirms whether the vulnerable code path is actually invoked in your application, so you act on real exposure instead of every transitive match.

How do I mitigate GHSA-8fh9-c4jq-94h4 if there is no patch (or I can't update yet)?

If you can't upgrade right away: gate or disable the affected feature, validate untrusted input at the boundary, and avoid passing attacker-controlled data into the vulnerable path. O3's runtime protection blocks exploitation in production as an interim safeguard until the upgrade lands.

How does O3 Security protect against GHSA-8fh9-c4jq-94h4?

O3 pinpoints whether GHSA-8fh9-c4jq-94h4 is reachable in your code and exactly where to fix it, then blocks exploitation in production at runtime until the patched version is deployed.

Is GHSA-8fh9-c4jq-94h4 actively exploited in the wild?

No public exploit code has been indexed for GHSA-8fh9-c4jq-94h4 yet. This does not mean the vulnerability cannot be exploited — absence of public exploits does not imply safety. Apply the recommended fix and use O3 Security to monitor your exposure.

When was GHSA-8fh9-c4jq-94h4 published, and has it been updated?

GHSA-8fh9-c4jq-94h4 was published on March 13, 2026 and was last updated on March 13, 2026. Advisory data evolves as severity scores, affected ranges, and exploit intelligence are revised — always check the latest version of the advisory before acting.

.NET NuGet

GHSA-8fh9-c4jq-94h4

HIGH

idunno.Bluesky, idunno.AtProto and idunno.AtProto.OAuthCallback Denial of Service Vulnerability

Published

Mar 13, 2026

Updated

Mar 13, 2026

Affected

3 pkgs

Patched

3 / 3

Exploits

None indexed

Blast Radius

3 pkgs affected

.NETidunno.AtProto.NETidunno.AtProto.OAuthCallback.NETidunno.Bluesky

Real-time download stats are indexed for npm and PyPI packages. This vulnerability affects NuGet packages — download data is not available via public APIs for these ecosystems.

Description

idunno.Bluesky, idunno.AtProto and idunno.AtProto.OAuthCallback Denial of Service Vulnerability

Impact

The Microsoft.Bcl.Memory package, a transitive dependency of idunno.AtProto and idunno.AtProto.OAuthCallback had a Denial of Service security vulnerability, CVE-2026-26127

Patches

v1.7.0 updates the dependencies on Duende.IdentityModel.OidcClient and Duende.IdentityModel.OidcClient.Extensions which, in turn, updates their dependency on Microsoft.Bcl.Memory to 10.0.4, resolving the vulnerability.

Workarounds

No workarounds exist for this vulnerability.

How to fix the issue

To update your dependencies on idunno.Bluesky, idunno.AtProto and idunno.AtProto.OAuthCallback,

Using the .NET CLI (Command Line Interface):

Open a terminal or command prompt in your project's directory.
To update a specific package to its latest version, use the following add package command:
- If you are using idunno.Bluesky dotnet package update idunno.Bluesky
- If you are using idunno.AtProto as a direct dependency dotnet package update idunno.AtProto
- If you are using idunno.AtProto.OAuthCallback as a direct dependency dotnet package update idunno.AtProto.OAuthCallback

Using the NuGet Package Manager Console in Visual Studio:

Open your project in Visual Studio.
Navigate to "Tools > NuGet Package Manager > Package Manager Console".
To update a specific package to its latest version, use the following Update-Package command:
- If you are using idunno.Bluesky Update-Package -Id idunno.Bluesky
- If you are using idunno.AtProto as a direct dependency Update-Package -Id idunno.AtProto
- If you are using idunno.AtProto.OAuthCallback as a direct dependency Update-Package -Id idunno.AtProto.OAuthCallback

NuGet Package Manager UI in Visual Studio:

Open your project in Visual Studio.
Right-click on your project in Solution Explorer and select "Manage NuGet Packages..." or navigate to "Project > Manage NuGet Packages".
In the NuGet Package Manager window, select the "Updates" tab. This tab lists packages with available updates from your configured package sources.
Select the package(s) you wish to update. You can choose a specific version from the dropdown or update to the latest available version.
Click the "Update" button.

References

Affected Packages

3 total 3 fixed

Ecosystem	Package	Vulnerable range	Fix
.NETNuGet	`idunno.AtProto`	all versions	1.7.0
.NETNuGet	`idunno.AtProto.OAuthCallback`	all versions	1.7.0
.NETNuGet	`idunno.Bluesky`	all versions	1.7.0

Detection & mitigation playbook

Open-source dependency

Detect
Scan your dependency tree (package-lock.json, pnpm-lock.yaml, requirements.txt, go.sum, etc.) for idunno.AtProto. O3's reachability analysis confirms whether the vulnerable code path is actually invoked in your application, so you act on real exposure instead of every transitive match.
Fix
Update idunno.AtProto to 1.7.0 or later, then make sure no transitive (indirect) dependency still pins the vulnerable range — O3 confirms GHSA-8fh9-c4jq-94h4 is resolved across your whole dependency graph.
Workarounds
If you can't upgrade right away: gate or disable the affected feature, validate untrusted input at the boundary, and avoid passing attacker-controlled data into the vulnerable path. O3's runtime protection blocks exploitation in production as an interim safeguard until the upgrade lands.
How O3 protects you
O3 pinpoints whether GHSA-8fh9-c4jq-94h4 is reachable in your code and exactly where to fix it, then blocks exploitation in production at runtime until the patched version is deployed.

Tailored to GHSA-8fh9-c4jq-94h4. Runtime protection reduces exposure until a permanent patch is applied and verified — it complements patching, it doesn't replace it.

Frequently Asked Questions

# idunno.Bluesky, idunno.AtProto and idunno.AtProto.OAuthCallback Denial of Service Vulnerability ## Impact The `Microsoft.Bcl.Memory` package, a transitive dependency of `idunno.AtProto` and `idunno.AtProto.OAuthCallback` had a Denial of Service security vulnerability, [CVE-2026-26127](https://github.com/dotnet/announcements/issues/384) ## Patches v1.7.0 updates the dependencies on `Duende.IdentityModel.OidcClient` and `Duende.IdentityModel.OidcClient.Extensions` which, in turn, updates their dependency on `Microsoft.Bcl.Memory` to 10.0.4, resolving the vulnerability. ## Workarounds No

O3 Security · Impact-Aware SCA

Is GHSA-8fh9-c4jq-94h4 in your dependencies?

O3 detects GHSA-8fh9-c4jq-94h4 across NuGet dependencies and uses function-level reachability to confirm whether the vulnerable code path is actually reachable — not just present. No false positives.

Scan my dependencies How O3 SCA works

GHSA-8fh9-c4jq-94h4

Blast Radius

Description

idunno.Bluesky, idunno.AtProto and idunno.AtProto.OAuthCallback Denial of Service Vulnerability

Impact

Patches

Workarounds

How to fix the issue

Using the .NET CLI (Command Line Interface):

Using the NuGet Package Manager Console in Visual Studio:

NuGet Package Manager UI in Visual Studio:

References

Affected Packages

Detection & mitigation playbook

Detect

Fix

Workarounds

How O3 protects you

Frequently Asked Questions

Is GHSA-8fh9-c4jq-94h4 in your dependencies?