Hi,
We are using Telerik.Reporting 20.1.26.615 on .NET 10, and our NuGet audit (NU1903) flags a high-severity vulnerability coming from a transitive dependency:
- Package: SQLitePCLRaw.lib.e_sqlite3
- Referenced version: 2.1.11
- Vulnerability: CVE-2025-6965 / GHSA-2m69-gcr7-jv3q (memory corruption due to bundled SQLite version < 3.50.2)
This package is pulled in transitively through Telerik.Reporting's own SQLitePCLRaw bundle reference, and as far as we can tell there is currently no published version of SQLitePCLRaw.lib.e_sqlite3 that fixes this CVE.
Could you please clarify:
1. Does Telerik.Reporting actually require SQLite/SQLitePCLRaw at runtime? If it's optional, is there a supported way to remove this dependency entirely from the package graph?
2. Is there a planned update to bump the SQLitePCLRaw reference once a patched version (>= 3.50.2 SQLite core) becomes available?
3. More generally, is there a roadmap to replace or abstract away the SQLite dependency to avoid this kind of recurring transitive vulnerability issue in future releases?
Any guidance would be greatly appreciated.
Thanks in advance.