[Solved] Telerik.Reporting 20.1.26.615 transitively references vulnerable/deprecated SQLitePCLRaw.lib.e_sqlite3 2.1.11 (CVE-2025-6965) - any plan to update or remove this dependency?

Tags: Programming Security
Gianni asked on 30 Jun 2026, 12:07 PM
Hi,

We are using Telerik.Reporting 20.1.26.615 on .NET 10, and our NuGet audit (NU1903) flags a high-severity vulnerability coming from a transitive dependency:

- Package: SQLitePCLRaw.lib.e_sqlite3
- Referenced version: 2.1.11
- Vulnerability: CVE-2025-6965 / GHSA-2m69-gcr7-jv3q (memory corruption due to bundled SQLite version < 3.50.2)

This package is pulled in transitively through Telerik.Reporting's own SQLitePCLRaw bundle reference, and as far as we can tell there is currently no published version of SQLitePCLRaw.lib.e_sqlite3 that fixes this CVE.

Could you please clarify:

1. Does Telerik.Reporting actually require SQLite/SQLitePCLRaw at runtime? If it's optional, is there a supported way to remove this dependency entirely from the package graph?
2. Is there a planned update to bump the SQLitePCLRaw reference once a patched version (>= 3.50.2 SQLite core) becomes available?
3. More generally, is there a roadmap to replace or abstract away the SQLite dependency to avoid this kind of recurring transitive vulnerability issue in future releases?

Any guidance would be greatly appreciated.

Thanks in advance.

1 Answer, 1 is accepted
Lance | Senior Manager Technical Support
Telerik team
answered on 30 Jun 2026, 12:21 PM

Hello Gianni,

Thank you for reaching out to us. I can confirm that we are aware of the issue related to the deprecated SQLitePCLRaw.lib.e_sqlite3 dependency and are currently working on addressing it. Please take a moment to read this KB:

The issue with SQLitePCLRaw.lib.e_sqlite3 is that it relies on SQLite version 3.49.1, which has known vulnerabilities. According to the package description, SourceGear.sqlite3 is listed as a possible replacement. In our initial tests, adding a reference to SourceGear.sqlite3 replaced the vulnerable SQLite version by bringing in a newer SQLite version, and we did not observe any visible side effects. Still, it is possible this may not work for all scenarios.

A couple of important things to note:

  • We have not identified an exploitable vector related to this dependency in the context of Telerik Reporting
  • We are planning to address the underlying dependency as part of the Q2 service pack release (scheduled for this week).

So that we can keep everyone informed in a single location, can you please follow this June 22 forum thread, as it is where we will be posting further updates.

In the meantime, thank you for your patience and understanding.

Regards,
Lance | Senior Manager Technical Support
Progress Telerik
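The answer above describes a workaround (adding a direct SourceGear.sqlite3 reference so a newer native SQLite replaces the 3.49.1 build bundled with SQLitePCLRaw.lib.e_sqlite3) and notes it may not work in every scenario. The following is an added example, not Telerik's code and not from either post in this thread, of how a practitioner can verify at startup which SQLite library the process actually loaded rather than trusting the package graph alone. It assumes the project still initialises the provider through SQLitePCLRaw's `Batteries_V2.Init()` after the extra reference is added, and the package version to pin in the csproj comment is left as a placeholder because this thread does not state one.

```csharp
// Added example (not Telerik's code, not from the thread): verify at startup
// that the native SQLite loaded by SQLitePCLRaw is at least 3.50.2, the
// version in which CVE-2025-6965 is fixed. Intended for use after the
// workaround described in the answer, i.e. a direct package reference such as
//
//   <ItemGroup>
//     <PackageReference Include="Telerik.Reporting" Version="20.1.26.615" />
//     <!-- assumed workaround: direct reference bringing in a newer native SQLite -->
//     <PackageReference Include="SourceGear.sqlite3" Version="VERSION_TO_PIN" />
//   </ItemGroup>
//
// Assumptions of this example: VERSION_TO_PIN is whatever version you choose,
// and Batteries_V2.Init() still selects the replaced native library.
using System;
using SQLitePCL;

public static class SqliteVersionCheck
{
    // SQLite encodes X.Y.Z as X*1000000 + Y*1000 + Z, so 3.50.2 -> 3050002.
    public const int MinimumVersionNumber = 3_050_002;

    public static (string Version, int Number, bool Patched) Check()
    {
        // Initialise the provider from the bundle package Telerik.Reporting pulls in.
        Batteries_V2.Init();

        // Ask the loaded native library, not NuGet metadata, what version it is.
        string version = raw.sqlite3_libversion().utf8_to_string();
        int number = raw.sqlite3_libversion_number();

        return (version, number, number >= MinimumVersionNumber);
    }

    public static int Main()
    {
        var (version, number, patched) = Check();
        Console.WriteLine(
            $"SQLite {version} ({number}) loaded; >= 3.50.2 (CVE-2025-6965 fixed): {patched}");

        // Fail fast so CI catches a case where the native library was not replaced
        // (for example, a runtime identifier the override does not cover).
        return patched ? 0 : 1;
    }
}
```

Run this once per target runtime identifier you publish for, since the native asset that wins can differ per RID. It complements, and does not replace, the NuGet audit: `dotnet list package --vulnerable --include-transitive` reports what the package graph references, while the check above reports what was actually loaded into the process.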

