{"uuid": "8e836a07-4fc0-46f7-9e7c-77996d3f2b49", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2025-6965", "type": "seen", "source": "https://gist.github.com/ViveliDuCh/4b5349eb47a314e28ccf4c7cb11b0292", "content": "# Step 3 - Document the SQLite3MC breaking change (EF Core 10)\n\nMirrors [dotnet/EntityFramework.Docs#5385](https://github.com/dotnet/EntityFramework.Docs/pull/5385), applied to the **EF Core 10.0** breaking-changes doc on the `preview.6` branch instead of the 11.0 doc.\n\n**Target file:** `entity-framework/core/what-is-new/ef-core-10.0/breaking-changes.md`\n\n## How this differs from PR #5385\n\nPR #5385 targets the EF Core **11.0** doc, which already contains the SQLitePCLRaw-3.0 \"bundles removed\" / \"encryption removed\" sections. The 10.0 doc has a **dedicated `## Microsoft.Data.Sqlite breaking changes` section** (with its own Summary + High-impact subsections) and none of those 11.0-only sections. 
So this backport:\n\n- Adds the entry under a new `### Low-impact changes` subsection **inside the Microsoft.Data.Sqlite section** (not the top-level Low-impact section).\n- Adds the summary row to the **Microsoft.Data.Sqlite Summary table**.\n- Drops PR #5385's cross-links to `#sqlite-encryption-removed` / `#sqlite-bundles-removed` (they don't exist on 10.0) and instead names the delayed SQLite CVEs directly.\n- Uses `10.0.0` package versions instead of `11.0.0`.\n- Omits PR #5385's 11.0-only edits (encryption-mitigation-list reorder, `bundle_e_sqlite3mc` -> `SQLite3MC.PCLRaw.bundle` migration note, and the relative-link/doc-validation fixes), none of which have a counterpart on 10.0.\n\n## Code diff\n\n````diff\ndiff --git a/entity-framework/core/what-is-new/ef-core-10.0/breaking-changes.md b/entity-framework/core/what-is-new/ef-core-10.0/breaking-changes.md\nindex 7bd3139c43..0f35dffb0b 100644\n--- a/entity-framework/core/what-is-new/ef-core-10.0/breaking-changes.md\n+++ b/entity-framework/core/what-is-new/ef-core-10.0/breaking-changes.md\n@@ -2,7 +2,7 @@\n title: Breaking changes in EF Core 10 (EF10) - EF Core\n description: List of breaking changes introduced in Entity Framework Core 10 (EF10)\n author: roji\n-ms.date: 10/09/2025\n+ms.date: 06/26/2026\n uid: core/what-is-new/ef-core-10.0/breaking-changes\n ---\n \n@@ -470,6 +470,7 @@ The `logCommandText` parameter contains the SQL to be logged (with inlined const\n | [Using GetDateTimeOffset without an offset now assumes UTC](#DateTimeOffset-read)                         | High       |\n | [Writing DateTimeOffset into REAL column now writes in UTC](#DateTimeOffset-write)                        | High       |\n | [Using GetDateTime with an offset now returns value in UTC](#DateTime-read)                               | High       |\n+| [Microsoft.Data.Sqlite now bundles SQLite3 Multiple Ciphers](#sqlite3mc)                                  | Low        |\n \n ### High-impact changes\n \n@@ -556,3 +557,58 @@ 
As a last/temporary resort, you can revert to previous behavior by setting `Micr\n ```C#\n AppContext.SetSwitch(\"Microsoft.Data.Sqlite.Pre10TimeZoneHandling\", isEnabled: true);\n ```\n+\n+### Low-impact changes\n+\n+\n+\n+#### Microsoft.Data.Sqlite now bundles SQLite3 Multiple Ciphers\n+\n+[Tracking PR dotnet/efcore#38402](https://github.com/dotnet/efcore/pull/38402)\n+\n+##### Old behavior\n+\n+The `Microsoft.Data.Sqlite` package referenced `SQLitePCLRaw.bundle_e_sqlite3`, which provides the standard `e_sqlite3` native SQLite build. This build has no encryption support, so setting a password (for example, via `SqliteConnectionStringBuilder.Password` or the `Password` connection-string keyword) failed at runtime.\n+\n+##### New behavior\n+\n+Starting with `Microsoft.Data.Sqlite` 10.0, the package references `SQLite3MC.PCLRaw.bundle`, which provides the `e_sqlite3mc` native build ([SQLite3 Multiple Ciphers](https://github.com/utelle/SQLite3MultipleCiphers)). This build receives updates on NuGet.org more promptly than `SQLitePCLRaw.bundle_e_sqlite3`.\n+\n+As an added bonus, encryption (including setting a password) now works out of the box. See the [SQLite3 Multiple Ciphers documentation](https://github.com/utelle/SQLite3MultipleCiphers-NuGet#passphrase-based-database-encryption-support) for details on enabling passphrase-based database encryption.\n+\n+This change also applies to the EF Core SQLite provider (`Microsoft.EntityFrameworkCore.Sqlite`), which references `SQLite3MC.PCLRaw.bundle` through `Microsoft.Data.Sqlite`.\n+\n+##### Why\n+\n+The primary reason for the switch is maintenance and security: new versions of the `e_sqlite3` native build are no longer published to NuGet.org through `SQLitePCLRaw.bundle_e_sqlite3` in a timely manner, which means security fixes in upstream SQLite can be delayed (for example, CVE-2025-6965 and CVE-2025-70873). 
SQLite3 Multiple Ciphers is an actively maintained project that tracks upstream SQLite releases and ships updated builds promptly, so it was adopted as the default native build for `Microsoft.Data.Sqlite`. As an added bonus, it also supports encryption.\n+\n+##### Mitigations\n+\n+For most applications, **no action is required**. SQLite3 Multiple Ciphers is a superset of SQLite that behaves identically to the standard build for unencrypted databases\u2014it only applies encryption when you explicitly supply a key or password. Existing unencrypted databases continue to open and work unchanged.\n+\n+Review the following cases, which may require action in some applications:\n+\n+- **Direct `SQLitePCLRaw.bundle_e_sqlite3` reference.** If your application directly references `SQLitePCLRaw.bundle_e_sqlite3`, it conflicts with the new `SQLite3MC.PCLRaw.bundle` dependency brought in by `Microsoft.Data.Sqlite` (or `Microsoft.EntityFrameworkCore.Sqlite`). Remove the direct `SQLitePCLRaw.bundle_e_sqlite3` reference unless you intentionally switch to the `.Core` packages shown below.\n+\n+- **Native library and provider name change.** The bundled native library is now `e_sqlite3mc` (rather than `e_sqlite3`), and the provider initialized by the bundle is `SQLite3Provider_e_sqlite3mc`. This matters if your application:\n+  - References a specific native asset filename (for example, `e_sqlite3`) in publishing, trimming, AOT, or single-file configuration. Update those references to `e_sqlite3mc`.\n+\n+- **Platform (RID) coverage.** SQLite3 Multiple Ciphers doesn't currently include native binaries for every runtime identifier covered by `SourceGear.sqlite3`; for example, `linux-riscv64`, `linux-musl-riscv64`, and `linux-musl-s390x` aren't included. If you target a platform that the new bundle doesn't include, the native library may fail to load at runtime. 
In that case, revert to the standard build using the package references below.\n+\n+- **Reserved encryption keywords.** SQLite3 Multiple Ciphers reserves certain connection-string/URI parameters and PRAGMAs (such as `key`, `hexkey`, and `cipher`) for encryption configuration. This is unlikely to affect typical applications, but if you happened to use these names for unrelated purposes, behavior may differ.\n+\n+- **Double-quoted string literal support.** `e_sqlite3mc` doesn't include SQLite's legacy support for double-quoted string literals. If your SQL uses double quotes for string values, change it to use single quotes; double quotes should be used only for identifiers. Review raw SQL in your application (for example, SQL passed to `FromSql`, `ExecuteSql`, or migrations operations), and use SQL logging or integration tests to identify affected commands.\n+\n+If you want to keep using the standard, non-encrypted `e_sqlite3` build, reference `Microsoft.Data.Sqlite.Core` together with `SQLitePCLRaw.bundle_e_sqlite3` instead of the `Microsoft.Data.Sqlite` meta-package:\n+\n+```xml\n+\n+\n+```\n+\n+For EF Core, reference `Microsoft.EntityFrameworkCore.Sqlite.Core` instead of `Microsoft.EntityFrameworkCore.Sqlite` and add the standard bundle:\n+\n+```xml\n+\n+\n+```\n````\n\n## Draft pull request\n\n### Title\n\n```\nDocument Microsoft.Data.Sqlite SQLite3MC breaking change (EF Core 10)\n```\n\n### Description\n\nDocuments the EF Core 10 `Microsoft.Data.Sqlite` switch from `SQLitePCLRaw.bundle_e_sqlite3` to `SQLite3MC.PCLRaw.bundle` (backport of [dotnet/efcore#38402](https://github.com/dotnet/efcore/pull/38402), with prerequisite [dotnet/efcore#36551](https://github.com/dotnet/efcore/pull/36551)), including the security-update rationale and user-visible compatibility risks. 
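Review bot: In the new Mitigations subsection of the third hunk, both `xml` code fences at the end are empty, so the fallback guidance the prose points to ('the package references below', 'the `.Core` packages shown below') ships with no package references at all; add the `Microsoft.Data.Sqlite.Core` + `SQLitePCLRaw.bundle_e_sqlite3` items and the `Microsoft.EntityFrameworkCore.Sqlite.Core` + `SQLitePCLRaw.bundle_e_sqlite3` items with the `10.0.0` versions the PR description says it uses. Two smaller points in the same hunk: the two stray blank lines after `### Low-impact changes` should be removed, and the 'Native library and provider name change' bullet ends with 'This matters if your application:' followed by a single sub-bullet, which reads better folded into one sentence; 'migrations operations' in the double-quoted-literal bullet should be 'migration operations'.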
Mirrors [dotnet/EntityFramework.Docs#5385](https://github.com/dotnet/EntityFramework.Docs/pull/5385), which documented the same change for EF Core 11.\n\n- **Breaking change entry**\n  - Adds a low-impact Microsoft.Data.Sqlite breaking change for the new `e_sqlite3mc` native bundle, placed under the dedicated `## Microsoft.Data.Sqlite breaking changes` section of the EF Core 10 doc.\n  - Adds the corresponding row to the Microsoft.Data.Sqlite Summary table.\n  - Clarifies that `Microsoft.EntityFrameworkCore.Sqlite` also references `SQLite3MC.PCLRaw.bundle` through `Microsoft.Data.Sqlite`.\n- **User guidance**\n  - Links to SQLite3MC passphrase-based encryption documentation.\n  - Documents cases that may require action: direct `SQLitePCLRaw.bundle_e_sqlite3` references that conflict with the new dependency, native asset name changes (`e_sqlite3` -> `e_sqlite3mc`), specific RID coverage gaps, reserved encryption keywords, and missing legacy double-quoted string literal support.\n  - Names the delayed upstream SQLite CVEs (CVE-2025-6965, CVE-2025-70873) as the security rationale.\n  - Provides fallback guidance for apps that need the standard `e_sqlite3` build:\n\n    ```xml\n    \n    \n    ```\n\n  - Provides EF Core fallback guidance using `Microsoft.EntityFrameworkCore.Sqlite.Core`:\n\n    ```xml\n    \n    \n    ```\n", "creation_timestamp": "2026-06-26T21:43:25.948580Z"}