{"vulnerability": "cve-2025-7087", "sightings": [{"uuid": "6a43fc5f-96d1-424d-a869-7ea08a111744", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2025-7087", "type": "seen", "source": "https://bsky.app/profile/cve.skyfleet.blue/post/3ltd2pwjydh2r", "content": "", "creation_timestamp": "2025-07-06T19:59:55.881675Z"}, {"uuid": "5724a3ca-2cb0-4a97-ac9b-94694a4d3db6", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2025-70873", "type": "seen", "source": "https://gist.github.com/cnwangjihe/f496393f30f5ecec5b18c8f5ab072054", "content": "", "creation_timestamp": "2026-02-20T02:57:12.000000Z"}, {"uuid": "a095bb94-48a6-41d1-b618-d7a759505350", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2025-70872", "type": "seen", "source": "https://gist.github.com/cnwangjihe/7bb28e7c721cbe552155acb66e02d3c5", "content": "", "creation_timestamp": "2026-03-11T16:42:38.000000Z"}, {"uuid": "537017e3-e046-40e1-a746-d8238511b690", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "86ecb4e1-bb32-44d5-9f39-8a4673af8385", "vulnerability": "CVE-2025-70873", "type": "seen", "source": "https://www.govcert.gov.hk/en/alerts_detail.php?id=1923", "content": "", "creation_timestamp": "2026-06-16T21:00:00.000000Z"}, {"uuid": "bde7c3a7-5618-4d70-93d1-efbb407abbc6", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "86ecb4e1-bb32-44d5-9f39-8a4673af8385", "vulnerability": "CVE-2025-70873", "type": "seen", "source": "https://www.acn.gov.it/portale/w/critical-patch-update-di-oracle-8", "content": "", "creation_timestamp": "2026-06-17T05:31:59.000000Z"}, {"uuid": "026fdd65-3602-4bd0-ba54-b3f735a857bc", "vulnerability_lookup_origin": 
"1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2025-70873", "type": "seen", "source": "https://gist.github.com/ViveliDuCh/4b5349eb47a314e28ccf4c7cb11b0292", "content": "# Step 3 - Document the SQLite3MC breaking change (EF Core 10)\n\nMirrors [dotnet/EntityFramework.Docs#5385](https://github.com/dotnet/EntityFramework.Docs/pull/5385), applied to the **EF Core 10.0** breaking-changes doc on the `preview.6` branch instead of the 11.0 doc.\n\n**Target file:** `entity-framework/core/what-is-new/ef-core-10.0/breaking-changes.md`\n\n## How this differs from PR #5385\n\nPR #5385 targets the EF Core **11.0** doc, which already contains the SQLitePCLRaw-3.0 \"bundles removed\" / \"encryption removed\" sections. The 10.0 doc has a **dedicated `## Microsoft.Data.Sqlite breaking changes` section** (with its own Summary + High-impact subsections) and none of those 11.0-only sections. So this backport:\n\n- Adds the entry under a new `### Low-impact changes` subsection **inside the Microsoft.Data.Sqlite section** (not the top-level Low-impact section).\n- Adds the summary row to the **Microsoft.Data.Sqlite Summary table**.\n- Drops PR #5385's cross-links to `#sqlite-encryption-removed` / `#sqlite-bundles-removed` (they don't exist on 10.0) and instead names the delayed SQLite CVEs directly.\n- Uses `10.0.0` package versions instead of `11.0.0`.\n- Omits PR #5385's 11.0-only edits (encryption-mitigation-list reorder, `bundle_e_sqlite3mc` -> `SQLite3MC.PCLRaw.bundle` migration note, and the relative-link/doc-validation fixes), none of which have a counterpart on 10.0.\n\n## Code diff\n\n````diff\ndiff --git a/entity-framework/core/what-is-new/ef-core-10.0/breaking-changes.md b/entity-framework/core/what-is-new/ef-core-10.0/breaking-changes.md\nindex 7bd3139c43..0f35dffb0b 100644\n--- a/entity-framework/core/what-is-new/ef-core-10.0/breaking-changes.md\n+++ 
b/entity-framework/core/what-is-new/ef-core-10.0/breaking-changes.md\n@@ -2,7 +2,7 @@\n title: Breaking changes in EF Core 10 (EF10) - EF Core\n description: List of breaking changes introduced in Entity Framework Core 10 (EF10)\n author: roji\n-ms.date: 10/09/2025\n+ms.date: 06/26/2026\n uid: core/what-is-new/ef-core-10.0/breaking-changes\n ---\n \n@@ -470,6 +470,7 @@ The `logCommandText` parameter contains the SQL to be logged (with inlined const\n | [Using GetDateTimeOffset without an offset now assumes UTC](#DateTimeOffset-read)                         | High       |\n | [Writing DateTimeOffset into REAL column now writes in UTC](#DateTimeOffset-write)                        | High       |\n | [Using GetDateTime with an offset now returns value in UTC](#DateTime-read)                               | High       |\n+| [Microsoft.Data.Sqlite now bundles SQLite3 Multiple Ciphers](#sqlite3mc)                                  | Low        |\n \n ### High-impact changes\n \n@@ -556,3 +557,58 @@ As a last/temporary resort, you can revert to previous behavior by setting `Micr\n ```C#\n AppContext.SetSwitch(\"Microsoft.Data.Sqlite.Pre10TimeZoneHandling\", isEnabled: true);\n ```\n+\n+### Low-impact changes\n+\n+\n+\n+#### Microsoft.Data.Sqlite now bundles SQLite3 Multiple Ciphers\n+\n+[Tracking PR dotnet/efcore#38402](https://github.com/dotnet/efcore/pull/38402)\n+\n+##### Old behavior\n+\n+The `Microsoft.Data.Sqlite` package referenced `SQLitePCLRaw.bundle_e_sqlite3`, which provides the standard `e_sqlite3` native SQLite build. This build has no encryption support, so setting a password (for example, via `SqliteConnectionStringBuilder.Password` or the `Password` connection-string keyword) failed at runtime.\n+\n+##### New behavior\n+\n+Starting with `Microsoft.Data.Sqlite` 10.0, the package references `SQLite3MC.PCLRaw.bundle`, which provides the `e_sqlite3mc` native build ([SQLite3 Multiple Ciphers](https://github.com/utelle/SQLite3MultipleCiphers)). 
This build receives updates on NuGet.org more promptly than `SQLitePCLRaw.bundle_e_sqlite3`.\n+\n+As an added bonus, encryption (including setting a password) now works out of the box. See the [SQLite3 Multiple Ciphers documentation](https://github.com/utelle/SQLite3MultipleCiphers-NuGet#passphrase-based-database-encryption-support) for details on enabling passphrase-based database encryption.\n+\n+This change also applies to the EF Core SQLite provider (`Microsoft.EntityFrameworkCore.Sqlite`), which references `SQLite3MC.PCLRaw.bundle` through `Microsoft.Data.Sqlite`.\n+\n+##### Why\n+\n+The primary reason for the switch is maintenance and security: new versions of the `e_sqlite3` native build are no longer published to NuGet.org through `SQLitePCLRaw.bundle_e_sqlite3` in a timely manner, which means security fixes in upstream SQLite can be delayed (for example, CVE-2025-6965 and CVE-2025-70873). SQLite3 Multiple Ciphers is an actively maintained project that tracks upstream SQLite releases and ships updated builds promptly, so it was adopted as the default native build for `Microsoft.Data.Sqlite`. As an added bonus, it also supports encryption.\n+\n+##### Mitigations\n+\n+For most applications, **no action is required**. SQLite3 Multiple Ciphers is a superset of SQLite that behaves identically to the standard build for unencrypted databases\u2014it only applies encryption when you explicitly supply a key or password. Existing unencrypted databases continue to open and work unchanged.\n+\n+Review the following cases, which may require action in some applications:\n+\n+- **Direct `SQLitePCLRaw.bundle_e_sqlite3` reference.** If your application directly references `SQLitePCLRaw.bundle_e_sqlite3`, it conflicts with the new `SQLite3MC.PCLRaw.bundle` dependency brought in by `Microsoft.Data.Sqlite` (or `Microsoft.EntityFrameworkCore.Sqlite`). 
Remove the direct `SQLitePCLRaw.bundle_e_sqlite3` reference unless you intentionally switch to the `.Core` packages shown below.\n+\n+- **Native library and provider name change.** The bundled native library is now `e_sqlite3mc` (rather than `e_sqlite3`), and the provider initialized by the bundle is `SQLite3Provider_e_sqlite3mc`. This matters if your application:\n+  - References a specific native asset filename (for example, `e_sqlite3`) in publishing, trimming, AOT, or single-file configuration. Update those references to `e_sqlite3mc`.\n+\n+- **Platform (RID) coverage.** SQLite3 Multiple Ciphers doesn't currently include native binaries for every runtime identifier covered by `SourceGear.sqlite3`; for example, `linux-riscv64`, `linux-musl-riscv64`, and `linux-musl-s390x` aren't included. If you target a platform that the new bundle doesn't include, the native library may fail to load at runtime. In that case, revert to the standard build using the package references below.\n+\n+- **Reserved encryption keywords.** SQLite3 Multiple Ciphers reserves certain connection-string/URI parameters and PRAGMAs (such as `key`, `hexkey`, and `cipher`) for encryption configuration. This is unlikely to affect typical applications, but if you happened to use these names for unrelated purposes, behavior may differ.\n+\n+- **Double-quoted string literal support.** `e_sqlite3mc` doesn't include SQLite's legacy support for double-quoted string literals. If your SQL uses double quotes for string values, change it to use single quotes; double quotes should be used only for identifiers. 
Review raw SQL in your application (for example, SQL passed to `FromSql`, `ExecuteSql`, or migrations operations), and use SQL logging or integration tests to identify affected commands.\n+\n+If you want to keep using the standard, non-encrypted `e_sqlite3` build, reference `Microsoft.Data.Sqlite.Core` together with `SQLitePCLRaw.bundle_e_sqlite3` instead of the `Microsoft.Data.Sqlite` meta-package:\n+\n+```xml\n+\n+\n+```\n+\n+For EF Core, reference `Microsoft.EntityFrameworkCore.Sqlite.Core` instead of `Microsoft.EntityFrameworkCore.Sqlite` and add the standard bundle:\n+\n+```xml\n+\n+\n+```\n````\n\n## Draft pull request\n\n### Title\n\n```\nDocument Microsoft.Data.Sqlite SQLite3MC breaking change (EF Core 10)\n```\n\n### Description\n\nDocuments the EF Core 10 `Microsoft.Data.Sqlite` switch from `SQLitePCLRaw.bundle_e_sqlite3` to `SQLite3MC.PCLRaw.bundle` (backport of [dotnet/efcore#38402](https://github.com/dotnet/efcore/pull/38402), with prerequisite [dotnet/efcore#36551](https://github.com/dotnet/efcore/pull/36551)), including the security-update rationale and user-visible compatibility risks. 
Mirrors [dotnet/EntityFramework.Docs#5385](https://github.com/dotnet/EntityFramework.Docs/pull/5385), which documented the same change for EF Core 11.\n\n- **Breaking change entry**\n  - Adds a low-impact Microsoft.Data.Sqlite breaking change for the new `e_sqlite3mc` native bundle, placed under the dedicated `## Microsoft.Data.Sqlite breaking changes` section of the EF Core 10 doc.\n  - Adds the corresponding row to the Microsoft.Data.Sqlite Summary table.\n  - Clarifies that `Microsoft.EntityFrameworkCore.Sqlite` also references `SQLite3MC.PCLRaw.bundle` through `Microsoft.Data.Sqlite`.\n- **User guidance**\n  - Links to SQLite3MC passphrase-based encryption documentation.\n  - Documents cases that may require action: direct `SQLitePCLRaw.bundle_e_sqlite3` references that conflict with the new dependency, native asset name changes (`e_sqlite3` -> `e_sqlite3mc`), specific RID coverage gaps, reserved encryption keywords, and missing legacy double-quoted string literal support.\n  - Names the delayed upstream SQLite CVEs (CVE-2025-6965, CVE-2025-70873) as the security rationale.\n  - Provides fallback guidance for apps that need the standard `e_sqlite3` build:\n\n    ```xml\n    \n    \n    ```\n\n  - Provides EF Core fallback guidance using `Microsoft.EntityFrameworkCore.Sqlite.Core`:\n\n    ```xml\n    \n    \n    ```\n", "creation_timestamp": "2026-06-26T21:43:25.990675Z"}, {"uuid": "aa4a678c-c4a0-4304-adcf-ee87e205ba5b", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2025-70873", "type": "seen", "source": "https://gist.github.com/ViveliDuCh/d3f7732e80ef2881f1817d6ff2a6b95f", "content": "# Step 3 (docs) \u2014 full code diff + draft docs PR for the SQLite3MC backport (8.0)\n\nCompanion to the [SQLite3MC 8.0 backport gist](https://gist.github.com/ViveliDuCh/624ca9db650db5005896a19a013f48f4). 
That gist describes **Step 3 (docs)** in prose; this one provides the actual, apply-ready unified diff plus a ready-to-paste **draft docs PR title and description**.\n\n- **Repo:** `dotnet/EntityFramework.Docs`\n- **File:** `entity-framework/core/what-is-new/ef-core-8.0/breaking-changes.md`\n- **Mirrors:** [dotnet/EntityFramework.Docs#5385](https://github.com/dotnet/EntityFramework.Docs/pull/5385) (the EF Core 11 page), adapted \"where applicable\" for the 8.0 servicing backport of [dotnet/efcore#38402](https://github.com/dotnet/efcore/pull/38402) (part of [dotnet/efcore#38257](https://github.com/dotnet/efcore/issues/38257)).\n\n## What mirrors #5385 vs. what's adapted for 8.0\n\n| Aspect in #5385 (11.0 page) | 8.0 page |\n| --- | --- |\n| New **Low-impact** entry *\"Microsoft.Data.Sqlite now bundles SQLite3 Multiple Ciphers\"* | \u2705 Mirrored \u2014 heading levels adapted to the 8.0 page's `##` / `###` / `####` convention |\n| Row added to a per-section *Low-impact changes* table | \u2705 Mirrored into the 8.0 page's single top-of-page **Summary** table |\n| Edits to *\"Encryption-enabled SQLite packages have been removed\"* | \u274c Skipped \u2014 section doesn't exist on 8.0 (no SQLitePCLRaw 3.x removal happened on 8.0) |\n| Edits to *\"Some SQLitePCLRaw bundle packages have been removed\"* (incl. 
the `bundle_e_sqlite3mc` \u2192 `SQLite3MC.PCLRaw.bundle` snippet) | \u274c Skipped \u2014 section doesn't exist on 8.0 |\n| Absolute \u2192 relative Learn link fix in the Cosmos entry | \u274c Skipped \u2014 that entry/line isn't on the 8.0 page |\n| Opt-out bundle version `3.x.x` | \ud83d\udd01 `2.1.6` (the version 8.0 shipped with) |\n| Package `Version=\"11.0.0\"` | \ud83d\udd01 `Version=\"8.0.x\"` |\n| *\"Why\"* references the removed `bundle_e_sqlcipher` section | \ud83d\udd01 Reworded \u2014 `bundle_e_sqlcipher` was **not** removed on 8.0; CVE rationale kept |\n| `ms.date` bump | \u2705 Mirrored (bumped to the edit date) |\n\n> The new entry is **Low-impact** because, for unencrypted databases, `e_sqlite3mc` behaves identically to `e_sqlite3`; the change is a native-bundle swap with documented, narrow edge cases and an opt-out.\n\n## Step 3 \u2014 full code diff\n\nApply against the 8.0 breaking-changes page (`git apply`, or just read it):\n\n````diff\ndiff --git a/entity-framework/core/what-is-new/ef-core-8.0/breaking-changes.md b/entity-framework/core/what-is-new/ef-core-8.0/breaking-changes.md\nindex d10766d..246a012 100644\n--- a/entity-framework/core/what-is-new/ef-core-8.0/breaking-changes.md\n+++ b/entity-framework/core/what-is-new/ef-core-8.0/breaking-changes.md\n@@ -2,7 +2,7 @@\n title: Breaking changes in EF Core 8.0 (EF8) - EF Core\n description: Complete list of breaking changes introduced in Entity Framework Core 8.0 (EF8)\n author: SamMonoRT\n-ms.date: 10/04/2024\n+ms.date: 06/26/2026\n uid: core/what-is-new/ef-core-8.0/breaking-changes\n ---\n \n@@ -37,6 +37,7 @@ EF Core 8 targets .NET 8. 
Applications targeting older .NET, .NET Core, and .NET\n | [SQL Server key values are compared case-insensitively](#casekeys)                                            | Low        |\n | [Multiple AddDbContext calls are applied in different order](#AddDbContext)                                   | Low        |\n | [EntityTypeAttributeConventionBase replaced with TypeAttributeConventionBase](#attributeConventionBase)       | Low        |\n+| [Microsoft.Data.Sqlite now bundles SQLite3 Multiple Ciphers](#sqlite3mc)                                      | Low        |\n \n ## High-impact changes\n \n@@ -688,3 +689,56 @@ In EF Core 8.0 `EntityTypeAttributeConventionBase` was renamed to `TypeAttribute\n \n Replace `EntityTypeAttributeConventionBase` usages with `TypeAttributeConventionBase`.\n \n+\n+\n+### Microsoft.Data.Sqlite now bundles SQLite3 Multiple Ciphers\n+\n+[Tracking PR dotnet/efcore#38402](https://github.com/dotnet/efcore/pull/38402)\n+\n+#### Old behavior\n+\n+The `Microsoft.Data.Sqlite` package referenced `SQLitePCLRaw.bundle_e_sqlite3` (version 2.1.6 on the 8.0 release branch), which provides the standard `e_sqlite3` native SQLite build. This build has no encryption support, so setting a password (for example, via `SqliteConnectionStringBuilder.Password` or the `Password` connection-string keyword) failed at runtime.\n+\n+#### New behavior\n+\n+Beginning with the 8.0.x servicing release that includes this change, the `Microsoft.Data.Sqlite` package references `SQLite3MC.PCLRaw.bundle`, which provides the `e_sqlite3mc` native build ([SQLite3 Multiple Ciphers](https://github.com/utelle/SQLite3MultipleCiphers)). This build receives updates on NuGet.org more promptly than `SQLitePCLRaw.bundle_e_sqlite3`.\n+\n+As an added bonus, encryption (including setting a password) now works out of the box. 
See the [SQLite3 Multiple Ciphers documentation](https://github.com/utelle/SQLite3MultipleCiphers-NuGet#passphrase-based-database-encryption-support) for details on enabling passphrase-based database encryption.\n+\n+This change also applies to the EF Core SQLite provider (`Microsoft.EntityFrameworkCore.Sqlite`), which references `SQLite3MC.PCLRaw.bundle` through `Microsoft.Data.Sqlite`.\n+\n+#### Why\n+\n+The primary reason for the switch is maintenance and security: new versions of the `e_sqlite3` native build are no longer published to NuGet.org through `SQLitePCLRaw.bundle_e_sqlite3` in a timely manner, which means security fixes in upstream SQLite (such as CVE-2025-6965 and CVE-2025-70873) can be delayed. SQLite3 Multiple Ciphers is an actively maintained project that tracks upstream SQLite releases and ships updated builds promptly, so it was adopted as the default native build for `Microsoft.Data.Sqlite`. As an added bonus, it also supports encryption.\n+\n+#### Mitigations\n+\n+For most applications, **no action is required**. SQLite3 Multiple Ciphers is a superset of SQLite that behaves identically to the standard build for unencrypted databases\u2014it only applies encryption when you explicitly supply a key or password. Existing unencrypted databases continue to open and work unchanged.\n+\n+Review the following cases, which may require action in some applications:\n+\n+- **Direct `SQLitePCLRaw.bundle_e_sqlite3` reference.** If your application directly references `SQLitePCLRaw.bundle_e_sqlite3`, it conflicts with the new `SQLite3MC.PCLRaw.bundle` dependency brought in by `Microsoft.Data.Sqlite` (or `Microsoft.EntityFrameworkCore.Sqlite`). 
Remove the direct `SQLitePCLRaw.bundle_e_sqlite3` reference unless you intentionally switch to the `.Core` packages shown below.\n+\n+- **Native library and provider name change.** The bundled native library is now `e_sqlite3mc` (rather than `e_sqlite3`), and the provider initialized by the bundle is `SQLite3Provider_e_sqlite3mc`. This matters if your application:\n+  - References a specific native asset filename (for example, `e_sqlite3`) in publishing, trimming, AOT, or single-file configuration. Update those references to `e_sqlite3mc`.\n+\n+- **Platform (RID) coverage.** SQLite3 Multiple Ciphers doesn't currently include native binaries for every runtime identifier covered by `SourceGear.sqlite3`; for example, `linux-riscv64`, `linux-musl-riscv64`, and `linux-musl-s390x` aren't included. If you target a platform that the new bundle doesn't include, the native library may fail to load at runtime. In that case, revert to the standard build using the package references below.\n+\n+- **Reserved encryption keywords.** SQLite3 Multiple Ciphers reserves certain connection-string/URI parameters and PRAGMAs (such as `key`, `hexkey`, and `cipher`) for encryption configuration. This is unlikely to affect typical applications, but if you happened to use these names for unrelated purposes, behavior may differ.\n+\n+- **Double-quoted string literal support.** `e_sqlite3mc` doesn't include SQLite's legacy support for double-quoted string literals. If your SQL uses double quotes for string values, change it to use single quotes; double quotes should be used only for identifiers. 
Review raw SQL in your application (for example, SQL passed to `FromSql`, `ExecuteSql`, or migrations operations), and use SQL logging or integration tests to identify affected commands.\n+\n+If you want to keep using the standard, non-encrypted `e_sqlite3` build, reference `Microsoft.Data.Sqlite.Core` together with `SQLitePCLRaw.bundle_e_sqlite3` instead of the `Microsoft.Data.Sqlite` meta-package:\n+\n+```xml\n+\n+\n+```\n+\n+For EF Core, reference `Microsoft.EntityFrameworkCore.Sqlite.Core` instead of `Microsoft.EntityFrameworkCore.Sqlite` and add the standard bundle:\n+\n+```xml\n+\n+\n+```\n+\n````\n\n## Draft docs PR (mirror of #5385 for the 8.0 page)\n\nMirrors the merged [dotnet/EntityFramework.Docs#5385](https://github.com/dotnet/EntityFramework.Docs/pull/5385), trimmed to only what applies to the 8.0 page. Open in `dotnet/EntityFramework.Docs` (same base branch the docs team is taking 8.0 servicing edits on).\n\n### Title\n\n```\nDocument Microsoft.Data.Sqlite SQLite3MC breaking change (8.0)\n```\n\n### Description\n\n````\nMirrors dotnet/EntityFramework.Docs#5385 for the EF Core 8.0 breaking-changes page.\n\nDocuments the `Microsoft.Data.Sqlite` switch from `SQLitePCLRaw.bundle_e_sqlite3`\n(2.1.6 on the 8.0 branch) to `SQLite3MC.PCLRaw.bundle`, shipped as an 8.0.x\nservicing update, including the security-update rationale and user-visible\ncompatibility risks. 
Backports the docs change for dotnet/efcore#38402; part of\ndotnet/efcore#38257.\n\n- **Breaking change entry**\n  - Adds a low-impact `Microsoft.Data.Sqlite` breaking change for the new\n    `e_sqlite3mc` native bundle.\n  - Clarifies that `Microsoft.EntityFrameworkCore.Sqlite` also references\n    `SQLite3MC.PCLRaw.bundle` through `Microsoft.Data.Sqlite`.\n  - Adds the entry to the page's top-level Summary table.\n\n- **User guidance**\n  - Links to SQLite3MC passphrase-based encryption documentation.\n  - Documents cases that may require action: direct\n    `SQLitePCLRaw.bundle_e_sqlite3` references that conflict with the new\n    dependency, native asset / provider name changes (`e_sqlite3` ->\n    `e_sqlite3mc`), specific RID coverage gaps, reserved encryption keywords,\n    and missing legacy double-quoted string literal support.\n  - Provides fallback guidance for apps that need the standard `e_sqlite3`\n    build (note the 8.0 opt-out pins 2.1.6, not 3.x.x):\n\n```xml\n\n\n```\n\n  - Provides EF Core fallback guidance using\n    `Microsoft.EntityFrameworkCore.Sqlite.Core`:\n\n```xml\n\n\n```\n\n**Not mirrored from #5385 (doesn't apply to 8.0):** edits to the\n\"Encryption-enabled SQLite packages have been removed\" and \"Some SQLitePCLRaw\nbundle packages have been removed\" sections \u2014 neither section exists on the 8.0\npage, because 8.0 did not migrate to SQLitePCLRaw 3.0 or remove those packages.\nAccordingly, the \"Why\" text omits the reference to the removed\n`bundle_e_sqlcipher` package, which is still present on 8.0.\n````\n\n### Suggested labels\n\n`area-adonet-sqlite`, `breaking-change`\n", "creation_timestamp": "2026-06-26T21:46:00.931265Z"}, {"uuid": "86f40277-6ae2-4364-a8f8-177c141aaa57", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2025-70873", "type": "seen", "source": "https://gist.github.com/ViveliDuCh/68e776b6172a771a5a6b50b4d9f85a13", 
"content": "# Servicing PR -- Switch Microsoft.Data.Sqlite / EFCore.Sqlite to SQLite3MC bundle (EF Core 9.0)\n\nBackport of [dotnet/efcore#38402](https://github.com/dotnet/efcore/pull/38402) (+ prerequisite [#36551](https://github.com/dotnet/efcore/pull/36551)) to the `release/9.0` servicing branch. Verified locally: clean build (0 warnings / 0 errors) and all Microsoft.Data.Sqlite test legs pass on `net9.0` + `net462` (0 failures). All changes currently unstaged.\n\n---\n\n## Recommended commit message (one-liner)\n\n```\nSwitch Microsoft.Data.Sqlite and EFCore.Sqlite to SQLite3MC.PCLRaw.bundle (backport #38402, #36551)\n```\n\n## Recommended PR title\n\n```\n[release/9.0] Switch Microsoft.Data.Sqlite and EFCore.Sqlite to SQLite3MC.PCLRaw.bundle\n```\n\n## Recommended PR description\n\n> Fixes #38257\n> Backports #38402 (plus prerequisite #36551 -- SQLitePCLRaw 3.x migration)\n\n### Description\n\n`Microsoft.Data.Sqlite` and `Microsoft.EntityFrameworkCore.Sqlite` reference `SQLitePCLRaw.bundle_e_sqlite3`, whose native `e_sqlite3` builds are no longer published to NuGet.org promptly. This delays upstream SQLite security fixes (CVE-2025-6965, CVE-2025-70873). This PR backports the swap to `SQLite3MC.PCLRaw.bundle` (the `e_sqlite3mc` native build), together with the prerequisite SQLitePCLRaw 3.x migration -- without which the new bundle's transitive `SQLitePCLRaw.core` >= 3.0.2 dependency conflicts with the branch's 2.1.x pin (NU1109 / NU1605).\n\n### Customer impact\n\nUsers on `Microsoft.Data.Sqlite` / `Microsoft.EntityFrameworkCore.Sqlite` were exposed to known SQLite CVEs because the bundled native build lagged upstream. After the swap, the default native build (SQLite3 Multiple Ciphers) tracks upstream SQLite releases and receives timely security updates. Behavior for unencrypted databases is unchanged; passphrase-based encryption now works out of the box. 
Two minor, documented compatibility notes:\n\n- Double-quoted string literals are not supported by `e_sqlite3mc` -- SQL must use single quotes for string values (double quotes for identifiers only).\n- A few less-common RIDs (`linux-riscv64`, `linux-musl-riscv64`, `linux-musl-s390x`) aren't covered by the new bundle.\n\nOpt-out: reference `Microsoft.Data.Sqlite.Core` + `SQLitePCLRaw.bundle_e_sqlite3` (or `Microsoft.EntityFrameworkCore.Sqlite.Core`), documented in [EntityFramework.Docs#5385](https://github.com/dotnet/EntityFramework.Docs/pull/5385).\n\n### How found\n\nUser-reported in [dotnet/efcore#38257](https://github.com/dotnet/efcore/issues/38257) (\"SQLite vulnerbilities\"), with many comments and multiple MSRC reports.\n\n### Regression\n\nNo -- long-standing maintenance gap in the upstream `bundle_e_sqlite3` native build, not a regression in EF Core.\n\n### Testing\n\nNo new tests; covered by the existing `Microsoft.Data.Sqlite` and `EFCore.Sqlite` suites. Test infrastructure was rewired for SQLitePCLRaw 3.x (the `bundle_sqlite3` / `bundle_winsqlite3` / `bundle_e_sqlcipher` / `bundle_e_sqlite3mc` packages were removed at 3.x; replaced with `core` + `provider.*` packages and explicit `Batteries_V2` / `SetProvider` init). Verified locally: builds clean; Microsoft.Data.Sqlite test legs pass on `net9.0` and `net462` (0 failures).\n\n### Risk\n\nMedium -- two documented behavior changes on a servicing branch:\n\n1. SQLitePCLRaw 2.1 -> 3.0 migration (#36551).\n2. Default native bundle `e_sqlite3` -> `e_sqlite3mc` (#38402).\n\nNo quirk / `AppContext` switch applies: native bundle selection is a build-time NuGet decision, not a runtime managed branch (the servicing-PR skill explicitly exempts this case). 
Opt-out is available via the existing `.Core` packages.\n\n### Backport deviations from upstream\n\n- **`SQLitePCLRaw` pinned at 3.0.3** (upstream #36551 used 3.0.2) -- newer servicing patch already present on the branch; satisfies `SQLite3MC.PCLRaw.bundle` 2.3.5 (which needs `core` >= 3.0.2).\n- **Test netfx leg kept at `net462`** (upstream #36551 used `$(NetFrameworkCurrent)`). On `release/9.0`, `$(NetFrameworkCurrent)` = `net481`, which wouldn't match the test projects' `net462` target, so the `RuntimeIdentifier=win-x64` condition is pinned to `net462`.\n\n---\n\n### Files changed (13)\n\n```\n Directory.Packages.props                                       |  2 +-\n EFCore.sln                                                     | 14 --------\n eng/Versions.props                                             |  3 ++-\n src/EFCore.Sqlite/EFCore.Sqlite.csproj                         |  2 +-\n src/Microsoft.Data.Sqlite.Core/Properties/InternalsVisibleTo.cs|  4 ----\n src/Microsoft.Data.Sqlite/Microsoft.Data.Sqlite.csproj         |  2 +-\n test/Directory.Packages.props                                  |  5 ++---\n test/.../Microsoft.Data.Sqlite.Tests.csproj                    |  4 ++++\n test/.../Microsoft.Data.Sqlite.e_sqlcipher.Tests.csproj        | 17 --------- (deleted)\n test/.../Microsoft.Data.Sqlite.e_sqlite3mc.Tests.csproj        | 17 --------- (deleted)\n test/.../Microsoft.Data.Sqlite.sqlite3.Tests.csproj            |  3 ++-\n test/.../Microsoft.Data.Sqlite.winsqlite3.Tests.csproj         |  3 ++-\n test/.../TestUtilities/SqliteTestFramework.cs                  | 24 ++++++++---\n```\n\nDocs counterpart (separate PR against EntityFramework.Docs, ef-core-9.0 breaking-changes): mirrors #5385.", "creation_timestamp": "2026-06-26T23:51:19.651687Z"}, {"uuid": "bc2f49a2-03cf-4f89-986d-24efa6633197", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2025-70873", "type": 
"seen", "source": "https://gist.github.com/ViveliDuCh/68e776b6172a771a5a6b50b4d9f85a13", "content": "# Servicing PR -- Switch Microsoft.Data.Sqlite / EFCore.Sqlite to SQLite3MC bundle (EF Core 9.0)\n\nBackport of [dotnet/efcore#38402](https://github.com/dotnet/efcore/pull/38402) (+ prerequisite [#36551](https://github.com/dotnet/efcore/pull/36551)) to the `release/9.0` servicing branch. Verified locally: clean build (0 warnings / 0 errors) and all Microsoft.Data.Sqlite test legs pass on `net9.0` + `net462` (0 failures). All changes currently unstaged.\n\n---\n\n## Recommended commit message (one-liner)\n\n```\nSwitch Microsoft.Data.Sqlite and EFCore.Sqlite to SQLite3MC.PCLRaw.bundle (backport #38402, #36551)\n```\n\n## Recommended PR title\n\n```\n[release/9.0] Switch Microsoft.Data.Sqlite and EFCore.Sqlite to SQLite3MC.PCLRaw.bundle\n```\n\n## Recommended PR description\n\n> Fixes #38257\n> Backports #38402 (plus prerequisite #36551 -- SQLitePCLRaw 3.x migration)\n\n### Description\n\n`Microsoft.Data.Sqlite` and `Microsoft.EntityFrameworkCore.Sqlite` reference `SQLitePCLRaw.bundle_e_sqlite3`, whose native `e_sqlite3` builds are no longer published to NuGet.org promptly. This delays upstream SQLite security fixes (CVE-2025-6965, CVE-2025-70873). This PR backports the swap to `SQLite3MC.PCLRaw.bundle` (the `e_sqlite3mc` native build), together with the prerequisite SQLitePCLRaw 3.x migration -- without which the new bundle's transitive `SQLitePCLRaw.core` >= 3.0.2 dependency conflicts with the branch's 2.1.x pin (NU1109 / NU1605).\n\n### Customer impact\n\nUsers on `Microsoft.Data.Sqlite` / `Microsoft.EntityFrameworkCore.Sqlite` were exposed to known SQLite CVEs because the bundled native build lagged upstream. After the swap, the default native build (SQLite3 Multiple Ciphers) tracks upstream SQLite releases and receives timely security updates. Behavior for unencrypted databases is unchanged; passphrase-based encryption now works out of the box. 
Two minor, documented compatibility notes:\n\n- Double-quoted string literals are not supported by `e_sqlite3mc` -- SQL must use single quotes for string values (double quotes for identifiers only).\n- A few less-common RIDs (`linux-riscv64`, `linux-musl-riscv64`, `linux-musl-s390x`) aren't covered by the new bundle.\n\nOpt-out: reference `Microsoft.Data.Sqlite.Core` + `SQLitePCLRaw.bundle_e_sqlite3` (or `Microsoft.EntityFrameworkCore.Sqlite.Core`), documented in [EntityFramework.Docs#5385](https://github.com/dotnet/EntityFramework.Docs/pull/5385).\n\n### How found\n\nUser-reported in [dotnet/efcore#38257](https://github.com/dotnet/efcore/issues/38257) (\"SQLite vulnerbilities\"), with many comments and multiple MSRC reports.\n\n### Regression\n\nNo -- long-standing maintenance gap in the upstream `bundle_e_sqlite3` native build, not a regression in EF Core.\n\n### Testing\n\nNo new tests; covered by the existing `Microsoft.Data.Sqlite` and `EFCore.Sqlite` suites. Test infrastructure was rewired for SQLitePCLRaw 3.x (the `bundle_sqlite3` / `bundle_winsqlite3` / `bundle_e_sqlcipher` / `bundle_e_sqlite3mc` packages were removed at 3.x; replaced with `core` + `provider.*` packages and explicit `Batteries_V2` / `SetProvider` init). Verified locally: builds clean; Microsoft.Data.Sqlite test legs pass on `net9.0` and `net462` (0 failures).\n\n### Risk\n\nMedium -- two documented behavior changes on a servicing branch:\n\n1. SQLitePCLRaw 2.1 -> 3.0 migration (#36551).\n2. Default native bundle `e_sqlite3` -> `e_sqlite3mc` (#38402).\n\nNo quirk / `AppContext` switch applies: native bundle selection is a build-time NuGet decision, not a runtime managed branch (the servicing-PR skill explicitly exempts this case). 
Opt-out is available via the existing `.Core` packages.\n\n### Backport deviations from upstream\n\n- **`SQLitePCLRaw` pinned at 3.0.3** (upstream #36551 used 3.0.2) -- newer servicing patch already present on the branch; satisfies `SQLite3MC.PCLRaw.bundle` 2.3.5 (which needs `core` >= 3.0.2).\n- **Test netfx leg kept at `net462`** (upstream #36551 used `$(NetFrameworkCurrent)`). On `release/9.0`, `$(NetFrameworkCurrent)` = `net481`, which wouldn't match the test projects' `net462` target, so the `RuntimeIdentifier=win-x64` condition is pinned to `net462`.\n\n---\n\n### Files changed (13)\n\n```\n Directory.Packages.props                                       |  2 +-\n EFCore.sln                                                     | 14 --------\n eng/Versions.props                                             |  3 ++-\n src/EFCore.Sqlite/EFCore.Sqlite.csproj                         |  2 +-\n src/Microsoft.Data.Sqlite.Core/Properties/InternalsVisibleTo.cs|  4 ----\n src/Microsoft.Data.Sqlite/Microsoft.Data.Sqlite.csproj         |  2 +-\n test/Directory.Packages.props                                  |  5 ++---\n test/.../Microsoft.Data.Sqlite.Tests.csproj                    |  4 ++++\n test/.../Microsoft.Data.Sqlite.e_sqlcipher.Tests.csproj        | 17 --------- (deleted)\n test/.../Microsoft.Data.Sqlite.e_sqlite3mc.Tests.csproj        | 17 --------- (deleted)\n test/.../Microsoft.Data.Sqlite.sqlite3.Tests.csproj            |  3 ++-\n test/.../Microsoft.Data.Sqlite.winsqlite3.Tests.csproj         |  3 ++-\n test/.../TestUtilities/SqliteTestFramework.cs                  | 24 ++++++++---\n```\n\nDocs counterpart (separate PR against EntityFramework.Docs, ef-core-9.0 breaking-changes): mirrors #5385.", "creation_timestamp": "2026-06-27T00:00:58.341188Z"}, {"uuid": "457dfe40-ba18-4206-a063-2af6c60aa244", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2025-70873", "type": 
"seen", "source": "https://gist.github.com/ViveliDuCh/8e2e119fe688800e3c84e4b17424af4e", "content": "# Backport PR (8.0) \u2014 recommended title & description for dotnet/efcore#38402\n\nReady-to-paste **title** and **description** for opening the servicing backport of [dotnet/efcore#38402](https://github.com/dotnet/efcore/pull/38402) (\"Switch Microsoft.Data.Sqlite and EFCore.Sqlite to SQLite3MC.PCLRaw.bundle\") onto **`release/8.0`**.\n\nFollows the repo's `.agents/skills/servicing-pr/SKILL.md` template and mirrors the prose style of recent merged servicing PRs (e.g. [#38373](https://github.com/dotnet/efcore/pull/38373), [#38134](https://github.com/dotnet/efcore/pull/38134)).\n\n- **Base branch:** `release/8.0`\n- **Source PR:** #38402 (merged to `main`)\n- **Issue:** [#38257](https://github.com/dotnet/efcore/issues/38257) \u2014 *SQLite vulnerabilities*\n\n> **Verified against the real branches** (not just the source PR):\n> `upstream/release/8.0` has **no Central Package Management** and references `SQLitePCLRaw.bundle_e_sqlite3` `2.1.6` inline; the prepared `dev-release-8.0` branch swaps both to `SQLite3MC.PCLRaw.bundle` `2.3.5` inline. `git diff` is exactly **2 files, 1 line each**. No SQLitePCLRaw 3.x prerequisite is needed (that's a 9.0/10.0 concern driven by CPM).\n\n## Recommended title\n\n```\n[release/8.0] Switch Microsoft.Data.Sqlite and EFCore.Sqlite to SQLite3MC.PCLRaw.bundle\n```\n\n## Recommended description\n\n````\nFixes #38257\nBackports #38402\n\n**Description**\nOn 8.0, `Microsoft.Data.Sqlite` and `Microsoft.EntityFrameworkCore.Sqlite` reference\n`SQLitePCLRaw.bundle_e_sqlite3` (2.1.6), whose native `e_sqlite3` builds are no longer\npublished to NuGet.org promptly. As a result, shipped EF Core SQLite consumers stay on\na native SQLite build that lags upstream, delaying SQLite security fixes\n(e.g. CVE-2025-6965, CVE-2025-70873) from reaching them. 
This backports #38402 by\nswitching both packages to `SQLite3MC.PCLRaw.bundle` 2.3.5, which provides the\n`e_sqlite3mc` native build (SQLite3 Multiple Ciphers), an actively maintained project\nthat tracks upstream SQLite and ships updated builds promptly.\n\nUnlike the 9.0 and 10.0 backports, no SQLitePCLRaw 3.x prerequisite migration is required\non 8.0: this branch does not use Central Package Management, so the transitive\n`SQLitePCLRaw.core` 3.0.2 brought in by the new bundle flows in cleanly alongside the\nunchanged 2.1.6 references in the test projects, with no central pin to violate. The\nchange is therefore two inline `.csproj` edits.\n\n**Customer impact**\nEF Core SQLite users on 8.0 are pinned to a native SQLite build that lags upstream,\nleaving them exposed to known SQLite CVEs until the bundle catches up. After the swap,\nthe default native build receives timely security updates, and encryption (including\nsetting a password) works out of the box. Behavior for unencrypted databases is\nunchanged \u2014 SQLite3 Multiple Ciphers is a superset that only applies encryption when a\nkey/password is explicitly supplied, so existing unencrypted databases open and work as\nbefore. Two documented compatibility notes: the native asset is renamed\n`e_sqlite3` -> `e_sqlite3mc` (matters for trimming/AOT/single-file references), and\n`e_sqlite3mc` doesn't support legacy double-quoted string literals (use single quotes for\nstring values). Apps that need the standard build can opt out by referencing\n`Microsoft.Data.Sqlite.Core` / `Microsoft.EntityFrameworkCore.Sqlite.Core` plus\n`SQLitePCLRaw.bundle_e_sqlite3` 2.1.6. The breaking change is documented with mitigations\nin EntityFramework.Docs#5385.\n\n**How found**\nUser reported on 8.0 in dotnet/efcore#38257 (*SQLite vulnerabilities*), which has 50\ncomments and 13 \ud83d\udc4d across multiple users, including multiple security (MSRC) reports.\n\n**Regression**\nNo. 
This is a long-standing maintenance gap in the upstream `e_sqlite3` bundle, not a\nregression from an earlier EF Core version.\n\n**Testing**\nNo new tests. Covered by the existing Microsoft.Data.Sqlite and EFCore.Sqlite suites,\nincluding the dedicated `Microsoft.Data.Sqlite.sqlite3mc.Tests` project that already\nexercises the `SQLite3MC.PCLRaw.bundle` provider. The branch builds clean and related\ntests pass with the two-file edit.\n\n**Risk**\nLow-to-medium. Two-file, two-line `.csproj` change that swaps the native SQLite engine in\na servicing release. No quirk added: native SQLite bundle selection is a build/restore-time\nNuGet decision, not a runtime managed branch, so an AppContext switch can't gate it \u2014 the\nservicing-pr skill explicitly exempts cases where a quirk couldn't be used. An opt-out\nremains available at the packaging level via the existing `.Core` packages, and the change\nis documented with mitigations in EntityFramework.Docs#5385.\n````\n\n## How this maps to the servicing-pr template & current patterns\n\n| Template / pattern element | Applied here |\n| --- | --- |\n| Title `[release/XX.0] ` | `[release/8.0] Switch Microsoft.Data.Sqlite and EFCore.Sqlite to SQLite3MC.PCLRaw.bundle` |\n| `Fixes #` / `Backports #` header | `Fixes #38257`, `Backports #38402` |\n| All seven sections present | Description, Customer impact, How found, Regression, Testing, Risk |\n| Quirk (AppContext switch) | **Skipped** \u2014 bundle selection is build-time, not runtime; skill exempts \"quirk couldn't be used\" cases. Called out in **Risk**. |\n| Risk ranked + code-size note | \"Low-to-medium \u2026 two-file, two-line change\" |\n| Mirrors real servicing PR prose (#38373 etc.) 
| Concise per-section paragraphs, customer-facing language, explicit CVE + opt-out |\n\n### Suggested labels\n\n`area-adonet-sqlite`, `breaking-change`\n\n> Replace the CVE identifiers / comment counts with the latest figures at PR-open time if they've moved, and confirm `release/8.0` is the intended servicing target before opening.\n", "creation_timestamp": "2026-06-27T01:33:56.251565Z"}, {"uuid": "bd3fe4e6-26b7-48ea-9dbc-79c4a6fb0063", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2025-70873", "type": "seen", "source": "https://gist.github.com/ViveliDuCh/2bc6bf4e8d9695a93a22e8caf5bc9202", "content": "# Backport PR: Switch Microsoft.Data.Sqlite and EFCore.Sqlite to SQLite3MC.PCLRaw.bundle (release/10.0)\n\nRecommended title and description for opening the servicing backport PR against `release/10.0`.\nFollows the established EF Core servicing-PR template (see #38066, #38007) and mirrors the parent change #38402.\n\n---\n\n## Title\n\n```\n[release/10.0] Switch Microsoft.Data.Sqlite and EFCore.Sqlite to SQLite3MC.PCLRaw.bundle\n```\n\n---\n\n## Description\n\n```markdown\nBackport of #38402 (with prerequisite #36551).\nFixes #38257.\n\n### Description\nChanges the `Microsoft.Data.Sqlite` and `Microsoft.EntityFrameworkCore.Sqlite` packages to\nbundle `SQLite3MC.PCLRaw.bundle` (SQLite3 Multiple Ciphers) instead of\n`SQLitePCLRaw.bundle_e_sqlite3`, giving shipped consumers a native SQLite build with\nencryption support by default. This is driven by the upstream SQLite security advisories\n(CVE-2025-6965, CVE-2025-70873); the `e_sqlite3mc` bundle tracks a patched native SQLite.\n\nBecause `SQLite3MC.PCLRaw.bundle` depends on `SQLitePCLRaw.core` >= 3.0.2, the backport also\npulls in the prerequisite SQLitePCLRaw 2.1.x -> 3.0.x migration (#36551), which the parent\nPR #38402 assumed was already present on `main` but is not on `release/10.0`. 
Without it the\nbuild fails with NU1109/NU1605 version conflicts.\n\n### Customer impact\nThe shipped `Microsoft.Data.Sqlite` and `Microsoft.EntityFrameworkCore.Sqlite` packages now\ncarry the encryption-capable, CVE-patched native SQLite build by default. This is a documented\nlow-impact breaking change (tracked by #38257, milestone 10.0.11). Most apps are unaffected,\nbut a small number may need action:\n- Apps with a direct `SQLitePCLRaw.bundle_e_sqlite3` reference that now conflicts with the new dependency.\n- Native asset name changes (`e_sqlite3` -> `e_sqlite3mc`) for apps that load the native library by name.\n- RID coverage gaps for less common platforms.\n- Reserved SQLite3MC encryption keywords / PRAGMAs.\n- Loss of legacy double-quoted string literal support (`e_sqlite3mc` rejects double-quoted string values).\n\nApps that need the old behavior can opt out by referencing `Microsoft.Data.Sqlite.Core`\n(or `Microsoft.EntityFrameworkCore.Sqlite.Core`) together with `SQLitePCLRaw.bundle_e_sqlite3`.\nThe opt-out and all migration guidance are documented in the EF Core 10 breaking-changes doc\n(EntityFramework.Docs companion PR).\n\n### How found\nSecurity-driven change flowed down from `main` (#38402) and EF Core 11; backported to 10.0\nservicing under tracking issue #38257.\n\n### Regression\nNo. This is a deliberate, security-motivated dependency change, not a fix for a regression.\nIt is shipped as an approved low-impact breaking change in 10.0 servicing.\n\n### Testing\nThe existing Microsoft.Data.Sqlite provider matrix continues to exercise the relevant bundles\nvia separate test projects and `DefineConstants`. 
Locally validated on `release/10.0`:\n- Default (`e_sqlite3mc`) suite: 679 passed / 7 skipped / 0 failed (net10.0).\n- net481: 668 passed / 0 failed.\n- winsqlite3 suite: 679 passed / 0 failed (net10.0).\n- sqlite3 suite: all-skipped on Windows (pre-existing; binds to absent system SQLite).\nRestore is clean (no NU1109/NU1605) and the Sqlite product projects build against the new bundle.\n\n### Risk\nLow, but user-visible. It is a breaking change to the native SQLite build shipped by the\npackage, mitigated by: (a) a documented opt-out back to `e_sqlite3`, (b) the change being\nmilestoned and approved as a low-impact breaking change for 10.0.11, and (c) unchanged managed\nAPI surface. The main behavioral differences are the native asset rename and the lack of legacy\ndouble-quoted string literal support.\n```\n\n---\n\n## Notes / deviations from the parent PR (#38402)\n\n- **Adds prerequisite #36551.** The parent PR only contained the bundle swap because `main`\n  already had SQLitePCLRaw 3.x. 
On `release/10.0` the baseline is `2.1.11`, so the 3.x migration\n  is rolled into this backport (required for the build to resolve).\n- **Test project plumbing differs from `main`.** On `release/10.0` the obsolete\n  `e_sqlcipher`/`e_sqlite3mc` test csprojs were removed and `provider.sqlite3`/`provider.winsqlite3`\n  packages introduced to match the 3.x package layout, rather than reusing `main`'s\n  `sqlite3mc.Tests` project shape.\n- **Companion docs PR.** A separate EntityFramework.Docs PR documents the breaking change for\n  the `ef-core-10.0` breaking-changes page (mirrors dotnet/EntityFramework.Docs#5385).\n", "creation_timestamp": "2026-06-27T01:53:27.470642Z"}, {"uuid": "2161ddd1-46c4-49f7-bfbd-001230ffdb78", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2025-70873", "type": "seen", "source": "https://gist.github.com/ViveliDuCh/480c5a9928db2360e8f9e477fdd740a3", "content": "# Backport PR -- recommended title & description (EF Core 9.0 SQLite3MC swap)\n\nFor opening the backport PR of [dotnet/efcore#38402](https://github.com/dotnet/efcore/pull/38402) onto the 9.0 servicing branch. Formatted to match current `dotnet/efcore` backport conventions (e.g. [#36778](https://github.com/dotnet/efcore/pull/36778), [#36138](https://github.com/dotnet/efcore/pull/36138), [#35241](https://github.com/dotnet/efcore/pull/35241)): a `[release/9.0]` title prefix with the parent PR in parentheses, and the standard servicing body template (Description / Customer impact / How found / Regression / Testing / Risk).\n\n---\n\n## Recommended PR title\n\n```\n[release/9.0] Switch Microsoft.Data.Sqlite and EFCore.Sqlite to SQLite3MC.PCLRaw.bundle (#38402)\n```\n\n> Note on base branch: most current EF Core servicing PRs target `release/9.0-staging`. 
If that is the case here, use `[release/9.0-staging] ...` instead -- the body is identical.\n\n---\n\n## Recommended PR description (ready to paste)\n\nBackports the SQLite3MC native-bundle swap so the shipped 9.0 SQLite packages receive timely upstream security updates.\n\nFixes #38257\nBackports #38402 (plus prerequisite #36551 -- SQLitePCLRaw 3.x migration, without which the new bundle's transitive `SQLitePCLRaw.core` >= 3.0.2 dependency conflicts with this branch's 2.1.x pin: NU1109 / NU1605)\n\n**Description**\n\n`Microsoft.Data.Sqlite` and `Microsoft.EntityFrameworkCore.Sqlite` reference `SQLitePCLRaw.bundle_e_sqlite3`, whose native `e_sqlite3` build is no longer published to NuGet.org promptly, delaying upstream SQLite security fixes. This backports the swap to `SQLite3MC.PCLRaw.bundle` (the `e_sqlite3mc` / SQLite3 Multiple Ciphers native build, which tracks upstream SQLite and ships updates quickly), together with the prerequisite SQLitePCLRaw 3.x migration that the new bundle requires on this branch.\n\n**Customer impact**\n\nUsers on `Microsoft.Data.Sqlite` / `Microsoft.EntityFrameworkCore.Sqlite` were exposed to known SQLite CVEs (CVE-2025-6965, CVE-2025-70873) because the bundled native build lagged upstream. After the swap the default native build receives timely security updates, and passphrase-based encryption works out of the box. Behavior for unencrypted databases is unchanged. 
Two minor, documented compatibility notes:\n\n- Double-quoted string literals are not supported by `e_sqlite3mc` -- SQL must use single quotes for string values (double quotes for identifiers only).\n- A few less-common RIDs (`linux-riscv64`, `linux-musl-riscv64`, `linux-musl-s390x`) are not covered by the new bundle.\n\nOpt-out for either concern: reference the `.Core` packages (`Microsoft.Data.Sqlite.Core` / `Microsoft.EntityFrameworkCore.Sqlite.Core`) with `SQLitePCLRaw.bundle_e_sqlite3`, as documented in EntityFramework.Docs#5385.\n\n**How found**\n\nUser-reported in dotnet/efcore#38257 (\"SQLite vulnerbilities\"), with multiple users and MSRC reports.\n\n**Regression**\n\nNo -- long-standing maintenance gap in the upstream `bundle_e_sqlite3` native build, not a regression in EF Core.\n\n**Testing**\n\nNo new tests; covered by the existing `Microsoft.Data.Sqlite` and `EFCore.Sqlite` suites. Test infrastructure was rewired for SQLitePCLRaw 3.x (the `bundle_sqlite3` / `bundle_winsqlite3` / `bundle_e_sqlcipher` / `bundle_e_sqlite3mc` packages no longer exist at 3.x; replaced with `core` + `provider.*` packages and explicit `Batteries_V2` / `SetProvider` init). Verified locally: clean build (0 warnings / 0 errors); Microsoft.Data.Sqlite test legs pass on `net9.0` and `net462` (0 failures).\n\n**Risk**\n\nMedium -- two documented behavior changes on a servicing branch:\n\n1. SQLitePCLRaw 2.1 -> 3.0 migration (#36551).\n2. Default native bundle `e_sqlite3` -> `e_sqlite3mc` (#38402).\n\nNo quirk / `AppContext` switch applies: native bundle selection is a build-time NuGet decision, not a runtime managed branch (the servicing-PR guidance explicitly exempts this case). 
An opt-out is available via the existing `.Core` packages.\n\n---\n\n## Bonus -- recommended commit message (one-liner)\n\n```\nSwitch Microsoft.Data.Sqlite and EFCore.Sqlite to SQLite3MC.PCLRaw.bundle (backport #38402, #36551)\n```\n\n## Backport deviation to call out in review\n\nThe only deviation from the parent PRs: the netfx test leg stays at `net462` (upstream #36551 used `$(NetFrameworkCurrent)`, which resolves to `net481` on this branch and would not match the test projects' `net462` target). Package versions (`SQLitePCLRaw` 3.0.3, `SQLite3MC.PCLRaw.bundle` 2.3.5) match #38402's merged end-state exactly.", "creation_timestamp": "2026-06-27T01:54:37.992897Z"}]}