MimeKit Vulnerability and EPiServer.CMS.Core Dependency Update

Hi everyone,

We want to inform you about a critical security vulnerability affecting older versions of the EPiServer.CMS.Core package due to its indirect dependency on MimeKit 3.0.

🔍 What’s the Issue?

Versions of EPiServer.CMS.Core prior to 12.22.4 have a dependency on MailKit 3.0 up to 4.x, which in turn depends on MimeKit 3.0. Unfortunately, MimeKit 3.0 contains a high severity vulnerability, the patch version is 4.7.1.

✅ What We Did

Starting from EPiServer.CMS.Core version 12.22.4, which was released for a couple of months, we updated the dependency range for MailKit to [3.0, 5.0). This change allows you to be able to manually upgrade MailKit and MimeKit to safer versions. Specifically, we recommend upgrading the MailKit package to 4.7.1 or higher which requires the patch version of MimeKit 4.7.1 or higher.

📢 What You Should Do

We strongly advise:

1. Upgrade EPiServer.CMS.Core to version 12.22.4 or later.
2. Manually upgrade MailKit to version 4.7.1 or higher.

This will eliminate the vulnerability and align your application with best security practices.

Note: Upgrading MailKit to a new major version (v4) should not cause any issues in CMS. We have already verified compatibility when extending the dependency range in version 12.22.4.
However, if your application directly uses MailKit, please be aware that MailKit v4 introduces changes in public APIs, and you may need to update your implementation accordingly.

🔒 Looking Ahead

Security is a top priority for us. We are actively considering enforcing a higher minimum version of MailKit in future CMS Core releases to ensure all customers benefit from secure defaults.

If you have any questions, please reach out to our support team. Thank you for your continued trust and commitment to secure software practices.