This document explains how to patch a system for SQL injection vulnerability in the SQL Server transport using hotfix release 1.2.5.
Detailed information about the vulnerability, its impact, available mitigation steps, and patching instructions can be found in the security advisory.
Updating the NuGet package
The vulnerability can be fixed by upgrading the SQL Server transport package that is being used. The package can be updated with the following command in the Package Manager Console within Visual Studio:
Update-Package NServiceBus.SqlServer -Version 1.2.5
After the package has been updated, all affected endpoints must be rebuilt and redeployed.