Microsoft Semantic Kernel 1.78.0 patches security, adds JSON Schema fixes
New release disables automatic HTTP redirects and fixes a critical MessagePack vulnerability.
Microsoft has shipped version 1.78.0 of the Semantic Kernel .NET package, a major update to the AI orchestration framework that helps developers integrate large language models into applications. This release focuses heavily on security hardening and dependency hygiene. The most notable change is the disabling of automatic HTTP redirects in the HttpPlugin and WebFileDownloadPlugin default clients, a move that mitigates server-side request forgery (SSRF) risks when AI agents fetch external content.
Additional security fixes include a high-severity vulnerability fix in MessagePack (a serialization library) and the removal of duplicate 'null' entries in JSON Schema type arrays for nullable parameters. The update also bumps the .NET SDK to 10.0.301 and upgrades several dependencies: Scriban from 7.2.0 to 7.2.5 (fixing a NU1902 vulnerability), axios to 1.16.0, and various Aspire.Hosting packages to 13.3.0. File path validation across Core, Document, and Web plugins has been hardened to prevent path traversal attacks. Developers already using Semantic Kernel should update to ensure secure AI agent behavior.
- Automatic HTTP redirects disabled in HttpPlugin and WebFileDownloadPlugin to prevent SSRF attacks
- Critical MessagePack high-severity vulnerability patched (CVE not specified)
- JSON Schema type arrays for nullable parameters no longer produce duplicate 'null' entries
Why It Matters
Essential security update for all .NET AI agents using Semantic Kernel, fixing SSRF and serialization vulnerabilities.