GHSA-6xh7-4v2w-36q6
GitHub Security Advisory
ASP.NET Core fails to properly validate web requests
✓ GitHub Reviewed
HIGH
Has CVE
Advisory Details
A denial of service vulnerability exists when the ASP.NET Core fails to properly validate web requests. NOTE: Microsoft has not commented on third-party claims that the issue is that the TextEncoder.EncodeCore function in the System.Text.Encodings.Web package in ASP.NET Core Mvc before 1.0.4 and 1.1.x before 1.1.3 allows remote attackers to cause a denial of service by leveraging failure to properly calculate the length of 4-byte characters in the Unicode Non-Character range.
Affected Packages
NuGet
Microsoft.AspNetCore.Mvc
Affected versions:
1.0.0
(fixed in 1.0.4)
NuGet
Microsoft.AspNetCore.Mvc
Affected versions:
1.1.0
(fixed in 1.1.3)
NuGet
Microsoft.AspNetCore.Mvc.Core
Affected versions:
1.0.0
(fixed in 1.0.4)
NuGet
Microsoft.AspNetCore.Mvc.Core
Affected versions:
1.1.0
(fixed in 1.1.3)
NuGet
System.Net.Http
Affected versions:
4.1.1
(fixed in 4.1.2)
NuGet
System.Net.Http
Affected versions:
4.3.1
(fixed in 4.3.2)
NuGet
System.Text.Encodings.Web
Affected versions:
4.0.0
(fixed in 4.0.1)
NuGet
System.Text.Encodings.Web
Affected versions:
4.3.0
(fixed in 4.3.1)
NuGet
System.Net.Http.WinHttpHandler
Affected versions:
4.0.0
(fixed in 4.0.1)
NuGet
System.Net.Http.WinHttpHandler
Affected versions:
4.3.0
(fixed in 4.5.4)
NuGet
System.Net.Security
Affected versions:
4.0.0
(fixed in 4.0.1)
NuGet
System.Net.Security
Affected versions:
4.3.0
(fixed in 4.3.1)
NuGet
System.Net.WebSockets.Client
Affected versions:
4.0.0
(fixed in 4.0.1)
NuGet
System.Net.WebSockets.Client
Affected versions:
4.3.0
(fixed in 4.3.1)
NuGet
Microsoft.AspNetCore.Mvc.Abstractions
Affected versions:
1.0.0
(fixed in 1.0.4)
NuGet
Microsoft.AspNetCore.Mvc.Abstractions
Affected versions:
1.1.0
(fixed in 1.1.3)
NuGet
Microsoft.AspNetCore.Mvc.ApiExplorer
Affected versions:
1.0.0
(fixed in 1.0.4)
NuGet
Microsoft.AspNetCore.Mvc.ApiExplorer
Affected versions:
1.1.0
(fixed in 1.1.3)
NuGet
Microsoft.AspNetCore.Mvc.Cors
Affected versions:
1.0.0
(fixed in 1.0.4)
NuGet
Microsoft.AspNetCore.Mvc.Cors
Affected versions:
1.1.0
(fixed in 1.1.3)
NuGet
Microsoft.AspNetCore.Mvc.DataAnnotations
Affected versions:
1.0.0
(fixed in 1.0.4)
NuGet
Microsoft.AspNetCore.Mvc.DataAnnotations
Affected versions:
1.1.0
(fixed in 1.1.3)
NuGet
Microsoft.AspNetCore.Mvc.Formatters.Json
Affected versions:
1.0.0
(fixed in 1.0.4)
NuGet
Microsoft.AspNetCore.Mvc.Formatters.Json
Affected versions:
1.1.0
(fixed in 1.1.3)
NuGet
Microsoft.AspNetCore.Mvc.Formatters.Xml
Affected versions:
1.0.0
(fixed in 1.0.4)
NuGet
Microsoft.AspNetCore.Mvc.Formatters.Xml
Affected versions:
1.1.0
(fixed in 1.1.3)
NuGet
Microsoft.AspNetCore.Mvc.Localization
Affected versions:
1.0.0
(fixed in 1.0.4)
NuGet
Microsoft.AspNetCore.Mvc.Localization
Affected versions:
1.1.0
(fixed in 1.1.3)
NuGet
Microsoft.AspNetCore.Mvc.Razor.Host
Affected versions:
1.0.0
(fixed in 1.0.4)
NuGet
Microsoft.AspNetCore.Mvc.Razor.Host
Affected versions:
1.1.0
(fixed in 1.1.3)
NuGet
Microsoft.AspNetCore.Mvc.Razor
Affected versions:
1.0.0
(fixed in 1.0.4)
NuGet
Microsoft.AspNetCore.Mvc.Razor
Affected versions:
1.1.0
(fixed in 1.1.3)
NuGet
Microsoft.AspNetCore.Mvc.TagHelpers
Affected versions:
1.0.0
(fixed in 1.0.4)
NuGet
Microsoft.AspNetCore.Mvc.TagHelpers
Affected versions:
1.1.0
(fixed in 1.1.3)
NuGet
Microsoft.AspNetCore.Mvc.ViewFeatures
Affected versions:
1.0.0
(fixed in 1.0.4)
NuGet
Microsoft.AspNetCore.Mvc.ViewFeatures
Affected versions:
1.1.0
(fixed in 1.1.3)
NuGet
Microsoft.AspNetCore.Mvc.WebApiCompatShim
Affected versions:
1.0.0
(fixed in 1.0.4)
NuGet
Microsoft.AspNetCore.Mvc.WebApiCompatShim
Affected versions:
1.1.0
(fixed in 1.1.3)
Related CVEs
Key Information
7.5
/10
Dataset
Last updated: June 18, 2025 6:25 AM
Data from GitHub Advisory Database. This information is provided for research and educational purposes.