GHSA-hxrm-9w7p-39cc
GitHub Security Advisory
Cookie parsing failure
✓ GitHub Reviewed
HIGH
Has CVE
Advisory Details
A security feature bypass vulnerability exists in the way Microsoft ASP.NET Core parses encoded cookie names. The ASP.NET Core cookie parser decodes entire cookie strings, which could allow a malicious attacker to set a second cookie with the name being percent encoded. The security update addresses the vulnerability by fixing the way the ASP.NET Core cookie parser handles encoded names. This issue is also known as 'Microsoft ASP.NET Core Security Feature Bypass Vulnerability'.
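A simplified model of the parsing difference described above, with a check that flags percent-encoded cookie names in a raw Cookie header. This is an added example, not code from ASP.NET Core or from the advisory; the function names and sample headers are constructed for illustration, and the model assumes a plain `name=value; ...` header.

```python
from urllib.parse import unquote

# Constructed sample Cookie headers (not taken from the advisory).
BENIGN = "session=abc123; theme=dark"
SUSPECT = "session=abc123; %73ession=injected; theme=dark"


def split_cookie_header(header):
    """Split a Cookie header into (raw_name, raw_value) pairs without decoding."""
    pairs = []
    for item in header.split(";"):
        name, sep, value = item.strip().partition("=")
        if sep and name:
            pairs.append((name, value))
    return pairs


def parse(header, decode_names):
    """Return {name: [values]}.

    decode_names=True models the behaviour the advisory describes (the whole
    pair is percent-decoded); decode_names=False keeps names literal.
    """
    jar = {}
    for name, value in split_cookie_header(header):
        key = unquote(name) if decode_names else name
        jar.setdefault(key, []).append(unquote(value))
    return jar


def encoded_cookie_names(header):
    """Detection check: (raw, decoded) for every name that changes when decoded."""
    return [(n, unquote(n)) for n, _ in split_cookie_header(header) if unquote(n) != n]


if __name__ == "__main__":
    for label, header in (("benign", BENIGN), ("suspect", SUSPECT)):
        print(label, "names decoded:", parse(header, decode_names=True))
        print(label, "names literal:", parse(header, decode_names=False))
        print(label, "flagged:", encoded_cookie_names(header))
```

With names decoded, the two distinct wire names collapse into one key; with names kept literal they stay separate, and the check reports the encoded one either way.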
Affected Packages
NuGet: Microsoft.AspNetCore.Http. Affected versions: 0 (fixed in 2.1.22)
NuGet: Microsoft.AspNetCore.App. Affected versions: 0 (fixed in 2.1.22)
NuGet: Microsoft.Owin. Affected versions: 0 (fixed in 4.1.1)
NuGet: Microsoft.AspNetCore.App.Runtime.linux-arm. Affected versions: 3.1.0 (fixed in 3.1.8)
NuGet: Microsoft.AspNetCore.App.Runtime.linux-arm64. Affected versions: 3.1.0 (fixed in 3.1.8)
NuGet: Microsoft.AspNetCore.App.Runtime.linux-musl-x64. Affected versions: 3.1.0 (fixed in 3.1.8)
NuGet: Microsoft.AspNetCore.App.Runtime.linux-x64. Affected versions: 3.1.0 (fixed in 3.1.8)
NuGet: Microsoft.AspNetCore.App.Runtime.osx-x64. Affected versions: 3.1.0 (fixed in 3.1.8)
NuGet: Microsoft.AspNetCore.App.Runtime.win-arm. Affected versions: 3.1.0 (fixed in 3.1.8)
NuGet: Microsoft.AspNetCore.App.Runtime.win-x64. Affected versions: 3.1.0 (fixed in 3.1.8)
NuGet: Microsoft.AspNetCore.App.Runtime.win-x86. Affected versions: 3.1.0 (fixed in 3.1.8)
NuGet: Microsoft.AspNetCore.App.Runtime.linux-musl-arm64. Affected versions: 3.1.0 (fixed in 3.1.8)
NuGet: Microsoft.AspNetCore.App.Runtime.win-arm64. Affected versions: 3.1.5 (fixed in 3.1.8)
Related CVEs
Key Information
7.5/10
Dataset
Last updated: July 28, 2025 6:37 AM
Data from GitHub Advisory Database. This information is provided for research and educational purposes.