Broken Function Level Authorization

Broken Function Level Authorization - ASP.NET Core[Mar 2026] [CVE-2017-0247]

[Fixed Mar 2026] Updated CVE-2017-0247

Overview

CVE-2017-0247 describes a denial of service vulnerability in ASP.NET Core MVC caused by a flaw in the TextEncoder.EncodeCore path of System.Text.Encodings.Web. When untrusted input containing certain 4-byte Unicode characters (characters outside the Basic Multilingual Plane, represented in .NET strings as surrogate pairs) is encoded, the encoder can miscalculate the required buffer length, leading to excessive CPU consumption and potential service unavailability. The fix was delivered in patched releases of ASP.NET Core MVC: 1.0.4 and 1.1.3 (and later). Although this is primarily a resource exhaustion issue rather than an authorization flaw, it can affect any endpoint protected by function-level authorization whenever attacker-controlled input is passed through the encoder as part of request handling. The CVE explicitly identifies the encoding path and the affected pre-patch versions, so the mitigation is to update the encoding library and the core framework.

Affected Versions

ASP.NET Core MVC before 1.0.4 and 1.1.x before 1.1.3 (i.e., pre-patch versions); patch available via upgrades to ASP.NET Core 1.0.4 and 1.1.3 or later, which include the fixed System.Text.Encodings.Web behavior.
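As an added example (not part of this page's original content), a small Python audit that reads a .csproj file and flags a Microsoft.AspNetCore.Mvc package reference whose version falls in the pre-patch range listed above. The package ID, the constructed sample project file and the version-comparison helper are assumptions made here.

```python
"""Audit a .csproj for ASP.NET Core MVC package versions affected by CVE-2017-0247."""
import re
import xml.etree.ElementTree as ET

# Fixed releases named on the page: 1.0.4 for the 1.0.x line, 1.1.3 for the 1.1.x line.
FIXED = {(1, 0): (1, 0, 4), (1, 1): (1, 1, 3)}
PACKAGE = "Microsoft.AspNetCore.Mvc"  # NuGet ID of ASP.NET Core MVC (assumed here)


def parse_version(text):
    """Return the numeric (major, minor, patch) prefix of a NuGet version string,
    ignoring any prerelease suffix such as '-preview1-final'."""
    m = re.match(r"^(\d+)\.(\d+)(?:\.(\d+))?", text.strip())
    if not m:
        raise ValueError(f"unrecognised version: {text!r}")
    return int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)


def is_vulnerable(version):
    """True when the version predates the fix for its release line:
    anything below 1.0.4 and any 1.1.x below 1.1.3 is affected."""
    v = parse_version(version)
    if v < FIXED[(1, 0)]:
        return True
    line = v[:2]
    return line in FIXED and v < FIXED[line]


def audit_csproj(xml_text):
    """Return (package, version, vulnerable) for each PackageReference to the MVC package.
    Tag names are compared by local name so namespaced (old-style) project files also work."""
    root = ET.fromstring(xml_text)
    findings = []
    for ref in root.iter():
        if ref.tag.rsplit("}", 1)[-1] != "PackageReference" or ref.get("Include") != PACKAGE:
            continue
        # Version may be given as an attribute or as a child element.
        version = ref.get("Version") or (ref.findtext("Version") or "").strip()
        findings.append((PACKAGE, version, is_vulnerable(version)))
    return findings


# Constructed sample project file (not taken from the page) with one pre-patch reference.
SAMPLE_CSPROJ = """<Project Sdk="Microsoft.NET.Sdk.Web">
  <ItemGroup>
    <PackageReference Include="Microsoft.AspNetCore.Mvc" Version="1.1.2" />
    <PackageReference Include="Microsoft.AspNetCore.Server.Kestrel" Version="1.1.2" />
  </ItemGroup>
</Project>"""

if __name__ == "__main__":
    for name, version, vuln in audit_csproj(SAMPLE_CSPROJ):
        print(f"{name} {version}: {'UPDATE REQUIRED' if vuln else 'ok'}")
```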

Code Fix Example

ASP.NET Core API Security Remediation
// Vulnerable pattern (pre-patch):
// The vulnerability lives in the encoding library; the application simply calls the encoder as part of request processing.
// Upgrading System.Text.Encodings.Web and ASP.NET Core mitigates the issue; the application code stays functionally the same.
// Both controllers are shown in one compilation unit, so the using directives appear only once, at the top of the file.
using System.Text.Encodings.Web;
using Microsoft.AspNetCore.Mvc;

public class DemoControllerVulnerable : Controller
{
    [HttpGet("vulnerable/echo")]
    public IActionResult Echo(string input)
    {
        // Vulnerable because the unpatched encoder in older ASP.NET Core releases (before 1.0.4 / 1.1.3)
        // mis-sizes its buffer for certain 4-byte Unicode input and burns CPU.
        // A missing query parameter arrives as null; Encode(null) throws, so substitute an empty string.
        var encoded = HtmlEncoder.Default.Encode(input ?? string.Empty);
        return Content(encoded, "text/plain");
    }
}

// Fixed pattern (post-patch): the same code path, but running against the patched library (ASP.NET Core 1.0.4+ / 1.1.3+).
public class DemoControllerFixed : Controller
{
    [HttpGet("fixed/echo")]
    public IActionResult Echo(string input)
    {
        // After patching, this same call is served by the fixed encoder implementation.
        var encoded = HtmlEncoder.Default.Encode(input ?? string.Empty);
        return Content(encoded, "text/plain");
    }
}

CVE References
