Overview
CVE-2017-0247 describes a denial of service (DoS) vulnerability in ASP.NET Core that is triggered while encoding web request data. The issue stems from the TextEncoder.EncodeCore implementation in System.Text.Encodings.Web, used by ASP.NET Core MVC versions prior to 1.0.4 and 1.1.x versions prior to 1.1.3. The bug allows remote attackers to cause a DoS by exploiting an incorrect length calculation for certain 4-byte Unicode characters (code points outside the Basic Multilingual Plane). This is a patchable library issue rather than a direct data access risk.
Exploitation involves sending crafted payloads containing Unicode sequences that trigger the buggy encoding path. Under load, this can cause CPU or memory exhaustion, degrading or taking down services that rely on the encoder path for sanitizing user input. The vulnerability centers on resource exhaustion rather than authorization per se, but in environments with tight resource controls, or where it is combined with weaker access checks, attackers can magnify its impact.
Fixing the issue requires upgrading to patched components (ASP.NET Core MVC 1.0.4 and 1.1.3 or newer). In code, rely on the framework-provided encoders (HtmlEncoder.Default, JavaScriptEncoder.Default) after upgrading, and avoid internal or deprecated encoder paths that were addressed by the patch. This guidance also covers the broader requirement to implement explicit object-level authorization (the control that prevents Broken Object Level Authorization, BOLA) so that unauthorized access to specific resources is denied; a combination of updated encoding and proper authorization reduces overall risk.
Remediation actions therefore emphasize both patching the encoding path and strengthening authorization so that access to resources is verified on an object-by-object basis, reducing exposure even if a DoS vulnerability remains in the encoding layer.
Affected Versions
ASP.NET Core MVC 1.0.x prior to 1.0.4 and 1.1.x prior to 1.1.3 (i.e., 1.0.0-1.0.3 and 1.1.0-1.1.2)
Code Fix Example
ASP.NET Core API Security Remediation
using Microsoft.AspNetCore.Mvc;
using Microsoft.AspNetCore.Authorization;
using System.Text;
using System.Text.Encodings.Web;

public class EncodingDemoController : ControllerBase
{
    // Vulnerable: a naive hand-rolled encoder illustrating the flawed approach.
    // It only escapes '<' and '>' (the entities were lost in extraction and are
    // restored here), leaves '&', '"' and '\'' untouched, and iterates UTF-16
    // code units, so it has no notion of 4-byte (surrogate-pair) characters.
    public string VulnerableEncode(string input)
    {
        if (input == null) return null;
        var sb = new StringBuilder();
        foreach (char c in input)
        {
            if (c == '<') sb.Append("&lt;");
            else if (c == '>') sb.Append("&gt;");
            else sb.Append(c);
        }
        return sb.ToString();
    }

    // Fixed: use the framework-provided encoder from the patched library.
    // HtmlEncoder.Default escapes every character outside Basic Latin and
    // handles surrogate pairs as single scalar values.
    public string FixedEncode(string input)
    {
        return HtmlEncoder.Default.Encode(input ?? "");
    }
}
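As an added example, not part of the original advisory or of ASP.NET Core, the following xUnit regression test drives HtmlEncoder.Default with the input class the CVE concerns (4-byte, supplementary-plane code points) and fails fast instead of hanging if the library in use still has the defect. It assumes an xUnit test project that references System.Text.Encodings.Web at a patched version; the test name and sample strings are constructed.

```csharp
using System;
using System.Linq;
using System.Net;
using System.Text.Encodings.Web;
using System.Threading.Tasks;
using Xunit;

public class EncoderRegressionTests
{
    // Constructed inputs: an emoji (U+1F600), a CJK Extension B character
    // (U+20000), HTML metacharacters mixed with astral code points, and a
    // long run of one astral character to exercise the bulk encoding path.
    public static readonly string[] Samples =
    {
        "\U0001F600",
        "\U00020000",
        "<script>\U0001F600</script> & \"quoted\" 'x'",
        string.Concat(Enumerable.Repeat("\U0001F4A9", 4096)),
    };

    [Fact]
    public void SupplementaryPlaneInputEncodesAndRoundTrips()
    {
        foreach (var input in Samples)
        {
            // Encode on a worker task so that a hang in a defective build
            // fails this test instead of stalling the whole test run.
            var work = Task.Run(() => HtmlEncoder.Default.Encode(input));
            Assert.True(work.Wait(TimeSpan.FromSeconds(2)),
                        "encoder did not complete; System.Text.Encodings.Web may be unpatched");
            string encoded = work.Result;

            // The default encoder escapes everything outside Basic Latin, so
            // the output must be pure ASCII with no raw HTML metacharacters.
            Assert.All(encoded, c => Assert.True(c < 0x80));
            Assert.DoesNotContain("<", encoded);
            Assert.DoesNotContain(">", encoded);

            // Decoding must give back exactly the original scalars: a wrong
            // length calculation would drop or duplicate surrogate halves.
            Assert.Equal(input, WebUtility.HtmlDecode(encoded));
        }
    }
}
```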