Overview
CVE-2017-0247 describes a denial-of-service condition in ASP.NET Core in which the encoding path used for rendering HTML/JSON could consume excessive CPU when handling certain long, crafted Unicode input. The root cause is an incorrect length calculation for 4-byte Unicode characters in the Unicode Non-Character range inside the TextEncoder.EncodeCore implementation used by System.Text.Encodings.Web. Attackers could leverage this to exhaust server resources and degrade or knock offline vulnerable applications. In practice the issue is categorized under CWE-20 (Improper Input Validation) because of how input is handled during encoding. Although labeled as a DoS issue, it is in effect an injection-related input-processing weakness, since it forces the server to perform expensive encoding work on untrusted input.
In practice, this manifested in ASP.NET Core MVC apps that relied on the affected encoder before patches were released. When an attacker sent requests containing heavy or specially crafted Unicode payloads, the encoding routine would miscalculate the resulting output size and perform excessive work, potentially leading to high CPU usage and service degradation. The vulnerability affected older ASP.NET Core MVC releases on the 1.0.x and 1.1.x lines prior to the patched fixes; the official mitigation was to upgrade to the patched releases, 1.0.4 or 1.1.3 or newer.
Remediation centers on upgrading to the patched framework and library versions, which correct the EncodeCore behavior and prevent the DoS caused by improper length calculations. In addition to upgrading, apply defense-in-depth controls such as limiting request body size, enabling rate limiting, and auditing dependencies to ensure every transitive reference to the encoding library is patched. After upgrading, validate the fix with targeted tests and load scenarios to confirm that encoding does not trigger abnormal CPU usage under adversarial input.
As you implement remediation, document the CVE reference (CVE-2017-0247) and the affected versions in your security plan, and coordinate with your hosting environment to ensure patched binaries are deployed across all instances and deployment slots.
Affected Versions
ASP.NET Core MVC 1.0.x up to 1.0.3 and 1.1.x up to 1.1.2; patched releases are 1.0.4 and 1.1.3 or newer
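The dependency audit recommended above can be automated against the resolved package list that NuGet writes to obj/project.assets.json, which includes transitive packages. The script below is an added example, not code from the advisory or from Microsoft; it assumes the NuGet package id Microsoft.AspNetCore.Mvc for "ASP.NET Core MVC", uses only the version ranges stated on this page, and runs on a constructed sample file.

```python
import json

# Affected ranges as stated on this page: 1.0.x up to 1.0.3 and 1.1.x up to 1.1.2.
PACKAGE = "Microsoft.AspNetCore.Mvc"   # assumption: NuGet id for "ASP.NET Core MVC"
FIRST_FIXED = {(1, 0): 4, (1, 1): 3}   # (major, minor) -> first patched patch number


def parse_version(text):
    """Return (major, minor, patch) for '1.1.2' or '1.1.2-rc1'; None if malformed."""
    core = text.split("-", 1)[0].split("+", 1)[0]
    parts = core.split(".")
    if len(parts) < 3 or not all(p.isdigit() for p in parts[:3]):
        return None
    return tuple(int(p) for p in parts[:3])


def is_affected(version):
    """True if in an affected range, False if not, None if the version is unparseable."""
    ver = parse_version(version)
    if ver is None:
        return None  # unknown format: flag for manual review rather than pass silently
    fixed = FIRST_FIXED.get(ver[:2])
    return fixed is not None and ver[2] < fixed


def audit_assets(assets_text):
    """Scan the 'libraries' map of project.assets.json; its keys are 'Id/Version'."""
    findings = []
    for key in json.loads(assets_text).get("libraries", {}):
        name, _, version = key.partition("/")
        if name.lower() == PACKAGE.lower():  # NuGet ids are case-insensitive
            findings.append((name, version, is_affected(version)))
    return findings


# Constructed sample, not taken from a real project.
SAMPLE_ASSETS = json.dumps({"version": 2, "libraries": {
    "Microsoft.AspNetCore.Mvc/1.1.2": {"type": "package"},
    "Microsoft.AspNetCore.Mvc.Core/1.1.2": {"type": "package"},
    "Newtonsoft.Json/9.0.1": {"type": "package"},
}})

if __name__ == "__main__":
    labels = {True: "AFFECTED", False: "ok", None: "REVIEW"}
    for name, version, affected in audit_assets(SAMPLE_ASSETS):
        print(f"{name} {version}: {labels[affected]}")
```

Run it against the project.assets.json of every project and deployment slot; a REVIEW result means the version string could not be parsed and needs a manual check.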
Code Fix Example
ASP.NET Core API Security Remediation
/* VULNERABLE pattern (pre-patch behavior) and FIXED pattern (post-patch behavior).
   Both methods make the same call; the difference is the package version the
   project references, not the application code. */
using System;
using System.Text.Encodings.Web;

namespace AspNetCoreInjectionRemediation
{
    class Program
    {
        static void Main(string[] args)
        {
            // Long placeholder input used to exercise the encoder
            string input = new string('A', 400000);

            // VULNERABLE pattern (pre-patch behavior): this path could trigger DoS on vulnerable library versions
            string vulnerableEncoded = VulnerableEncode(input);

            // FIXED pattern (post-patch behavior): after upgrading to patched ASP.NET Core / Encoding package
            string fixedEncoded = FixedEncode(input);

            Console.WriteLine("Vulnerable encoded length: " + vulnerableEncoded.Length);
            Console.WriteLine("Fixed encoded length: " + fixedEncoded.Length);
        }

        // VULNERABLE pattern (pre-patch behavior)
        // In older dependency versions (before 1.0.4 / 1.1.3), Encode could miscalculate
        // the length of certain 4-byte Unicode characters in long inputs
        static string VulnerableEncode(string input)
        {
            return HtmlEncoder.Default.Encode(input);
        }

        // FIXED pattern (post-patch behavior)
        // After upgrading to the patched releases (1.0.4 / 1.1.3 or newer), the same call
        // runs against the corrected encoder and encoding long inputs is safe
        static string FixedEncode(string input)
        {
            return HtmlEncoder.Default.Encode(input);
        }
    }
}