Security Misconfiguration

Security Misconfiguration - ASP.NET Core [Mar 2026] [CVE-2017-0247]

[Fixed Mar 2026] Updated CVE-2017-0247

Overview

CVE-2017-0247 is a denial-of-service flaw in ASP.NET Core MVC. The TextEncoder.EncodeCore function miscalculates the length of certain 4-byte Unicode characters in the Non-Character range, and a request crafted to contain such characters can drive CPU usage high enough to degrade or deny service on affected endpoints.

In practice the vulnerable path is reached whenever user input is encoded for an HTML or JSON response. Because of the faulty length calculation, the encoding library may allocate disproportionately large buffers or run lengthy loops, exhausting server resources and hurting availability for legitimate users.

Microsoft addressed the issue by releasing patched versions of the encoding library and ASP.NET Core. Upgrading System.Text.Encodings.Web to version 1.0.4 or 1.1.3 (and updating the affected ASP.NET Core components) corrects the miscalculation and mitigates the DoS risk; after patching, existing encoding calls such as HtmlEncoder.Encode are safe without any code change.

This is a security misconfiguration in dependency management: applications that pin old library versions or delay patching remain exposed. Regularly scan dependencies for known CVEs and apply patches promptly, especially for libraries on the request-processing and output-encoding path.

Affected Versions

ASP.NET Core MVC 1.0.x before 1.0.4; ASP.NET Core MVC 1.1.x before 1.1.3

Code Fix Example

ASP.NET Core API Security Remediation
Vulnerable pattern (pre-patch) - using an older, vulnerable encoding library

using System.Text.Encodings.Web;
using Microsoft.AspNetCore.Mvc;

public class HomeController : Controller
{
    [HttpGet]
    public IActionResult Index(string input)
    {
        // Encode(string) throws ArgumentNullException on null, so a request
        // without ?input= would otherwise fail with a 500.
        input ??= string.Empty;

        // Vulnerable: with the old encoding library, crafted 4-byte Unicode
        // input can trigger the miscalculated-length path and exhaust CPU.
        var encoded = HtmlEncoder.Default.Encode(input);
        return Content(encoded, "text/html");
    }
}

Fixed pattern (post-patch) - upgrade System.Text.Encodings.Web to 1.0.4 or 1.1.3 or newer

using System.Text.Encodings.Web;
using Microsoft.AspNetCore.Mvc;

public class HomeController : Controller
{
    [HttpGet]
    public IActionResult Index(string input)
    {
        // Encode(string) throws ArgumentNullException on null, so default
        // a missing query parameter to the empty string.
        input ??= string.Empty;

        // Safe: the call is identical to the vulnerable version. The fix is
        // the package upgrade, which corrects the length calculation inside
        // the encoder; no application code change is required.
        var encoded = HtmlEncoder.Default.Encode(input);
        return Content(encoded, "text/html");
    }
}
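Since the fix is a version bump rather than a code change, the practical check is whether a project still pins an affected version. The script below is an added example, not part of this advisory: it audits a .csproj for the two packages named above and classifies each pin using only the 1.0.4 / 1.1.3 thresholds this page states (any other release branch is reported as outside the advisory rather than guessed at). The sample project file is constructed.

```python
# Added example: audit a .csproj for package pins affected by CVE-2017-0247,
# using only the patched-version thresholds stated on this page.
import xml.etree.ElementTree as ET

# Minimum patched version per release branch (major, minor, patch, final-release flag).
PATCHED_MIN = {(1, 0): (1, 0, 4, 1), (1, 1): (1, 1, 3, 1)}
# Packages the advisory names; both are checked against the same thresholds.
WATCHED = ("System.Text.Encodings.Web", "Microsoft.AspNetCore.Mvc")


def parse_version(text):
    """'1.0.3' -> (1, 0, 3, 1). A pre-release suffix such as '1.0.4-rc1' sorts
    below the final 1.0.4, which is the conservative reading for an audit."""
    core, _, suffix = text.strip().partition("-")
    parts = [int(p) for p in core.split(".")]
    parts += [0] * (3 - len(parts))
    return tuple(parts[:3]) + ((0,) if suffix else (1,))


def classify(version):
    v = parse_version(version)
    floor = PATCHED_MIN.get(v[:2])
    if floor is None:
        return "outside-advisory"  # branch not covered by this page; check elsewhere
    return "vulnerable" if v < floor else "patched"


def _local(tag):
    # Old-style csproj files carry an MSBuild xmlns; strip it so both styles match.
    return tag.rpartition("}")[2]


def audit_csproj(xml_text):
    """Return {package: (version, verdict)} for every watched PackageReference."""
    findings = {}
    for ref in ET.fromstring(xml_text).iter():
        if _local(ref.tag) != "PackageReference" or ref.get("Include") not in WATCHED:
            continue
        # NuGet accepts the version either as an attribute or as a child element.
        version = ref.get("Version")
        if version is None:
            child = next((c for c in ref if _local(c.tag) == "Version"), None)
            version = child.text.strip() if child is not None and child.text else None
        if version is None:
            findings[ref.get("Include")] = (None, "unpinned")  # resolve, then re-check
            continue
        findings[ref.get("Include")] = (version, classify(version))
    return findings


# Constructed sample project file, not taken from the advisory.
SAMPLE_CSPROJ = """<Project Sdk="Microsoft.NET.Sdk.Web">
  <ItemGroup>
    <PackageReference Include="Microsoft.AspNetCore.Mvc" Version="1.1.2" />
    <PackageReference Include="System.Text.Encodings.Web" Version="1.0.4" />
    <PackageReference Include="Newtonsoft.Json" Version="9.0.1" />
  </ItemGroup>
</Project>"""

if __name__ == "__main__":
    for pkg, (ver, verdict) in audit_csproj(SAMPLE_CSPROJ).items():
        print(f"{pkg} {ver}: {verdict}")
```

Run it against each project in a solution as part of CI; an "unpinned" or "outside-advisory" verdict means the resolved version must be confirmed by other means (for example the restored assets file or a package vulnerability scan).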
