Sensitive Data Exposure

Sensitive Data Exposure and ASP.NET Core remediation [CVE-2017-0247]

[Updated Sep 2026] Updated CVE-2017-0247

Overview

This guide centers on a real-world DoS vulnerability in ASP.NET Core described by CVE-2017-0247, which arises from insufficient validation in the text encoding path. The issue is rooted in the Unicode handling used by the System.Text.Encodings.Web package before the patched releases, where the EncodeCore logic could miscalculate lengths for certain 4-byte Unicode characters in the Non-Character range, enabling attackers to exhaust CPU and memory resources on affected servers. Although labeled as a DoS, the impact in practice is the unavailability of the service, which can indirectly lead to exposure risk for any sensitive data by rendering the application unavailable to legitimate users. The CVE is associated with CWE-20 (Improper Input Validation), highlighting how input handling in encoding paths can become a vector when edge-case characters are processed without correct bounds. The remediation hinges on applying the patched library versions and following recommended hardening steps to prevent resource exhaustion from malicious inputs. The guidance below references CVE-2017-0247 and explains how the vulnerability manifests in ASP.NET Core apps and how to fix it in C# code.

Affected Versions

ASP.NET Core MVC prior to 1.0.4 and ASP.NET Core MVC 1.1.x prior to 1.1.3; underlying System.Text.Encodings.Web prior to 1.0.4 and prior to 1.1.3.

Code Fix Example

ASP.NET Core API Security Remediation 
using System;
using System.Text;
using System.Text.Encodings.Web;

class Program
{
    static void Main()
    {
        // Simulated large input to illustrate potential impact of vulnerable vs fixed paths.
        string input = new string('A', 10000);

        // Vulnerable path (pre-patch / legacy behavior simulated by LegacyHtmlEncoder).
        string vulnerableEncoded = LegacyHtmlEncoder.Encode(input);

        // Fixed path (post-patch) using the updated library HtmlEncoder from System.Text.Encodings.Web.
        string fixedEncoded = HtmlEncoder.Default.Encode(input);

        Console.WriteLine("Vulnerable length: " + vulnerableEncoded.Length);
        Console.WriteLine("Fixed length: " + fixedEncoded.Length);
    }

    // This class is a stand-in to illustrate the vulnerable code path that could exist in older library versions.
    public static class LegacyHtmlEncoder
    {
        public static string Encode(string s)
        {
            var sb = new StringBuilder();
            foreach (char ch in s)
            {
                if (ch == '<') sb.Append("&lt;");
                else if (ch == '>') sb.Append("&gt;");
                else sb.Append(ch);
            }
            return sb.ToString();
        }
    }
}

CVE References

More ASP.NET Core API Security Remediation Guides

View all →

Manage cookie preferences

Choose which optional cookies to allow. You can change this any time.