Overview
ASP.NET Core failed to properly validate certain web requests when encoding content, allowing an attacker to cause a denial of service by exploiting how 4-byte Unicode characters are length-calculated during encoding. The flaw lies in the TextEncoder.EncodeCore function in System.Text.Encodings.Web, as used by ASP.NET Core MVC prior to patching. The issue is categorized under CWE-20 (Input Validation) and can be triggered by crafted payloads that cause excessive processing time in the encoding path, consuming CPU and potentially starving legitimate requests. CVE-2017-0247 documents this DoS risk and notes that updating to the patched versions is required to mitigate it.
Affected Versions
ASP.NET Core MVC before 1.0.4 and 1.1.x before 1.1.3; patched in 1.0.4 and 1.1.3 (via System.Text.Encodings.Web updates).
Code Fix Example
ASP.NET Core API Security Remediation
// Vulnerable pattern (demonstrates the surface area affected by the older encoding logic)
using Microsoft.AspNetCore.Mvc;
using System.Text.Encodings.Web;

namespace Demo
{
    public class VulnerableController : Controller
    {
        [HttpGet("/vuln")]
        public IActionResult Vuln(string input)
        {
            // Vulnerable: relies on an older System.Text.Encodings.Web implementation,
            // so attacker-controlled input reaches the affected TextEncoder.EncodeCore path.
            // Encode(string) throws ArgumentNullException on null, so guard a missing query value.
            var encoded = HtmlEncoder.Default.Encode(input ?? string.Empty);
            return Content(encoded, "text/plain");
        }
    }
}

// Fixed: upgrade System.Text.Encodings.Web to the patched version shipped with
// ASP.NET Core MVC 1.0.4 / 1.1.3; the application code path remains the same.
namespace Demo
{
    public class FixedController : Controller
    {
        [HttpGet("/fixed")]
        public IActionResult Fixed(string input)
        {
            // Same call as above; the fix lives in the updated package, not in this code.
            var encoded = HtmlEncoder.Default.Encode(input ?? string.Empty);
            return Content(encoded, "text/plain");
        }
    }
}
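Because the remediation is a package upgrade rather than a code change, a practical control is to audit project files for MVC references that fall inside the affected range listed above. The following Python script is an added example, not part of the original advisory or of any Microsoft tooling; it assumes MVC is referenced through the Microsoft.AspNetCore.Mvc or Microsoft.AspNetCore.Mvc.Core NuGet ids via PackageReference items, and the project file it parses is constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Ranges from the advisory text above: 1.0.x before 1.0.4 and 1.1.x before 1.1.3.
FIXED_BY_BRANCH = {(1, 0): (1, 0, 4), (1, 1): (1, 1, 3)}
# NuGet ids checked against that range (assumed to be how MVC is referenced).
MVC_PACKAGES = {"Microsoft.AspNetCore.Mvc", "Microsoft.AspNetCore.Mvc.Core"}
# Carries the encoder itself; listed for manual review, as the text gives no patched version for it.
ENCODER_PACKAGE = "System.Text.Encodings.Web"

def parse_version(text):
    """'1.1.2' or '1.1.0-preview1-final' -> comparable (major, minor, patch)."""
    parts = [int(p) for p in text.split("-", 1)[0].split(".") if p.isdigit()]
    parts += [0] * (3 - len(parts))
    return tuple(parts[:3])

def is_vulnerable(version):
    """True when the version is on an affected branch and precedes the fix."""
    v = parse_version(version)
    fixed = FIXED_BY_BRANCH.get(v[:2])
    return fixed is not None and v < fixed

def audit_csproj(csproj_xml):
    """Return (vulnerable MVC refs, encoder refs) from PackageReference items."""
    vulnerable, encoder = [], []
    for el in ET.fromstring(csproj_xml).iter():
        # Old-style csproj carries an MSBuild namespace; compare local names only.
        if el.tag.rsplit("}", 1)[-1] != "PackageReference":
            continue
        name, version = el.get("Include"), el.get("Version")
        if not name or not version:
            continue
        if name in MVC_PACKAGES and is_vulnerable(version):
            vulnerable.append((name, version))
        elif name == ENCODER_PACKAGE:
            encoder.append((name, version))
    return vulnerable, encoder

# Constructed sample project file, not taken from any real project.
SAMPLE_CSPROJ = """<Project Sdk="Microsoft.NET.Sdk.Web">
  <ItemGroup>
    <PackageReference Include="Microsoft.AspNetCore.Mvc" Version="1.1.2" />
    <PackageReference Include="System.Text.Encodings.Web" Version="4.3.0" />
    <PackageReference Include="Newtonsoft.Json" Version="9.0.1" />
  </ItemGroup>
</Project>"""

if __name__ == "__main__":
    print(audit_csproj(SAMPLE_CSPROJ))
```

Run it against each project in a repository and fail the build when the first list is non-empty; entries in the second list still need a manual check that the referenced encoder package is the patched one.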