Overview
CVE-2017-0249 is an elevation of privilege vulnerability in ASP.NET Core that Microsoft attributes to web requests not being properly sanitized; it is classified under CWE-20 (Improper Input Validation). The CVE itself is an elevation of privilege issue rather than a denial of service, but it illustrates the general CWE-20 pattern: when request data reaches application logic without being bounded and validated, the attacker decides how much work the server does on their behalf. In that broader class of weakness, unbounded input can drive excessive processing, memory use, or I/O and exhaust server resources.
This guide explains how improper input validation in ASP.NET Core can cause unrestricted resource consumption, degrading service or denying it outright when attackers send oversized or malformed requests. Request data that is never bounded can trigger heavy processing paths, disk or network I/O, or complex model binding, each consuming resources out of proportion to the request. CVE-2017-0249 and CWE-20 are used here to frame the risk pattern and the concrete remediation steps.
Remediation focuses on strict input validation and resource bounding: apply per-endpoint or global request body size limits (Kestrel's MaxRequestBodySize, IIS's maxAllowedContentLength), validate inputs as early in the pipeline as possible, and use middleware to enforce consistent constraints across routes so that no endpoint is left with only the server default. Limits should reject oversized bodies with 413 Payload Too Large before the application buffers them. The code sample below shows a vulnerable pattern and a fix in ASP.NET Core C# aligned with the CVE and CWE guidance.
Code Fix Example
ASP.NET Core API Security Remediation
// Vulnerable and fixed ASP.NET Core example (C#)
using System.IO;
using System.Text;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Mvc;

[ApiController]
[Route("[controller]")]
public class ResourceController : ControllerBase
{
    // Vulnerable pattern: buffers the entire body in memory with no
    // endpoint-specific bound. The only ceiling is the server default
    // (Kestrel: 30,000,000 bytes; IIS: maxAllowedContentLength), which can be
    // raised or disabled, so every concurrent request may pin that much memory.
    [HttpPost("vulnerable")]
    public async Task<IActionResult> Vulnerable()
    {
        using (var reader = new StreamReader(Request.Body, Encoding.UTF8,
                   detectEncodingFromByteOrderMarks: true, bufferSize: 1024, leaveOpen: false))
        {
            var content = await reader.ReadToEndAsync();
            // Process content without bounds
        }
        return Ok();
    }

    // Fixed pattern: cap the body for this action. RequestSizeLimit is an MVC
    // resource filter (ASP.NET Core 2.0 and later) that sets
    // IHttpMaxRequestBodySizeFeature before model binding runs; any read past
    // the cap, whether the length was declared or chunked, fails and the server
    // answers 413 Payload Too Large instead of buffering more data.
    [HttpPost("fixed")]
    [RequestSizeLimit(1024 * 1024)] // 1 MB
    public async Task<IActionResult> Fixed()
    {
        using (var reader = new StreamReader(Request.Body, Encoding.UTF8))
        {
            var content = await reader.ReadToEndAsync();
            // Process content, now bounded to 1 MB
        }
        return Ok();
    }
}
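The attribute above covers a single action. The remediation paragraph also calls for a global server limit, early validation, and middleware that keeps every route bounded, so the following added example (written for this page, not code from the original article or from the ASP.NET Core project) shows those three layers together on ASP.NET Core 6+ minimal hosting: a Kestrel-wide ceiling, middleware that rejects oversized or wrong-typed requests to an illustrative /ingest route before any body is read, and a bounded body reader that stops at the cap even when the hosting server enforces nothing. The route name, the 4 MB global limit, the 64 KB per-route cap, and the ReadBoundedAsync helper are all assumptions made for the example.

```csharp
// Added example (not from the original page): global Kestrel limit, per-route
// middleware cap, and a bounded body reader. Assumes ASP.NET Core 6+ minimal
// hosting; the /ingest route, the limits and ReadBoundedAsync are illustrative.
using System;
using System.IO;
using System.Threading;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Hosting;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Http.Features;

var builder = WebApplication.CreateBuilder(args);

// Layer 1, global ceiling: Kestrel fails any body read beyond this size with
// 413, whether the length is declared or the body is chunked. The default is
// 30,000,000 bytes; lower it to what the application actually needs.
builder.WebHost.ConfigureKestrel(k => k.Limits.MaxRequestBodySize = 4 * 1024 * 1024);

var app = builder.Build();

const long IngestCap = 64 * 1024; // illustrative per-route cap for /ingest

// Layer 2, early validation in middleware: decide before any byte of the body
// is read, so a bad request costs one header parse and nothing else.
app.Use(async (ctx, next) =>
{
    if (ctx.Request.Path.StartsWithSegments("/ingest"))
    {
        // Wrong media type: reject before model binding or JSON parsing runs.
        if (!ctx.Request.HasJsonContentType())
        {
            ctx.Response.StatusCode = StatusCodes.Status415UnsupportedMediaType;
            return;
        }
        // Declared length already over the cap: reject without touching the body.
        if (ctx.Request.ContentLength is long len && len > IngestCap)
        {
            ctx.Response.StatusCode = StatusCodes.Status413PayloadTooLarge;
            return;
        }
        // Undeclared (chunked) length: tighten the server-side limit for this
        // request so Kestrel aborts the read at the cap instead of buffering.
        var feature = ctx.Features.Get<IHttpMaxRequestBodySizeFeature>();
        if (feature is { IsReadOnly: false })
            feature.MaxRequestBodySize = IngestCap;
    }
    await next(ctx);
});

app.MapPost("/ingest", async (HttpRequest request) =>
{
    // Layer 3, defensive bounded read: stop at the cap even if the server in
    // front of this code enforces no limit (custom hosting, test servers).
    var body = await ReadBoundedAsync(request.Body, IngestCap, request.HttpContext.RequestAborted);
    if (body is null)
        return Results.StatusCode(StatusCodes.Status413PayloadTooLarge);
    return Results.Ok(new { bytes = body.Length });
});

app.Run();

// Reads at most `max` bytes from `s`; returns null as soon as the stream would
// exceed `max`, so memory use is bounded by the cap plus one read buffer.
static async Task<byte[]?> ReadBoundedAsync(Stream s, long max, CancellationToken ct)
{
    using var ms = new MemoryStream();
    var buf = new byte[16 * 1024];
    int n;
    while ((n = await s.ReadAsync(buf, ct)) > 0)
    {
        if (ms.Length + n > max) return null;
        ms.Write(buf, 0, n);
    }
    return ms.ToArray();
}
```

The three layers are deliberately redundant. The Kestrel limit is the safety net for routes nobody thought about; the middleware gives the cheapest possible rejection for declared oversize or wrong-typed requests and, through IHttpMaxRequestBodySizeFeature, a per-route cap that also governs chunked bodies (the same feature is what [RequestSizeLimit] sets, and it is honoured by both Kestrel and the IIS in-process server); the bounded reader protects the handler when it is hosted somewhere that provides neither. When the application runs behind IIS, set maxAllowedContentLength in web.config as well, because IIS request filtering rejects the request before it reaches this pipeline.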