High severity7.5NVD Advisory· Published May 12, 2017· Updated May 13, 2026

CVE-2017-0247

Description

A denial of service vulnerability exists when the ASP.NET Core fails to properly validate web requests. NOTE: Microsoft has not commented on third-party claims that the issue is that the TextEncoder.EncodeCore function in the System.Text.Encodings.Web package in ASP.NET Core Mvc before 1.0.4 and 1.1.x before 1.1.3 allows remote attackers to cause a denial of service by leveraging failure to properly calculate the length of 4-byte characters in the Unicode Non-Character range.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
Microsoft.AspNetCore.MvcNuGet	>= 1.0.0, < 1.0.4	1.0.4
Microsoft.AspNetCore.MvcNuGet	>= 1.1.0, < 1.1.3	1.1.3
Microsoft.AspNetCore.Mvc.CoreNuGet	>= 1.0.0, < 1.0.4	1.0.4
Microsoft.AspNetCore.Mvc.CoreNuGet	>= 1.1.0, < 1.1.3	1.1.3
System.Net.HttpNuGet	>= 4.1.1, < 4.1.2	4.1.2
System.Net.HttpNuGet	>= 4.3.1, < 4.3.2	4.3.2
System.Text.Encodings.WebNuGet	>= 4.0.0, < 4.0.1	4.0.1
System.Text.Encodings.WebNuGet	>= 4.3.0, < 4.3.1	4.3.1
System.Net.Http.WinHttpHandlerNuGet	>= 4.0.0, < 4.0.1	4.0.1
System.Net.Http.WinHttpHandlerNuGet	>= 4.3.0, < 4.5.4	4.5.4
System.Net.SecurityNuGet	>= 4.0.0, < 4.0.1	4.0.1
System.Net.SecurityNuGet	>= 4.3.0, < 4.3.1	4.3.1
System.Net.WebSockets.ClientNuGet	>= 4.0.0, < 4.0.1	4.0.1
System.Net.WebSockets.ClientNuGet	>= 4.3.0, < 4.3.1	4.3.1
Microsoft.AspNetCore.Mvc.AbstractionsNuGet	>= 1.0.0, < 1.0.4	1.0.4
Microsoft.AspNetCore.Mvc.AbstractionsNuGet	>= 1.1.0, < 1.1.3	1.1.3
Microsoft.AspNetCore.Mvc.ApiExplorerNuGet	>= 1.0.0, < 1.0.4	1.0.4
Microsoft.AspNetCore.Mvc.ApiExplorerNuGet	>= 1.1.0, < 1.1.3	1.1.3
Microsoft.AspNetCore.Mvc.CorsNuGet	>= 1.0.0, < 1.0.4	1.0.4
Microsoft.AspNetCore.Mvc.CorsNuGet	>= 1.1.0, < 1.1.3	1.1.3
Microsoft.AspNetCore.Mvc.DataAnnotationsNuGet	>= 1.0.0, < 1.0.4	1.0.4
Microsoft.AspNetCore.Mvc.DataAnnotationsNuGet	>= 1.1.0, < 1.1.3	1.1.3
Microsoft.AspNetCore.Mvc.Formatters.JsonNuGet	>= 1.0.0, < 1.0.4	1.0.4
Microsoft.AspNetCore.Mvc.Formatters.JsonNuGet	>= 1.1.0, < 1.1.3	1.1.3
Microsoft.AspNetCore.Mvc.Formatters.XmlNuGet	>= 1.0.0, < 1.0.4	1.0.4
Microsoft.AspNetCore.Mvc.Formatters.XmlNuGet	>= 1.1.0, < 1.1.3	1.1.3
Microsoft.AspNetCore.Mvc.LocalizationNuGet	>= 1.0.0, < 1.0.4	1.0.4
Microsoft.AspNetCore.Mvc.LocalizationNuGet	>= 1.1.0, < 1.1.3	1.1.3
Microsoft.AspNetCore.Mvc.Razor.HostNuGet	>= 1.0.0, < 1.0.4	1.0.4
Microsoft.AspNetCore.Mvc.Razor.HostNuGet	>= 1.1.0, < 1.1.3	1.1.3
Microsoft.AspNetCore.Mvc.RazorNuGet	>= 1.0.0, < 1.0.4	1.0.4
Microsoft.AspNetCore.Mvc.RazorNuGet	>= 1.1.0, < 1.1.3	1.1.3
Microsoft.AspNetCore.Mvc.TagHelpersNuGet	>= 1.0.0, < 1.0.4	1.0.4
Microsoft.AspNetCore.Mvc.TagHelpersNuGet	>= 1.1.0, < 1.1.3	1.1.3
Microsoft.AspNetCore.Mvc.ViewFeaturesNuGet	>= 1.0.0, < 1.0.4	1.0.4
Microsoft.AspNetCore.Mvc.ViewFeaturesNuGet	>= 1.1.0, < 1.1.3	1.1.3
Microsoft.AspNetCore.Mvc.WebApiCompatShimNuGet	>= 1.0.0, < 1.0.4	1.0.4
Microsoft.AspNetCore.Mvc.WebApiCompatShimNuGet	>= 1.1.0, < 1.1.3	1.1.3

Affected products

102

Microsoft/Asp.net Model View Controller7 versions
cpe:2.3:a:microsoft:asp.net_model_view_controller:1.0.0:*:*:*:*:*:*:*+ 6 more
- cpe:2.3:a:microsoft:asp.net_model_view_controller:1.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:microsoft:asp.net_model_view_controller:1.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:microsoft:asp.net_model_view_controller:1.0.2:*:*:*:*:*:*:*
- cpe:2.3:a:microsoft:asp.net_model_view_controller:1.0.3:*:*:*:*:*:*:*
- cpe:2.3:a:microsoft:asp.net_model_view_controller:1.1.0:*:*:*:*:*:*:*
- cpe:2.3:a:microsoft:asp.net_model_view_controller:1.1.1:*:*:*:*:*:*:*
- cpe:2.3:a:microsoft:asp.net_model_view_controller:1.1.2:*:*:*:*:*:*:*
Microsoft/Microsoft.aspnetcore.mvc.abstractions7 versions
cpe:2.3:a:microsoft:microsoft.aspnetcore.mvc.abstractions:1.0.0:*:*:*:*:asp.net:*:*+ 6 more
- cpe:2.3:a:microsoft:microsoft.aspnetcore.mvc.abstractions:1.0.0:*:*:*:*:asp.net:*:*
- cpe:2.3:a:microsoft:microsoft.aspnetcore.mvc.abstractions:1.0.1:*:*:*:*:asp.net:*:*
- cpe:2.3:a:microsoft:microsoft.aspnetcore.mvc.abstractions:1.0.2:*:*:*:*:asp.net:*:*
- cpe:2.3:a:microsoft:microsoft.aspnetcore.mvc.abstractions:1.0.3:*:*:*:*:asp.net:*:*
- cpe:2.3:a:microsoft:microsoft.aspnetcore.mvc.abstractions:1.1.0:*:*:*:*:asp.net:*:*
- cpe:2.3:a:microsoft:microsoft.aspnetcore.mvc.abstractions:1.1.1:*:*:*:*:asp.net:*:*
- cpe:2.3:a:microsoft:microsoft.aspnetcore.mvc.abstractions:1.1.2:*:*:*:*:asp.net:*:*
Microsoft/Microsoft.aspnetcore.mvc.apiexplorer7 versions
cpe:2.3:a:microsoft:microsoft.aspnetcore.mvc.apiexplorer:1.0.0:*:*:*:*:asp.net:*:*+ 6 more
- cpe:2.3:a:microsoft:microsoft.aspnetcore.mvc.apiexplorer:1.0.0:*:*:*:*:asp.net:*:*
- cpe:2.3:a:microsoft:microsoft.aspnetcore.mvc.apiexplorer:1.0.1:*:*:*:*:asp.net:*:*
- cpe:2.3:a:microsoft:microsoft.aspnetcore.mvc.apiexplorer:1.0.2:*:*:*:*:asp.net:*:*
- cpe:2.3:a:microsoft:microsoft.aspnetcore.mvc.apiexplorer:1.0.3:*:*:*:*:asp.net:*:*
- cpe:2.3:a:microsoft:microsoft.aspnetcore.mvc.apiexplorer:1.1.0:*:*:*:*:asp.net:*:*
- cpe:2.3:a:microsoft:microsoft.aspnetcore.mvc.apiexplorer:1.1.1:*:*:*:*:asp.net:*:*
- cpe:2.3:a:microsoft:microsoft.aspnetcore.mvc.apiexplorer:1.1.2:*:*:*:*:asp.net:*:*
Microsoft/Microsoft.aspnetcore.mvc.cors7 versions
cpe:2.3:a:microsoft:microsoft.aspnetcore.mvc.cors:1.0.0:*:*:*:*:asp.net:*:*+ 6 more
- cpe:2.3:a:microsoft:microsoft.aspnetcore.mvc.cors:1.0.0:*:*:*:*:asp.net:*:*
- cpe:2.3:a:microsoft:microsoft.aspnetcore.mvc.cors:1.0.1:*:*:*:*:asp.net:*:*
- cpe:2.3:a:microsoft:microsoft.aspnetcore.mvc.cors:1.0.2:*:*:*:*:asp.net:*:*
- cpe:2.3:a:microsoft:microsoft.aspnetcore.mvc.cors:1.0.3:*:*:*:*:asp.net:*:*
- cpe:2.3:a:microsoft:microsoft.aspnetcore.mvc.cors:1.1.0:*:*:*:*:asp.net:*:*
- cpe:2.3:a:microsoft:microsoft.aspnetcore.mvc.cors:1.1.1:*:*:*:*:asp.net:*:*
- cpe:2.3:a:microsoft:microsoft.aspnetcore.mvc.cors:1.1.2:*:*:*:*:asp.net:*:*
Microsoft/Microsoft.aspnetcore.mvc.dataannotations7 versions
cpe:2.3:a:microsoft:microsoft.aspnetcore.mvc.dataannotations:1.0.0:*:*:*:*:asp.net:*:*+ 6 more
- cpe:2.3:a:microsoft:microsoft.aspnetcore.mvc.dataannotations:1.0.0:*:*:*:*:asp.net:*:*
- cpe:2.3:a:microsoft:microsoft.aspnetcore.mvc.dataannotations:1.0.1:*:*:*:*:asp.net:*:*
- cpe:2.3:a:microsoft:microsoft.aspnetcore.mvc.dataannotations:1.0.2:*:*:*:*:asp.net:*:*
- cpe:2.3:a:microsoft:microsoft.aspnetcore.mvc.dataannotations:1.0.3:*:*:*:*:asp.net:*:*
- cpe:2.3:a:microsoft:microsoft.aspnetcore.mvc.dataannotations:1.1.0:*:*:*:*:asp.net:*:*
- cpe:2.3:a:microsoft:microsoft.aspnetcore.mvc.dataannotations:1.1.1:*:*:*:*:asp.net:*:*
- cpe:2.3:a:microsoft:microsoft.aspnetcore.mvc.dataannotations:1.1.2:*:*:*:*:asp.net:*:*
Microsoft/Microsoft.aspnetcore.mvc.formatters.JSON7 versions
cpe:2.3:a:microsoft:microsoft.aspnetcore.mvc.formatters.json:1.0.0:*:*:*:*:asp.net:*:*+ 6 more
- cpe:2.3:a:microsoft:microsoft.aspnetcore.mvc.formatters.json:1.0.0:*:*:*:*:asp.net:*:*
- cpe:2.3:a:microsoft:microsoft.aspnetcore.mvc.formatters.json:1.0.1:*:*:*:*:asp.net:*:*
- cpe:2.3:a:microsoft:microsoft.aspnetcore.mvc.formatters.json:1.0.2:*:*:*:*:asp.net:*:*
- cpe:2.3:a:microsoft:microsoft.aspnetcore.mvc.formatters.json:1.0.3:*:*:*:*:asp.net:*:*
- cpe:2.3:a:microsoft:microsoft.aspnetcore.mvc.formatters.json:1.1.0:*:*:*:*:asp.net:*:*
- cpe:2.3:a:microsoft:microsoft.aspnetcore.mvc.formatters.json:1.1.1:*:*:*:*:asp.net:*:*
- cpe:2.3:a:microsoft:microsoft.aspnetcore.mvc.formatters.json:1.1.2:*:*:*:*:asp.net:*:*
Microsoft/Microsoft.aspnetcore.mvc.formatters.XML7 versions
cpe:2.3:a:microsoft:microsoft.aspnetcore.mvc.formatters.xml:1.0.0:*:*:*:*:asp.net:*:*+ 6 more
- cpe:2.3:a:microsoft:microsoft.aspnetcore.mvc.formatters.xml:1.0.0:*:*:*:*:asp.net:*:*
- cpe:2.3:a:microsoft:microsoft.aspnetcore.mvc.formatters.xml:1.0.1:*:*:*:*:asp.net:*:*
- cpe:2.3:a:microsoft:microsoft.aspnetcore.mvc.formatters.xml:1.0.2:*:*:*:*:asp.net:*:*
- cpe:2.3:a:microsoft:microsoft.aspnetcore.mvc.formatters.xml:1.0.3:*:*:*:*:asp.net:*:*
- cpe:2.3:a:microsoft:microsoft.aspnetcore.mvc.formatters.xml:1.1.0:*:*:*:*:asp.net:*:*
- cpe:2.3:a:microsoft:microsoft.aspnetcore.mvc.formatters.xml:1.1.1:*:*:*:*:asp.net:*:*
- cpe:2.3:a:microsoft:microsoft.aspnetcore.mvc.formatters.xml:1.1.2:*:*:*:*:asp.net:*:*
Microsoft/Microsoft.aspnetcore.mvc.localization7 versions
cpe:2.3:a:microsoft:microsoft.aspnetcore.mvc.localization:1.0.0:*:*:*:*:asp.net:*:*+ 6 more
- cpe:2.3:a:microsoft:microsoft.aspnetcore.mvc.localization:1.0.0:*:*:*:*:asp.net:*:*
- cpe:2.3:a:microsoft:microsoft.aspnetcore.mvc.localization:1.0.1:*:*:*:*:asp.net:*:*
- cpe:2.3:a:microsoft:microsoft.aspnetcore.mvc.localization:1.0.2:*:*:*:*:asp.net:*:*
- cpe:2.3:a:microsoft:microsoft.aspnetcore.mvc.localization:1.0.3:*:*:*:*:asp.net:*:*
- cpe:2.3:a:microsoft:microsoft.aspnetcore.mvc.localization:1.1.0:*:*:*:*:asp.net:*:*
- cpe:2.3:a:microsoft:microsoft.aspnetcore.mvc.localization:1.1.1:*:*:*:*:asp.net:*:*
- cpe:2.3:a:microsoft:microsoft.aspnetcore.mvc.localization:1.1.2:*:*:*:*:asp.net:*:*
Microsoft/Microsoft.aspnetcore.mvc.razor7 versions
cpe:2.3:a:microsoft:microsoft.aspnetcore.mvc.razor:1.0.0:*:*:*:*:asp.net:*:*+ 6 more
- cpe:2.3:a:microsoft:microsoft.aspnetcore.mvc.razor:1.0.0:*:*:*:*:asp.net:*:*
- cpe:2.3:a:microsoft:microsoft.aspnetcore.mvc.razor:1.0.1:*:*:*:*:asp.net:*:*
- cpe:2.3:a:microsoft:microsoft.aspnetcore.mvc.razor:1.0.2:*:*:*:*:asp.net:*:*
- cpe:2.3:a:microsoft:microsoft.aspnetcore.mvc.razor:1.0.3:*:*:*:*:asp.net:*:*
- cpe:2.3:a:microsoft:microsoft.aspnetcore.mvc.razor:1.1.0:*:*:*:*:asp.net:*:*
- cpe:2.3:a:microsoft:microsoft.aspnetcore.mvc.razor:1.1.1:*:*:*:*:asp.net:*:*
- cpe:2.3:a:microsoft:microsoft.aspnetcore.mvc.razor:1.1.2:*:*:*:*:asp.net:*:*
Microsoft/Microsoft.aspnetcore.mvc.razor.host7 versions
cpe:2.3:a:microsoft:microsoft.aspnetcore.mvc.razor.host:1.0.0:*:*:*:*:asp.net:*:*+ 6 more
- cpe:2.3:a:microsoft:microsoft.aspnetcore.mvc.razor.host:1.0.0:*:*:*:*:asp.net:*:*
- cpe:2.3:a:microsoft:microsoft.aspnetcore.mvc.razor.host:1.0.1:*:*:*:*:asp.net:*:*
- cpe:2.3:a:microsoft:microsoft.aspnetcore.mvc.razor.host:1.0.2:*:*:*:*:asp.net:*:*
- cpe:2.3:a:microsoft:microsoft.aspnetcore.mvc.razor.host:1.0.3:*:*:*:*:asp.net:*:*
- cpe:2.3:a:microsoft:microsoft.aspnetcore.mvc.razor.host:1.1.0:*:*:*:*:asp.net:*:*
- cpe:2.3:a:microsoft:microsoft.aspnetcore.mvc.razor.host:1.1.1:*:*:*:*:asp.net:*:*
- cpe:2.3:a:microsoft:microsoft.aspnetcore.mvc.razor.host:1.1.2:*:*:*:*:asp.net:*:*
Microsoft/Microsoft.aspnetcore.mvc.taghelpers7 versions
cpe:2.3:a:microsoft:microsoft.aspnetcore.mvc.taghelpers:1.0.0:*:*:*:*:asp.net:*:*+ 6 more
- cpe:2.3:a:microsoft:microsoft.aspnetcore.mvc.taghelpers:1.0.0:*:*:*:*:asp.net:*:*
- cpe:2.3:a:microsoft:microsoft.aspnetcore.mvc.taghelpers:1.0.1:*:*:*:*:asp.net:*:*
- cpe:2.3:a:microsoft:microsoft.aspnetcore.mvc.taghelpers:1.0.2:*:*:*:*:asp.net:*:*
- cpe:2.3:a:microsoft:microsoft.aspnetcore.mvc.taghelpers:1.0.3:*:*:*:*:asp.net:*:*
- cpe:2.3:a:microsoft:microsoft.aspnetcore.mvc.taghelpers:1.1.0:*:*:*:*:asp.net:*:*
- cpe:2.3:a:microsoft:microsoft.aspnetcore.mvc.taghelpers:1.1.1:*:*:*:*:asp.net:*:*
- cpe:2.3:a:microsoft:microsoft.aspnetcore.mvc.taghelpers:1.1.2:*:*:*:*:asp.net:*:*
Microsoft/Microsoft.aspnetcore.mvc.viewfeatures7 versions
cpe:2.3:a:microsoft:microsoft.aspnetcore.mvc.viewfeatures:1.0.0:*:*:*:*:asp.net:*:*+ 6 more
- cpe:2.3:a:microsoft:microsoft.aspnetcore.mvc.viewfeatures:1.0.0:*:*:*:*:asp.net:*:*
- cpe:2.3:a:microsoft:microsoft.aspnetcore.mvc.viewfeatures:1.0.1:*:*:*:*:asp.net:*:*
- cpe:2.3:a:microsoft:microsoft.aspnetcore.mvc.viewfeatures:1.0.2:*:*:*:*:asp.net:*:*
- cpe:2.3:a:microsoft:microsoft.aspnetcore.mvc.viewfeatures:1.0.3:*:*:*:*:asp.net:*:*
- cpe:2.3:a:microsoft:microsoft.aspnetcore.mvc.viewfeatures:1.1.0:*:*:*:*:asp.net:*:*
- cpe:2.3:a:microsoft:microsoft.aspnetcore.mvc.viewfeatures:1.1.1:*:*:*:*:asp.net:*:*
- cpe:2.3:a:microsoft:microsoft.aspnetcore.mvc.viewfeatures:1.1.2:*:*:*:*:asp.net:*:*
Microsoft/Microsoft.aspnetcore.mvc.webapicompatshim7 versions
cpe:2.3:a:microsoft:microsoft.aspnetcore.mvc.webapicompatshim:1.0.0:*:*:*:*:asp.net:*:*+ 6 more
- cpe:2.3:a:microsoft:microsoft.aspnetcore.mvc.webapicompatshim:1.0.0:*:*:*:*:asp.net:*:*
- cpe:2.3:a:microsoft:microsoft.aspnetcore.mvc.webapicompatshim:1.0.1:*:*:*:*:asp.net:*:*
- cpe:2.3:a:microsoft:microsoft.aspnetcore.mvc.webapicompatshim:1.0.2:*:*:*:*:asp.net:*:*
- cpe:2.3:a:microsoft:microsoft.aspnetcore.mvc.webapicompatshim:1.0.3:*:*:*:*:asp.net:*:*
- cpe:2.3:a:microsoft:microsoft.aspnetcore.mvc.webapicompatshim:1.1.0:*:*:*:*:asp.net:*:*
- cpe:2.3:a:microsoft:microsoft.aspnetcore.mvc.webapicompatshim:1.1.1:*:*:*:*:asp.net:*:*
- cpe:2.3:a:microsoft:microsoft.aspnetcore.mvc.webapicompatshim:1.1.2:*:*:*:*:asp.net:*:*
Microsoft/System.net.HTTP2 versions
cpe:2.3:a:microsoft:system.net.http:4.1.1:*:*:*:*:asp.net:*:*+ 1 more
- cpe:2.3:a:microsoft:system.net.http:4.1.1:*:*:*:*:asp.net:*:*
- cpe:2.3:a:microsoft:system.net.http:4.3.1:*:*:*:*:asp.net:*:*
Microsoft/System.net.HTTP.winhttphandler2 versions
cpe:2.3:a:microsoft:system.net.http.winhttphandler:4.0.1:*:*:*:*:asp.net:*:*+ 1 more
- cpe:2.3:a:microsoft:system.net.http.winhttphandler:4.0.1:*:*:*:*:asp.net:*:*
- cpe:2.3:a:microsoft:system.net.http.winhttphandler:4.3.0:*:*:*:*:asp.net:*:*
Microsoft/System.net.security2 versions
cpe:2.3:a:microsoft:system.net.security:4.0.0:*:*:*:*:asp.net:*:*+ 1 more
- cpe:2.3:a:microsoft:system.net.security:4.0.0:*:*:*:*:asp.net:*:*
- cpe:2.3:a:microsoft:system.net.security:4.3.0:*:*:*:*:asp.net:*:*
Microsoft/System.net.websockets.client2 versions
cpe:2.3:a:microsoft:system.net.websockets.client:4.0.0:*:*:*:*:asp.net:*:*+ 1 more
- cpe:2.3:a:microsoft:system.net.websockets.client:4.0.0:*:*:*:*:asp.net:*:*
- cpe:2.3:a:microsoft:system.net.websockets.client:4.3.0:*:*:*:*:asp.net:*:*
Microsoft/System.text.encodings.web2 versions
cpe:2.3:a:microsoft:system.text.encodings.web:4.0.0:*:*:*:*:asp.net:*:*+ 1 more
- cpe:2.3:a:microsoft:system.text.encodings.web:4.0.0:*:*:*:*:asp.net:*:*
- cpe:2.3:a:microsoft:system.text.encodings.web:4.3.0:*:*:*:*:asp.net:*:*
Microsoft Corporation/ASP.NET Corev5
Range: ASP.NET Core

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

technet.microsoft.com/en-us/library/security/4021279.aspxnvdPatchVendor AdvisoryWEB
www.sidertia.com/Home/Community/Blog/2017/05/18/ASPNET-Core-Unicode-Non-Char-Encoding-DoSnvdExploitThird Party AdvisoryWEB
github.com/advisories/GHSA-6xh7-4v2w-36q6ghsaADVISORY
github.com/aspnet/Announcements/issues/239nvdTechnical DescriptionThird Party AdvisoryWEB
nvd.nist.gov/vuln/detail/CVE-2017-0247ghsaADVISORY

News mentions

No linked articles in our index yet.

cvss	0.488
epss	0.009
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000