CVE-2018-8409
Description
A denial of service vulnerability exists when System.IO.Pipelines improperly handles requests, aka "System.IO.Pipelines Denial of Service." This affects .NET Core 2.1, System.IO.Pipelines, ASP.NET Core 2.1.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A denial of service vulnerability in System.IO.Pipelines allows unauthenticated remote attackers to cause a DoS via specially crafted requests.
Vulnerability
A denial of service vulnerability exists in System.IO.Pipelines when it improperly handles requests. This affects .NET Core 2.1, System.IO.Pipelines, and ASP.NET Core 2.1. The vulnerable versions are Microsoft.AspNetCore.All >= 2.1.0, <= 2.1.3, Microsoft.AspNetCore.App >= 2.1.0, <= 2.1.3, and System.IO.Pipelines (NuGet) [1][2].
Exploitation
An attacker can exploit this vulnerability by sending specially crafted requests to an application that uses the affected System.IO.Pipelines library. No authentication is required, and the attack can be performed remotely without user interaction [1].
Impact
Successful exploitation results in a denial of service condition, causing the application to become unresponsive or crash. The vulnerability does not allow code execution or privilege escalation; it only impacts availability [1][2].
Mitigation
Microsoft released updates in October 2018 that address this vulnerability. Users should upgrade to Microsoft.AspNetCore.All 2.1.4 or later, Microsoft.AspNetCore.App 2.1.4 or later, and System.IO.Pipelines 4.5.2 or later. No workarounds are documented [2]. The vulnerability is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog.
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
Microsoft.AspNetCore.AllNuGet | >= 2.1.0, < 2.1.4 | 2.1.4 |
Microsoft.AspNetCore.AppNuGet | >= 2.1.0, < 2.1.4 | 2.1.4 |
System.IO.PipelinesNuGet | >= 4.5.0, < 4.5.1 | 4.5.1 |
Affected products
6- ghsa-coords3 versions
>= 2.1.0, < 2.1.4+ 2 more
- (no CPE)range: >= 2.1.0, < 2.1.4
- (no CPE)range: >= 2.1.0, < 2.1.4
- (no CPE)range: >= 4.5.0, < 4.5.1
- Microsoft/ASP.NET Corev5Range: 2.1
- Microsoft/.NET Corev5Range: 2.1
- Microsoft/System.IO.Pipelinesv5Range: System.IO.Pipelines
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
4- github.com/advisories/GHSA-j378-6mmw-hqfrghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2018-8409ghsaADVISORY
- www.securityfocus.com/bid/105223ghsavdb-entryx_refsource_BIDWEB
- portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8409ghsax_refsource_CONFIRMWEB
News mentions
0No linked articles in our index yet.