CVE-2019-0564
Description
A denial of service vulnerability exists when ASP.NET Core improperly handles web requests, aka "ASP.NET Core Denial of Service Vulnerability." This affects ASP.NET Core 2.1. This CVE ID is unique from CVE-2019-0548.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A denial of service vulnerability in ASP.NET Core 2.1 and 2.2 allows remote unauthenticated attackers to cause a denial of service via specially crafted requests.
Vulnerability
A denial of service vulnerability exists in ASP.NET Core when it improperly handles specially crafted web requests [3]. The flaw affects ASP.NET Core 2.1 and 2.2, specifically in the packages Microsoft.AspNetCore.WebSockets, Microsoft.AspNetCore.Server.Kestrel.Core, System.Net.WebSockets.WebSocketProtocol, Microsoft.NETCore.App, Microsoft.AspNetCore.App, and Microsoft.AspNetCore.All [3]. The vulnerable versions are listed in the Microsoft advisory [3]; for example, Microsoft.AspNetCore.WebSockets versions 2.2.0, 2.1.0, and 2.1.1 are vulnerable.
Exploitation
A remote, unauthenticated attacker can exploit this vulnerability by sending specially crafted requests to an affected ASP.NET Core application [3]. No special privileges or user interaction is required.
Impact
Successful exploitation causes a denial of service condition, making the ASP.NET Core web application unavailable [3]. The attacker does not gain any other access or control; the impact is limited to availability.
Mitigation
Microsoft has released updates to address the vulnerability [3]. The secure versions are: Microsoft.AspNetCore.WebSockets (2.2.1 or 2.1.7), Microsoft.AspNetCore.Server.Kestrel.Core (2.1.7), System.Net.WebSockets.WebSocketProtocol (4.5.3), Microsoft.NETCore.App (2.2.1 or 2.1.7), Microsoft.AspNetCore.App (2.2.1 or 2.1.7), and Microsoft.AspNetCore.All (2.2.1 or 2.1.7) [3]. No workarounds or mitigating factors have been identified [3]. Users should update their applications to the latest patched versions.
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
Microsoft.AspNetCore.WebSocketsNuGet | >= 2.2.0, < 2.2.1 | 2.2.1 |
Microsoft.AspNetCore.WebSocketsNuGet | >= 2.1.0, < 2.1.7 | 2.1.7 |
Microsoft.AspNetCore.Server.Kestrel.CoreNuGet | >= 2.1.0, < 2.1.7 | 2.1.7 |
System.Net.WebSockets.WebSocketProtocolNuGet | >= 4.5.0, < 4.5.3 | 4.5.3 |
Microsoft.NETCore.AppNuGet | >= 2.2.0, < 2.2.1 | 2.2.1 |
Microsoft.NETCore.AppNuGet | >= 2.1.0, < 2.1.7 | 2.1.7 |
Microsoft.AspNetCore.AppNuGet | >= 2.2.0, < 2.2.1 | 2.2.1 |
Microsoft.AspNetCore.AppNuGet | >= 2.1.0, < 2.1.7 | 2.1.7 |
Microsoft.AspNetCore.AllNuGet | >= 2.2.0, < 2.2.1 | 2.2.1 |
Microsoft.AspNetCore.AllNuGet | >= 2.1.0, < 2.1.7 | 2.1.7 |
Affected products
7- ghsa-coords6 versionspkg:nuget/microsoft.aspnetcore.allpkg:nuget/microsoft.aspnetcore.apppkg:nuget/microsoft.aspnetcore.server.kestrel.corepkg:nuget/microsoft.aspnetcore.websocketspkg:nuget/microsoft.netcore.apppkg:nuget/system.net.websockets.websocketprotocol
>= 2.2.0, < 2.2.1+ 5 more
- (no CPE)range: >= 2.2.0, < 2.2.1
- (no CPE)range: >= 2.2.0, < 2.2.1
- (no CPE)range: >= 2.1.0, < 2.1.7
- (no CPE)range: >= 2.2.0, < 2.2.1
- (no CPE)range: >= 2.2.0, < 2.2.1
- (no CPE)range: >= 4.5.0, < 4.5.3
- Microsoft/ASP.NET Corev5Range: 2.1
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
7- access.redhat.com/errata/RHSA-2019:0040ghsavendor-advisoryx_refsource_REDHATWEB
- github.com/advisories/GHSA-6px8-22w5-w334ghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2019-0564ghsaADVISORY
- www.securityfocus.com/bid/106413ghsavdb-entryx_refsource_BIDWEB
- github.com/aspnet/Announcements/issues/334ghsaWEB
- github.com/github/advisory-database/issues/302ghsaWEB
- portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0564ghsax_refsource_CONFIRMWEB
News mentions
0No linked articles in our index yet.