VYPR
Moderate severity · NVD Advisory · Published Mar 6, 2019 · Updated Aug 4, 2024

CVE-2019-0657

Description

A vulnerability exists in certain .NET Framework APIs and Visual Studio in the way they parse URLs, aka '.NET Framework and Visual Studio Spoofing Vulnerability'.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

.NET Framework and .NET Core fail to properly parse URLs with International Domain Name encoding, enabling domain spoofing attacks that can redirect users to malicious sites.

Vulnerability

CVE-2019-0657 is a spoofing vulnerability in the .NET Framework and .NET Core URI parsing APIs, including those used by Visual Studio. The flaw causes the meaning of a URI to change when International Domain Name (IDN) encoding is applied [1][2]. Affected software includes .NET Core 1.0, 1.1, 2.1, and 2.2 applications using the System.Private.Uri package (vulnerable version 4.3.0) or the Microsoft.NETCore.App package (vulnerable versions 2.1.0 through 2.1.7, 2.2.0, and 2.2.1) [3]. Applications that parse URLs via these libraries without proper validation are at risk.

Exploitation

An attacker can exploit this vulnerability by crafting a malicious URI that uses IDN encoding to represent a legitimate domain. When the vulnerable .NET API parses such a URI, the decoded result points to an attacker-controlled domain instead of the intended one [1]. No authentication or user interaction beyond visiting a crafted link or loading content that triggers URI parsing is required; the attack is network-accessible.

Impact

Successful exploitation allows an attacker to perform domain spoofing, redirecting users to a malicious site that appears to be legitimate [3]. This can be used in phishing attacks to deceive users into revealing credentials or downloading malware. The vulnerability primarily impacts the integrity of the displayed URL and can lead to information disclosure or credential theft.

Mitigation

Microsoft released updated packages to fix the vulnerability: System.Private.Uri version 4.3.1 and Microsoft.NETCore.App versions 2.1.8 and 2.2.2 [3]. Red Hat also provided updates for .NET Core on Red Hat Enterprise Linux via RHSA-2019:0349 [1]. Developers should update their applications to use the patched versions. No workarounds are known [3].

AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package (ecosystem)             Affected versions     Patched versions
Microsoft.NETCore.App (NuGet)   >= 2.2.0, < 2.2.2     2.2.2
Microsoft.NETCore.App (NuGet)   >= 2.1.0, < 2.1.8     2.1.8
System.Private.Uri (NuGet)      >= 4.3.0, < 4.3.2     4.3.2
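
One way to check a published .NET Core application against the ranges in the Affected packages table above, as an added example that is not part of the advisory or any Microsoft tooling. It reads the `libraries` section of a `*.deps.json` file; the sample manifest and the function names are constructed for illustration.

```python
import json

# Affected ranges copied from the "Affected packages" table on this page:
# package name (lower case) -> list of (first affected, first patched) versions.
AFFECTED = {
    "microsoft.netcore.app": [((2, 1, 0), (2, 1, 8)), ((2, 2, 0), (2, 2, 2))],
    "system.private.uri": [((4, 3, 0), (4, 3, 2))],
}

def parse_version(text):
    """Turn '2.1.7' into (2, 1, 7). A prerelease or build suffix is dropped,
    so '2.2.0-preview3' is treated as 2.2.0 (a conservative choice)."""
    core = text.split("-", 1)[0].split("+", 1)[0]
    try:
        parts = [int(p) for p in core.split(".")[:3]]
    except ValueError:
        return None  # not a numeric version string
    return tuple(parts + [0] * (3 - len(parts)))

def is_affected(name, version):
    """True if name/version falls inside one of the table's affected ranges."""
    v = parse_version(version)
    if v is None:
        return False
    return any(lo <= v < hi for lo, hi in AFFECTED.get(name.lower(), []))

def scan_deps_json(text):
    """Return sorted (package, version) pairs from a deps.json document
    whose version lies in an affected range."""
    doc = json.loads(text)
    hits = set()
    for key in doc.get("libraries", {}):  # keys look like "Name/Version"
        name, _, version = key.partition("/")
        if version and is_affected(name, version):
            hits.add((name, version))
    return sorted(hits)

# Constructed sample manifest (not taken from a real application).
SAMPLE_DEPS = json.dumps({
    "runtimeTarget": {"name": ".NETCoreApp,Version=v2.1"},
    "libraries": {
        "DemoApp/1.0.0": {"type": "project"},
        "Microsoft.NETCore.App/2.1.7": {"type": "package"},
        "System.Private.Uri/4.3.0": {"type": "package"},
        "Newtonsoft.Json/12.0.1": {"type": "package"},
    },
})

if __name__ == "__main__":
    for name, version in scan_deps_json(SAMPLE_DEPS):
        print(f"affected: {name} {version}")
```

For a framework-dependent application, a Microsoft.NETCore.App hit reflects the version the application was built against, so the runtime installed on the host should be checked as well.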

Affected products

18
  • ghsa-coords (2 versions)
    • (no CPE) range: >= 2.2.0, < 2.2.2
    • (no CPE) range: >= 4.3.0, < 4.3.2
  • Microsoft/Microsoft .NET Framework 2.0 v5
    Range: Service Pack 2 on Windows Server 2008 for Itanium-Based Systems Service Pack 2
  • Microsoft/Microsoft .NET Framework 3.0 v5
    Range: Service Pack 2 on Windows Server 2008 for Itanium-Based Systems Service Pack 2
  • Microsoft/Microsoft .NET Framework 3.5 v5
    Range: Windows Server 2012
  • Microsoft/Microsoft .NET Framework 3.5.1 v5
    Range: Windows 7 for 32-bit Systems Service Pack 1
  • Microsoft/Microsoft .NET Framework 4.5.2 v5
    Range: Windows 7 for 32-bit Systems Service Pack 1
  • Microsoft/Microsoft .NET Framework 4.6 v5
    Range: Windows Server 2008 for 32-bit Systems Service Pack 2
  • Microsoft/Microsoft .NET Framework 4.6.2/4.7/4.7.1/4.7.2 v5
    Range: Windows Server 2016
  • Microsoft/Microsoft .NET Framework 4.6/4.6.1/4.6.2 v5
    Range: Windows 10 for 32-bit Systems
  • Microsoft/Microsoft .NET Framework 4.6/4.6.1/4.6.2/4.7/4.7.1/4.7.2 v5
    Range: Windows 7 for 32-bit Systems Service Pack 1
  • Microsoft/Microsoft .NET Framework 4.7.1/4.7.2 v5
    Range: Windows 10 Version 1709 for 32-bit Systems
  • Microsoft/Microsoft .NET Framework 4.7.2 v5
    Range: Windows 10 Version 1803 for 32-bit Systems
  • Microsoft/Microsoft .NET Framework 4.7/4.7.1/4.7.2 v5
    Range: Windows 10 Version 1703 for 32-bit Systems
  • Microsoft/Microsoft Visual Studio v5
    Range: 2017
  • Microsoft/Microsoft Visual Studio 2017 v5
    Range: version 15.9
  • Microsoft/.NET Core v5
    Range: 1
  • Microsoft/PowerShell Core v5
    Range: 6.1
