VYPR
← All advisories
High severityNVD Advisory· Published May 16, 2019· Updated Aug 4, 2024

CVE-2019-0980

CVE-2019-0980

Description

A denial of service vulnerability exists when .NET Framework or .NET Core improperly handle web requests, aka '.Net Framework and .Net Core Denial of Service Vulnerability'. This CVE ID is unique from CVE-2019-0820, CVE-2019-0981.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A remote unauthenticated attacker can trigger a denial of service against .NET Core and ASP.NET Core applications by sending specially crafted web requests.

Root

Cause

CVE-2019-0980 is a denial of service (DoS) vulnerability in .NET Framework and .NET Core that arises when the software improperly handles certain web requests. This improper handling occurs in the System.Private.Uri package, specifically versions 4.3.0 and 4.3.1 [3]. The vulnerability can be exploited remotely without authentication, making it accessible over the network [3].

Exploitation

An attacker can exploit this flaw by sending specially crafted HTTP requests to a vulnerable .NET Core or ASP.NET Core application. No prior authentication is required, and no user interaction is needed [3]. The attack surface is broad, as the flaw affects applications using the System.Private.Uri package across .NET Core 1.0, 1.1, 2.1, and 2.2, as well as corresponding ASP.NET Core versions [3].

Impact

Successful exploitation results in a denial of service condition, causing the targeted application to become unresponsive or crash. This can disrupt services and availability for legitimate users. The vulnerability is rated with a CVSS base score of 7.5 (High) according to NVD metrics [2], and Microsoft has noted no mitigating factors [3].

Mitigation

Microsoft has released an updated version of the System.Private.Uri package (4.3.2) that corrects the request handling flaw [3]. Patches are delivered through updated .NET Core runtimes and SDKs. Developers are advised to install the latest .NET Core runtime or SDK for their supported version. Affected software includes .NET Core 1.0, 1.1, 2.1, and 2.2, and corresponding ASP.NET Core applications [3].

References
  1. NVD - CVE-2019-0980
  2. Microsoft Security Advisory CVE-2019-0980: .NET Core Denial of Service Vulnerability

AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
System.Private.UriNuGet
>= 4.3.0, < 4.3.24.3.2

Affected products

50
  • Microsoft/.net Frameworkllm-fuzzy
  • .NET Core/.NET Corellm-fuzzy
  • ghsa-coords
    pkg:nuget/system.private.uri
    Range: >= 4.3.0, < 4.3.2
  • Microsoft/Microsoft .NET Frameworkcpe-rescue11 versions
    Service Pack 2 on Windows Server 2008 for Itanium-Based Systems Service Pack 2+ 10 more
    • (no CPE)range: Service Pack 2 on Windows Server 2008 for Itanium-Based Systems Service Pack 2
    • (no CPE)range: Service Pack 2 on Windows Server 2008 for Itanium-Based Systems Service Pack 2
    • (no CPE)range: Windows Server 2012
    • (no CPE)range: Windows 7 for 32-bit Systems Service Pack 1
    • (no CPE)range: Windows 7 for 32-bit Systems Service Pack 1
    • (no CPE)range: Windows Server 2008 for 32-bit Systems Service Pack 2
    • (no CPE)range: Windows Server 2016
    • (no CPE)range: Windows 7 for 32-bit Systems Service Pack 1
    • (no CPE)range: Windows 10 Version 1709 for 32-bit Systems
    • (no CPE)range: Windows 10 Version 1803 for 32-bit Systems
    • (no CPE)range: Windows 10 Version 1703 for 32-bit Systems
  • Microsoft/Microsoft .NET Framework 3.5 on Windows 10 Version 1903 for 32-bit Systemsv5
    Range: unspecified
  • Microsoft/Microsoft .NET Framework 3.5 on Windows 10 Version 1903 for x64-based Systemsv5
    Range: unspecified
  • Microsoft/Microsoft .NET Framework 3.5 on Windows Server, version 1903 (Server Core installation)v5
    Range: unspecified
  • Microsoft/Microsoft .NET Framework 4.6.2 on Windows 10 for 32-bit Systemsv5
    Range: unspecified
  • Microsoft/Microsoft .NET Framework 4.6.2 on Windows 10 for x64-based Systemsv5
    Range: unspecified
  • Microsoft/Microsoft .NET Framework 4.7.2 on Windows 10 Version 1809 for ARM64-based Systemsv5
    Range: unspecified
  • Microsoft/Microsoft .NET Framework 4.8 on Windows 10 Version 1607 for 32-bit Systemsv5
    Range: unspecified
  • Microsoft/Microsoft .NET Framework 4.8 on Windows 10 Version 1607 for x64-based Systemsv5
    Range: unspecified
  • Microsoft/Microsoft .NET Framework 4.8 on Windows 10 Version 1703 for 32-bit Systemsv5
    Range: unspecified
  • Microsoft/Microsoft .NET Framework 4.8 on Windows 10 Version 1703 for x64-based Systemsv5
    Range: unspecified
  • Microsoft/Microsoft .NET Framework 4.8 on Windows 10 Version 1709 for 32-bit Systemsv5
    Range: unspecified
  • Microsoft/Microsoft .NET Framework 4.8 on Windows 10 Version 1709 for x64-based Systemsv5
    Range: unspecified
  • Microsoft/Microsoft .NET Framework 4.8 on Windows 10 Version 1803 for 32-bit Systemsv5
    Range: unspecified
  • Microsoft/Microsoft .NET Framework 4.8 on Windows 10 Version 1803 for x64-based Systemsv5
    Range: unspecified
  • Microsoft/Microsoft .NET Framework 4.8 on Windows 10 Version 1809 for 32-bit Systemsv5
    Range: unspecified
  • Microsoft/Microsoft .NET Framework 4.8 on Windows 10 Version 1809 for x64-based Systemsv5
    Range: unspecified
  • Microsoft/Microsoft .NET Framework 4.8 on Windows 10 Version 1903 for 32-bit Systemsv5
    Range: unspecified
  • Microsoft/Microsoft .NET Framework 4.8 on Windows 10 Version 1903 for x64-based Systemsv5
    Range: unspecified
  • Microsoft/Microsoft .NET Framework 4.8 on Windows 7 for 32-bit Systems Service Pack 1v5
    Range: unspecified
  • Microsoft/Microsoft .NET Framework 4.8 on Windows 7 for x64-based Systems Service Pack 1v5
    Range: unspecified
  • Microsoft/Microsoft .NET Framework 4.8 on Windows 8.1 for 32-bit systemsv5
    Range: unspecified
  • Microsoft/Microsoft .NET Framework 4.8 on Windows 8.1 for x64-based systemsv5
    Range: unspecified
  • Microsoft/Microsoft .NET Framework 4.8 on Windows RT 8.1v5
    Range: unspecified
  • Microsoft/Microsoft .NET Framework 4.8 on Windows Server 2008 R2 for x64-based Systems Service Pack 1v5
    Range: unspecified
  • Microsoft/Microsoft .NET Framework 4.8 on Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)v5
    Range: unspecified
  • Microsoft/Microsoft .NET Framework 4.8 on Windows Server 2012v5
    Range: unspecified
  • Microsoft/Microsoft .NET Framework 4.8 on Windows Server 2012 R2v5
    Range: unspecified
  • Microsoft/Microsoft .NET Framework 4.8 on Windows Server 2012 R2 (Server Core installation)v5
    Range: unspecified
  • Microsoft/Microsoft .NET Framework 4.8 on Windows Server 2012 (Server Core installation)v5
    Range: unspecified
  • Microsoft/Microsoft .NET Framework 4.8 on Windows Server 2016v5
    Range: unspecified
  • Microsoft/Microsoft .NET Framework 4.8 on Windows Server 2016 (Server Core installation)v5
    Range: unspecified
  • Microsoft/Microsoft .NET Framework 4.8 on Windows Server 2019v5
    Range: unspecified
  • Microsoft/Microsoft .NET Framework 4.8 on Windows Server 2019 (Server Core installation)v5
    Range: unspecified
  • Microsoft/Microsoft .NET Framework 4.8 on Windows Server, version 1803 (Server Core Installation)v5
    Range: unspecified
  • Microsoft/Microsoft .NET Framework 4.8 on Windows Server, version 1903 (Server Core installation)v5
    Range: unspecified
  • Microsoft/Aspnetcorecpe-rescue
    Range: 1

Patches

0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

6

News mentions

0

No linked articles in our index yet.