CVE-2019-1075
Description
A spoofing vulnerability exists in ASP.NET Core that could lead to an open redirect, aka 'ASP.NET Core Spoofing Vulnerability'.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
An open redirect spoofing vulnerability in ASP.NET Core allows attackers to redirect users to malicious sites via specially crafted URLs.
Vulnerability
CVE-2019-1075 is an open redirect spoofing vulnerability in ASP.NET Core. The flaw exists because ASP.NET Core improperly parses URLs, allowing an attacker to craft a URL that appears to redirect to a trusted site but actually leads to a malicious one [2][3].
Exploitation
An attacker can exploit this vulnerability by sending a specially crafted link and convincing a user to click it. No authentication or special privileges are required; the attack is a typical phishing vector [3].
Impact
Successful exploitation results in an open redirect, which can be used for phishing attacks to steal credentials or distribute malware by redirecting users to attacker-controlled websites [2][3].
Mitigation
Microsoft has released updates for affected packages: Microsoft.AspNetCore.Server.HttpSys, Microsoft.AspNetCore.Server.IIS, Microsoft.AspNetCore.All, and Microsoft.AspNetCore.App. Developers should update to the secure versions listed in the advisory [3]. No mitigating factors were identified.
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
Microsoft.AspNetCore.AppNuGet | >= 2.2.0, < 2.2.6 | 2.2.6 |
Microsoft.AspNetCore.AppNuGet | >= 2.1.0, < 2.1.12 | 2.1.12 |
Microsoft.AspNetCore.AllNuGet | >= 2.2.0, < 2.2.6 | 2.2.6 |
Microsoft.AspNetCore.AllNuGet | >= 2.1.0, < 2.1.12 | 2.1.12 |
Microsoft.AspNetCore.Server.IISNuGet | >= 2.2.0, < 2.2.6 | 2.2.6 |
Microsoft.AspNetCore.Server.HttpSysNuGet | >= 2.2.0, < 2.2.6 | 2.2.6 |
Microsoft.AspNetCore.Server.HttpSysNuGet | >= 2.1.0, < 2.1.12 | 2.1.12 |
Affected products
5- ghsa-coords4 versionspkg:nuget/microsoft.aspnetcore.allpkg:nuget/microsoft.aspnetcore.apppkg:nuget/microsoft.aspnetcore.server.httpsyspkg:nuget/microsoft.aspnetcore.server.iis
>= 2.2.0, < 2.2.6+ 3 more
- (no CPE)range: >= 2.2.0, < 2.2.6
- (no CPE)range: >= 2.2.0, < 2.2.6
- (no CPE)range: >= 2.2.0, < 2.2.6
- (no CPE)range: >= 2.2.0, < 2.2.6
- Microsoft/ASP.NET Corev5Range: 2.1
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
5- github.com/advisories/GHSA-prrf-397v-83xhghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2019-1075ghsaADVISORY
- github.com/aspnet/Announcements/issues/373ghsaWEB
- github.com/github/advisory-database/issues/302ghsaWEB
- portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1075ghsax_refsource_MISCWEB
News mentions
0No linked articles in our index yet.