CVE-2020-0602
Description
A denial of service vulnerability exists when ASP.NET Core improperly handles web requests, aka 'ASP.NET Core Denial of Service Vulnerability'.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
CVE-2020-0602 is a remotely exploitable denial of service vulnerability in ASP.NET Core caused by improper handling of specially crafted web requests.
Vulnerability
Overview
CVE-2020-0602 is a denial of service (DoS) vulnerability in ASP.NET Core that arises when the framework improperly handles certain web requests [4]. The root cause lies in how ASP.NET Core processes incoming HTTP traffic; an error in request validation or resource management allows an attacker to trigger excessive resource consumption or application crash.
Exploitation
The attack surface is network-based and requires no authentication or user interaction [4]. A remote, unauthenticated attacker can exploit this vulnerability by sending a series of specially crafted requests to an ASP.NET Core application [2][4]. The vulnerability affects ASP.NET Core applications running on .NET Core 2.1, 3.0, or 3.1, particularly those using SignalR or packages like Microsoft.AspNetCore.Http.Connections [4].
Impact
Successful exploitation results in a denial of service, meaning the target ASP.NET Core web application becomes unresponsive or crashes, disrupting legitimate service availability [1][4]. No code execution or data access is reported.
Mitigation
Microsoft has released updates to address this vulnerability. Developers should upgrade their runtime/SDK and affected packages to secure versions: .NET Core 2.1.15, 3.0.1, or 3.1.1, and package Microsoft.AspNetCore.Http.Connections to 1.0.15 [4]. Red Hat has also shipped patched packages for .NET Core 3.0 on RHEL 8 [1][2].
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
Microsoft.AspNetCore.AllNuGet | >= 2.1.0, < 2.1.15 | 2.1.15 |
Microsoft.AspNetCore.AppNuGet | >= 3.1.0, < 3.1.1 | 3.1.1 |
Microsoft.AspNetCore.AppNuGet | >= 3.0.0, < 3.0.1 | 3.0.1 |
Microsoft.AspNetCore.AppNuGet | >= 2.1.0, < 2.1.15 | 2.1.15 |
Microsoft.AspNetCore.Http.ConnectionsNuGet | >= 1.0.0, < 1.0.15 | 1.0.15 |
Microsoft.AspNetCore.App.Runtime.linux-armNuGet | >= 3.1.0, < 3.1.1 | 3.1.1 |
Microsoft.AspNetCore.App.Runtime.linux-arm64NuGet | >= 3.1.0, < 3.1.1 | 3.1.1 |
Microsoft.AspNetCore.App.Runtime.linux-musl-x64NuGet | >= 3.1.0, < 3.1.1 | 3.1.1 |
Microsoft.AspNetCore.App.Runtime.linux-x64NuGet | >= 3.1.0, < 3.1.1 | 3.1.1 |
Microsoft.AspNetCore.App.Runtime.osx-x64NuGet | >= 3.1.0, < 3.1.1 | 3.1.1 |
Microsoft.AspNetCore.App.Runtime.win-armNuGet | >= 3.1.0, < 3.1.1 | 3.1.1 |
Microsoft.AspNetCore.App.Runtime.win-x64NuGet | >= 3.1.0, < 3.1.1 | 3.1.1 |
Microsoft.AspNetCore.App.Runtime.win-x86NuGet | >= 3.1.0, < 3.1.1 | 3.1.1 |
Affected products
13- osv-coords12 versionspkg:bitnami/aspnet-corepkg:nuget/microsoft.aspnetcore.allpkg:nuget/microsoft.aspnetcore.apppkg:nuget/microsoft.aspnetcore.app.runtime.linux-armpkg:nuget/microsoft.aspnetcore.app.runtime.linux-arm64pkg:nuget/microsoft.aspnetcore.app.runtime.linux-musl-x64pkg:nuget/microsoft.aspnetcore.app.runtime.linux-x64pkg:nuget/microsoft.aspnetcore.app.runtime.osx-x64pkg:nuget/microsoft.aspnetcore.app.runtime.win-armpkg:nuget/microsoft.aspnetcore.app.runtime.win-x64pkg:nuget/microsoft.aspnetcore.app.runtime.win-x86pkg:nuget/microsoft.aspnetcore.http.connections
>= 2.1.0, < 2.1.1+ 11 more
- (no CPE)range: >= 2.1.0, < 2.1.1
- (no CPE)range: >= 2.1.0, < 2.1.15
- (no CPE)range: >= 3.1.0, < 3.1.1
- (no CPE)range: >= 3.1.0, < 3.1.1
- (no CPE)range: >= 3.1.0, < 3.1.1
- (no CPE)range: >= 3.1.0, < 3.1.1
- (no CPE)range: >= 3.1.0, < 3.1.1
- (no CPE)range: >= 3.1.0, < 3.1.1
- (no CPE)range: >= 3.1.0, < 3.1.1
- (no CPE)range: >= 3.1.0, < 3.1.1
- (no CPE)range: >= 3.1.0, < 3.1.1
- (no CPE)range: >= 1.0.0, < 1.0.15
- Microsoft/ASP.NET Corev5Range: 2.1
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
7- access.redhat.com/errata/RHSA-2020:0130ghsavendor-advisoryx_refsource_REDHATWEB
- access.redhat.com/errata/RHSA-2020:0134ghsavendor-advisoryx_refsource_REDHATWEB
- github.com/advisories/GHSA-23cv-jh4v-vffmghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2020-0602ghsaADVISORY
- github.com/aspnet/Announcements/issues/402ghsaWEB
- github.com/github/advisory-database/issues/302ghsaWEB
- portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0602ghsax_refsource_MISCWEB
News mentions
0No linked articles in our index yet.