CVE-2020-0603
Description
A remote code execution vulnerability exists in ASP.NET Core software when the software fails to handle objects in memory.An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the current user, aka 'ASP.NET Core Remote Code Execution Vulnerability'.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
ASP.NET Core remote code execution vulnerability due to improper memory object handling allows unauthenticated attackers to execute arbitrary code via crafted requests.
Vulnerability
Overview CVE-2020-0603 is a remote code execution vulnerability in ASP.NET Core that arises when the software fails to properly handle objects in memory [4]. This affects applications using SignalR and specific packages, including Microsoft.AspNetCore.Http.Connections, Microsoft.AspNetCore.App, and Microsoft.AspNetCore.All [4].
Exploitation
An unauthenticated attacker can exploit this vulnerability by sending specially crafted requests to an ASP.NET Core application [4]. No authentication or special network position is required, making the attack surface broad.
Impact
Successful exploitation allows the attacker to execute arbitrary code in the context of the current user [4]. This could lead to full control over the application and potential data compromise.
Mitigation
Microsoft has released updates for .NET Core 2.1, 3.0, and 3.1, as well as patched packages [4]. Red Hat also provided patches via RHSA-2020:0130 and RHSA-2020:0134 [1][2]. Users should update to the secure versions listed in the advisory.
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
Microsoft.AspNetCore.AllNuGet | >= 2.1.0, < 2.1.15 | 2.1.15 |
Microsoft.AspNetCore.AppNuGet | >= 3.1.0, < 3.1.1 | 3.1.1 |
Microsoft.AspNetCore.AppNuGet | >= 3.0.0, < 3.0.1 | 3.0.1 |
Microsoft.AspNetCore.AppNuGet | >= 2.1.0, < 2.1.15 | 2.1.15 |
Microsoft.AspNetCore.Http.ConnectionsNuGet | >= 1.0.0, < 1.0.15 | 1.0.15 |
Microsoft.AspNetCore.App.Runtime.linux-armNuGet | >= 3.1.0, < 3.1.1 | 3.1.1 |
Microsoft.AspNetCore.App.Runtime.linux-arm64NuGet | >= 3.1.0, < 3.1.1 | 3.1.1 |
Microsoft.AspNetCore.App.Runtime.linux-musl-arm64NuGet | >= 3.1.0, < 3.1.1 | 3.1.1 |
Microsoft.AspNetCore.App.Runtime.linux-musl-x64NuGet | >= 3.1.0, < 3.1.1 | 3.1.1 |
Microsoft.AspNetCore.App.Runtime.linux-x64NuGet | >= 3.1.0, < 3.1.1 | 3.1.1 |
Microsoft.AspNetCore.App.Runtime.osx-x64NuGet | >= 3.1.0, < 3.1.1 | 3.1.1 |
Microsoft.AspNetCore.App.Runtime.win-armNuGet | >= 3.1.0, < 3.1.1 | 3.1.1 |
Microsoft.AspNetCore.App.Runtime.win-x64NuGet | >= 3.1.0, < 3.1.1 | 3.1.1 |
Microsoft.AspNetCore.App.Runtime.win-x86NuGet | >= 3.1.0, < 3.1.1 | 3.1.1 |
Affected products
14- osv-coords13 versionspkg:bitnami/aspnet-corepkg:nuget/microsoft.aspnetcore.allpkg:nuget/microsoft.aspnetcore.apppkg:nuget/microsoft.aspnetcore.app.runtime.linux-armpkg:nuget/microsoft.aspnetcore.app.runtime.linux-arm64pkg:nuget/microsoft.aspnetcore.app.runtime.linux-musl-arm64pkg:nuget/microsoft.aspnetcore.app.runtime.linux-musl-x64pkg:nuget/microsoft.aspnetcore.app.runtime.linux-x64pkg:nuget/microsoft.aspnetcore.app.runtime.osx-x64pkg:nuget/microsoft.aspnetcore.app.runtime.win-armpkg:nuget/microsoft.aspnetcore.app.runtime.win-x64pkg:nuget/microsoft.aspnetcore.app.runtime.win-x86pkg:nuget/microsoft.aspnetcore.http.connections
>= 2.1.0, < 2.1.1+ 12 more
- (no CPE)range: >= 2.1.0, < 2.1.1
- (no CPE)range: >= 2.1.0, < 2.1.15
- (no CPE)range: >= 3.1.0, < 3.1.1
- (no CPE)range: >= 3.1.0, < 3.1.1
- (no CPE)range: >= 3.1.0, < 3.1.1
- (no CPE)range: >= 3.1.0, < 3.1.1
- (no CPE)range: >= 3.1.0, < 3.1.1
- (no CPE)range: >= 3.1.0, < 3.1.1
- (no CPE)range: >= 3.1.0, < 3.1.1
- (no CPE)range: >= 3.1.0, < 3.1.1
- (no CPE)range: >= 3.1.0, < 3.1.1
- (no CPE)range: >= 3.1.0, < 3.1.1
- (no CPE)range: >= 1.0.0, < 1.0.15
- Microsoft/ASP.NET Corev5Range: 2.1
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
7- access.redhat.com/errata/RHSA-2020:0130ghsavendor-advisoryx_refsource_REDHATWEB
- access.redhat.com/errata/RHSA-2020:0134ghsavendor-advisoryx_refsource_REDHATWEB
- github.com/advisories/GHSA-655q-9gvg-q4cmghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2020-0603ghsaADVISORY
- github.com/aspnet/Announcements/issues/403ghsaWEB
- github.com/github/advisory-database/issues/302ghsaWEB
- portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0603ghsax_refsource_MISCWEB
News mentions
0No linked articles in our index yet.