CVE-2020-1161
Description
A denial of service vulnerability exists when ASP.NET Core improperly handles web requests, aka 'ASP.NET Core Denial of Service Vulnerability'.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
ASP.NET Core improperly handles web requests, allowing remote unauthenticated attackers to cause denial of service via crafted requests.
Vulnerability
Overview CVE-2020-1161 is a denial-of-service (DoS) vulnerability in ASP.NET Core that arises when the framework improperly handles certain web requests. The root cause is a flaw in request processing logic that can be triggered by specially crafted input [1].
Exploitation
Details The vulnerability is remotely exploitable without authentication. An attacker can send a series of malicious requests to an affected ASP.NET Core application, causing excessive resource consumption or an unhandled exception that leads to a denial of service [2]. No special privileges or network position beyond standard internet access is required.
Impact
Successful exploitation allows an unauthenticated attacker to make the ASP.NET Core application unresponsive, disrupting service availability. The impact is limited to denial of service; no data disclosure or elevation of privilege is indicated [1][2].
Mitigation
Microsoft released an update that corrects how ASP.NET Core handles web requests, eliminating the vulnerability. The fix is included in .NET Core 3.1.4 and later. Users should update their runtime or SDK to the latest 3.1.x version. .NET Core 3.0, which is out of support, should be upgraded to 3.1 [2].
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
Microsoft.AspNetCore.App.Runtime.linux-armNuGet | >= 3.1.0, < 3.1.4 | 3.1.4 |
Microsoft.AspNetCore.App.Runtime.linux-arm64NuGet | >= 3.1.0, < 3.1.4 | 3.1.4 |
Microsoft.AspNetCore.App.Runtime.linux-musl-arm64NuGet | >= 3.1.0, < 3.1.4 | 3.1.4 |
Microsoft.AspNetCore.App.Runtime.linux-musl-x64NuGet | >= 3.1.0, < 3.1.4 | 3.1.4 |
Microsoft.AspNetCore.App.Runtime.linux-x64NuGet | >= 3.1.0, < 3.1.4 | 3.1.4 |
Microsoft.AspNetCore.App.Runtime.osx-x64NuGet | >= 3.1.0, < 3.1.4 | 3.1.4 |
Microsoft.AspNetCore.App.Runtime.win-armNuGet | >= 3.1.0, < 3.1.4 | 3.1.4 |
Microsoft.AspNetCore.App.Runtime.win-x64NuGet | >= 3.1.0, < 3.1.4 | 3.1.4 |
Microsoft.AspNetCore.App.Runtime.win-x86NuGet | >= 3.1.0, < 3.1.4 | 3.1.4 |
Affected products
15- osv-coords10 versionspkg:bitnami/aspnet-corepkg:nuget/microsoft.aspnetcore.app.runtime.linux-armpkg:nuget/microsoft.aspnetcore.app.runtime.linux-arm64pkg:nuget/microsoft.aspnetcore.app.runtime.linux-musl-arm64pkg:nuget/microsoft.aspnetcore.app.runtime.linux-musl-x64pkg:nuget/microsoft.aspnetcore.app.runtime.linux-x64pkg:nuget/microsoft.aspnetcore.app.runtime.osx-x64pkg:nuget/microsoft.aspnetcore.app.runtime.win-armpkg:nuget/microsoft.aspnetcore.app.runtime.win-x64pkg:nuget/microsoft.aspnetcore.app.runtime.win-x86
>= 3.1.0, < 3.1.1+ 9 more
- (no CPE)range: >= 3.1.0, < 3.1.1
- (no CPE)range: >= 3.1.0, < 3.1.4
- (no CPE)range: >= 3.1.0, < 3.1.4
- (no CPE)range: >= 3.1.0, < 3.1.4
- (no CPE)range: >= 3.1.0, < 3.1.4
- (no CPE)range: >= 3.1.0, < 3.1.4
- (no CPE)range: >= 3.1.0, < 3.1.4
- (no CPE)range: >= 3.1.0, < 3.1.4
- (no CPE)range: >= 3.1.0, < 3.1.4
- (no CPE)range: >= 3.1.0, < 3.1.4
- Microsoft/ASP.NET Corev5Range: 3.1
- Microsoft/Microsoft Visual Studio 2017 version 15.9 (includes 15.1 - 15.8)v5Range: unspecified
- Microsoft/Microsoft Visual Studio 2019v5Range: 16.0
- Microsoft/Microsoft Visual Studio 2019 version 16.4 (includes 16.0 - 16.3)v5Range: unspecified
- Microsoft/Microsoft Visual Studio 2019 version 16.5v5Range: unspecified
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
4- github.com/advisories/GHSA-3cf7-7wq6-8842ghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2020-1161ghsaADVISORY
- github.com/aspnet/Announcements/issues/416ghsaWEB
- portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1161ghsax_refsource_MISCWEB
News mentions
0No linked articles in our index yet.