ASP.NET Core SignalR and Visual Studio Information Disclosure Vulnerability
Description
ASP.NET Core SignalR and Visual Studio Information Disclosure Vulnerability
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
ASP.NET Core SignalR connections using a Redis backplane can leak information to unauthorized users due to an authentication bypass.
Vulnerability Overview
CVE-2023-35391 is an information disclosure vulnerability in ASP.NET Core SignalR when configured with a Redis backplane. The root cause lies in the Redis backplane implementation failing to properly enforce connection authentication, potentially allowing an attacker to receive messages intended for other users [1][2].
Exploitation
The vulnerability affects ASP.NET Core 2.1, .NET 6.0, and .NET 7.0 applications using SignalR with a Redis backplane. An attacker who can connect to the SignalR hub may be able to subscribe to groups or receive messages without proper authorization, bypassing the application's authentication checks. No additional mitigating factors were identified by Microsoft [1][2].
Impact
A successful exploit could lead to information disclosure, where an attacker gains access to sensitive data transmitted over SignalR connections. This includes any messages or data exchanged within SignalR groups that the attacker is not authorized to receive [1][2].
Mitigation
Microsoft has released updates to address this vulnerability. Users should upgrade the relevant NuGet packages to the patched versions: for .NET 7.0, update Microsoft.AspNetCore.SignalR.StackExchangeRedis to 7.0.10 or later; for .NET 6.0, update to 6.0.21 or later; and for ASP.NET Core 2.1, update Microsoft.AspNetCore.SignalR.Redis to version 1.0.40 or later. No workarounds are available [1][2].
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| Microsoft.AspNetCore.SignalR.StackExchangeRedis (NuGet) | >= 7.0.0, < 7.0.10 | 7.0.10 |
| Microsoft.AspNetCore.SignalR.StackExchangeRedis (NuGet) | >= 6.0.0, < 6.0.21 | 6.0.21 |
| Microsoft.AspNetCore.SignalR.Redis (NuGet) | < 1.0.40 | 1.0.40 |
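As an added example (not code from the advisory or from Microsoft), the check below scans a project file's `PackageReference` entries against the affected ranges in the table above. The function names and the sample project are constructed for illustration, and only versions pinned directly in the `.csproj` are evaluated.

```python
import xml.etree.ElementTree as ET

# Affected ranges from the advisory table: (package, first affected, patched version).
# 4th element: 1 = release, 0 = prerelease, so 7.0.10-rc.1 sorts below patched 7.0.10.
AFFECTED = [
    ("Microsoft.AspNetCore.SignalR.StackExchangeRedis", (7, 0, 0, 0), (7, 0, 10, 1)),
    ("Microsoft.AspNetCore.SignalR.StackExchangeRedis", (6, 0, 0, 0), (6, 0, 21, 1)),
    ("Microsoft.AspNetCore.SignalR.Redis", (0, 0, 0, 0), (1, 0, 40, 1)),
]

def parse_version(text):
    """'7.0.9' -> (7, 0, 9, 1); '7.0.10-rc.1' -> (7, 0, 10, 0). Raises ValueError otherwise."""
    core, _, prerelease = text.strip().split("+", 1)[0].partition("-")
    nums = [int(p) for p in core.split(".")[:3]]
    return tuple(nums + [0] * (3 - len(nums)) + [0 if prerelease else 1])

def local_name(element):
    return element.tag.rsplit("}", 1)[-1]  # drop an MSBuild XML namespace if present

def find_affected(csproj_xml):
    """Return (package, pinned version, patched version) for each affected reference."""
    findings = []
    for ref in ET.fromstring(csproj_xml).iter():
        if local_name(ref) != "PackageReference":
            continue
        name = ref.get("Include") or ref.get("Update") or ""
        version = ref.get("Version") or next(
            (c.text for c in ref if local_name(c) == "Version"), None)
        try:
            parsed = parse_version(version or "")
        except ValueError:
            continue  # not pinned here (central management, floating, range): resolve separately
        for package, low, patched in AFFECTED:
            if name.lower() == package.lower() and low <= parsed < patched:
                findings.append((name, version.strip(), ".".join(map(str, patched[:3]))))
    return findings

# Constructed sample project file, not taken from any real application.
SAMPLE_CSPROJ = """<Project Sdk="Microsoft.NET.Sdk.Web">
  <ItemGroup>
    <PackageReference Include="Microsoft.AspNetCore.SignalR.StackExchangeRedis" Version="6.0.20" />
    <PackageReference Include="Microsoft.AspNetCore.SignalR.Redis"><Version>1.0.40</Version></PackageReference>
    <PackageReference Include="StackExchange.Redis" Version="2.6.122" />
  </ItemGroup>
</Project>"""

if __name__ == "__main__":
    for name, found, patched in find_affected(SAMPLE_CSPROJ):
        print(f"{name} {found} is affected by CVE-2023-35391; upgrade to {patched} or later")
```

References that are skipped because no concrete version is pinned in the project file still need to be resolved from the restored dependency graph before the project can be considered clear.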
Affected products
- osv-coords (5 versions): pkg:bitnami/aspnet-core, pkg:bitnami/dotnet, pkg:bitnami/dotnet-sdk, pkg:nuget/microsoft.aspnetcore.signalr.redis, pkg:nuget/microsoft.aspnetcore.signalr.stackexchangeredis
  - (no CPE) range: >= 2.1.0, < 2.1.40
  - (no CPE) range: >= 6.0.0, < 6.0.21
  - (no CPE) range: >= 6.0.0, < 6.0.21
  - (no CPE) range: < 1.0.40
  - (no CPE) range: >= 7.0.0, < 7.0.10
- Microsoft/ASP.NET Core 2.1 (v5), Range: 2.0
- Microsoft/Microsoft Visual Studio 2022 version 17.2 (v5), Range: 17.2.0
- Microsoft/Microsoft Visual Studio 2022 version 17.4 (v5), Range: 17.4.0
- Microsoft/Microsoft Visual Studio 2022 version 17.6 (v5), Range: 17.6.0
- Microsoft/.NET 6.0 (v5), Range: 6.0.0
- Microsoft/.NET 7.0 (v5), Range: 7.0.0
Patches
No patches discovered yet.
References
- github.com/advisories/GHSA-j8rm-cm55-qqj6 (ghsa, ADVISORY)
- msrc.microsoft.com/update-guide/vulnerability/CVE-2023-35391 (ghsa, vendor-advisory, WEB)
- nvd.nist.gov/vuln/detail/CVE-2023-35391 (ghsa, ADVISORY)
- github.com/dotnet/announcements/issues/267 (ghsa, WEB)
- github.com/dotnet/aspnetcore/security/advisories/GHSA-j8rm-cm55-qqj6 (ghsa, WEB)