Microsoft Identity Denial of service vulnerability
Description
Microsoft Identity Denial of service vulnerability
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A denial of service vulnerability in .NET ASP.NET Core templates and Microsoft.IdentityModel allows unauthenticated attackers to exhaust server memory via malicious JWT or JWE tokens.
A denial of service vulnerability exists in ASP.NET Core project templates that use JWT-based authentication tokens, as well as in the Microsoft.IdentityModel library. The issue arises from improper handling of JWT and JWE tokens, allowing an attacker to craft tokens that cause excessive memory allocation and processing time during decompression [1][2][4].
An unauthenticated attacker can exploit this vulnerability by sending a specially crafted JWT or JWE token to a server using affected project templates. For JWE tokens, the attacker must have access to the public encryption key registered with the identity provider. The token triggers high memory consumption when the server attempts to decompress or validate it, leading to potential out-of-memory conditions [1][4].
Successful exploitation results in a denial of service, where the server can no longer respond to legitimate requests. The CVSS score indicates a scope change, meaning the impact extends beyond the token processing to affect overall system availability [4].
Microsoft has released patches for this vulnerability. Users should update Microsoft.IdentityModel packages to version 7.1.2, 6.34.0, or 5.7.0 or higher. For ASP.NET Core projects, update the Microsoft.AspNetCore.Authentication.JwtBearer, Microsoft.AspNetCore.Authentication.OpenIdConnect, and Microsoft.IdentityModel.JsonWebTokens packages to the latest versions [1][4].
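The failure mode described above comes down to inflating attacker-supplied compressed data with no limit on the output size. The following C# example is added here for illustration and is not code from Microsoft.IdentityModel or the advisory; `BoundedInflate`, its 256 KiB limit and the sample inputs are assumptions. It inflates raw DEFLATE data (the format behind the JWE `"zip": "DEF"` header) and rejects the payload as soon as the output would exceed the cap.

```csharp
using System;
using System.IO;
using System.IO.Compression;
using System.Text;

// Added example: BoundedInflate and MaxInflatedBytes are hypothetical names,
// not Microsoft.IdentityModel APIs.
public static class BoundedInflate
{
    public const int MaxInflatedBytes = 256 * 1024; // assumed policy limit

    public static byte[] Inflate(byte[] compressed, int maxBytes = MaxInflatedBytes)
    {
        using var input = new MemoryStream(compressed);
        using var deflate = new DeflateStream(input, CompressionMode.Decompress);
        using var output = new MemoryStream();
        var buffer = new byte[8192];
        int read;
        while ((read = deflate.Read(buffer, 0, buffer.Length)) > 0)
        {
            // Check before writing: memory use stays within maxBytes plus one buffer.
            if (output.Length + read > maxBytes)
                throw new InvalidDataException(
                    $"Inflated payload exceeds {maxBytes} bytes; rejecting token.");
            output.Write(buffer, 0, read);
        }
        return output.ToArray();
    }

    // Helper used only to build the constructed sample inputs below.
    private static byte[] Deflate(byte[] plain)
    {
        using var output = new MemoryStream();
        using (var deflate = new DeflateStream(output, CompressionLevel.Optimal))
            deflate.Write(plain, 0, plain.Length);
        return output.ToArray(); // ToArray is valid after the stream is closed
    }

    public static void Main()
    {
        // Constructed inputs: a small claims-like payload and a repetitive 8 MiB buffer.
        byte[] normal = Deflate(Encoding.UTF8.GetBytes("{\"sub\":\"alice\",\"scope\":\"read\"}"));
        byte[] oversized = Deflate(new byte[8 * 1024 * 1024]);

        Console.WriteLine($"normal: {normal.Length} -> {Inflate(normal).Length} bytes");
        try { Inflate(oversized); }
        catch (InvalidDataException ex)
        {
            Console.WriteLine($"oversized ({oversized.Length} compressed bytes): {ex.Message}");
        }
    }
}
```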
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| System.IdentityModel.Tokens.Jwt (NuGet) | < 5.7.0 | 5.7.0 |
| System.IdentityModel.Tokens.Jwt (NuGet) | >= 6.5.0, < 6.34.0 | 6.34.0 |
| System.IdentityModel.Tokens.Jwt (NuGet) | >= 7.0.0-preview, < 7.1.2 | 7.1.2 |
| Microsoft.IdentityModel.JsonWebTokens (NuGet) | < 5.7.0 | 5.7.0 |
| Microsoft.IdentityModel.JsonWebTokens (NuGet) | >= 6.5.0, < 6.34.0 | 6.34.0 |
| Microsoft.IdentityModel.JsonWebTokens (NuGet) | >= 7.0.0-preview, < 7.1.2 | 7.1.2 |
Affected products
65 affected products listed. OSV coordinates (osv-coords), 52 versions:

| Package (purl) | Affected range |
|---|---|
| pkg:apk/chainguard/aspnet-7-runtime | < 7.0.120-r1 |
| pkg:apk/chainguard/aspnet-7-runtime-default | < 7.0.120-r1 |
| pkg:apk/chainguard/aspnet-7-targeting-pack | < 7.0.120-r1 |
| pkg:apk/chainguard/dotnet-7 | < 7.0.120-r1 |
| pkg:apk/chainguard/dotnet-7-runtime | < 7.0.120-r1 |
| pkg:apk/chainguard/dotnet-7-runtime-default | < 7.0.120-r1 |
| pkg:apk/chainguard/dotnet-7-sdk | < 7.0.120-r1 |
| pkg:apk/chainguard/dotnet-7-sdk-default | < 7.0.120-r1 |
| pkg:apk/chainguard/dotnet-7-targeting-pack | < 7.0.120-r1 |
| pkg:apk/wolfi/aspnet-7-runtime | < 7.0.120-r1 |
| pkg:apk/wolfi/aspnet-7-runtime-default | < 7.0.120-r1 |
| pkg:apk/wolfi/aspnet-7-targeting-pack | < 7.0.120-r1 |
| pkg:apk/wolfi/dotnet-7 | < 7.0.120-r1 |
| pkg:apk/wolfi/dotnet-7-runtime | < 7.0.120-r1 |
| pkg:apk/wolfi/dotnet-7-runtime-default | < 7.0.120-r1 |
| pkg:apk/wolfi/dotnet-7-sdk | < 7.0.120-r1 |
| pkg:apk/wolfi/dotnet-7-sdk-default | < 7.0.120-r1 |
| pkg:apk/wolfi/dotnet-7-targeting-pack | < 7.0.120-r1 |
| pkg:bitnami/dotnet | >= 6.0.0, < 6.0.26 |
| pkg:bitnami/dotnet-sdk | >= 6.0.0, < 6.0.26 |
| pkg:nuget/microsoft.identitymodel.jsonwebtokens | < 5.7.0 |
| pkg:nuget/system.identitymodel.tokens.jwt | < 5.7.0 |
| pkg:rpm/almalinux/aspnetcore-runtime-6.0 | < 6.0.26-1.el9_3 |
| pkg:rpm/almalinux/aspnetcore-runtime-7.0 | < 7.0.15-1.el9_3 |
| pkg:rpm/almalinux/aspnetcore-runtime-8.0 | < 8.0.1-1.el8_9 |
| pkg:rpm/almalinux/aspnetcore-targeting-pack-6.0 | < 6.0.26-1.el9_3 |
| pkg:rpm/almalinux/aspnetcore-targeting-pack-7.0 | < 7.0.15-1.el9_3 |
| pkg:rpm/almalinux/aspnetcore-targeting-pack-8.0 | < 8.0.1-1.el8_9 |
| pkg:rpm/almalinux/dotnet | < 8.0.101-1.el8_9 |
| pkg:rpm/almalinux/dotnet-apphost-pack-6.0 | < 6.0.26-1.el9_3 |
| pkg:rpm/almalinux/dotnet-apphost-pack-7.0 | < 7.0.15-1.el9_3 |
| pkg:rpm/almalinux/dotnet-apphost-pack-8.0 | < 8.0.1-1.el8_9 |
| pkg:rpm/almalinux/dotnet-host | < 8.0.1-1.el8_9 |
| pkg:rpm/almalinux/dotnet-hostfxr-6.0 | < 6.0.26-1.el9_3 |
| pkg:rpm/almalinux/dotnet-hostfxr-7.0 | < 7.0.15-1.el9_3 |
| pkg:rpm/almalinux/dotnet-hostfxr-8.0 | < 8.0.1-1.el8_9 |
| pkg:rpm/almalinux/dotnet-runtime-6.0 | < 6.0.26-1.el9_3 |
| pkg:rpm/almalinux/dotnet-runtime-7.0 | < 7.0.15-1.el9_3 |
| pkg:rpm/almalinux/dotnet-runtime-8.0 | < 8.0.1-1.el8_9 |
| pkg:rpm/almalinux/dotnet-sdk-6.0 | < 6.0.126-1.el9_3 |
| pkg:rpm/almalinux/dotnet-sdk-6.0-source-built-artifacts | < 6.0.126-1.el9_3 |
| pkg:rpm/almalinux/dotnet-sdk-7.0 | < 7.0.115-1.el9_3 |
| pkg:rpm/almalinux/dotnet-sdk-7.0-source-built-artifacts | < 7.0.115-1.el9_3 |
| pkg:rpm/almalinux/dotnet-sdk-8.0 | < 8.0.101-1.el8_9 |
| pkg:rpm/almalinux/dotnet-sdk-8.0-source-built-artifacts | < 8.0.101-1.el8_9 |
| pkg:rpm/almalinux/dotnet-targeting-pack-6.0 | < 6.0.26-1.el9_3 |
| pkg:rpm/almalinux/dotnet-targeting-pack-7.0 | < 7.0.15-1.el9_3 |
| pkg:rpm/almalinux/dotnet-targeting-pack-8.0 | < 8.0.1-1.el8_9 |
| pkg:rpm/almalinux/dotnet-templates-6.0 | < 6.0.126-1.el9_3 |
| pkg:rpm/almalinux/dotnet-templates-7.0 | < 7.0.115-1.el9_3 |
| pkg:rpm/almalinux/dotnet-templates-8.0 | < 8.0.101-1.el8_9 |
| pkg:rpm/almalinux/netstandard-targeting-pack-2.1 | < 8.0.101-1.el8_9 |
Vendor/product entries:

| Vendor/Product | Source | Range |
|---|---|---|
| Microsoft/Microsoft Identity Model v5.0.0 | v5 | 5.0 |
| Microsoft/Microsoft Identity Model v5.0.0 for Nuget | v5 | 5.0 |
| Microsoft/Microsoft Identity Model v6.0.0 | v5 | 6.0 |
| Microsoft/Microsoft Identity Model v6.0.0 for Nuget | v5 | 6.0 |
| Microsoft/Microsoft Identity Model v7.0.0 | v5 | 7.0 |
| Microsoft/Microsoft Identity Model v7.0.0 for Nuget | v5 | 7.0 |
| Microsoft/Microsoft Visual Studio 2022 version 17.2 | v5 | 17.2.0 |
| Microsoft/Microsoft Visual Studio 2022 version 17.4 | v5 | 17.4.0 |
| Microsoft/Microsoft Visual Studio 2022 version 17.6 | v5 | 17.6.0 |
| Microsoft/Microsoft Visual Studio 2022 version 17.8 | v5 | 17.8.0 |
| Microsoft/.NET 6.0 | v5 | 6.0.0 |
| Microsoft/.NET 7.0 | v5 | 7.0.0 |
| Microsoft/.NET 8.0 | v5 | 8.0 |
References
- github.com/advisories/GHSA-59j7-ghrg-fj52 (ghsa, ADVISORY)
- msrc.microsoft.com/update-guide/vulnerability/CVE-2024-21319 (mitre, vendor-advisory)
- github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/security/advisories/GHSA-8g9c-28fc-mcx2 (ghsa, WEB)
- github.com/dotnet/announcements/issues/290 (ghsa, WEB)
- github.com/dotnet/aspnetcore/security/advisories/GHSA-59j7-ghrg-fj52 (ghsa, WEB)