CVE-2017-0247

Name: CVE-2017-0247
Creator: NVD / NIST
Published: 2017-05-12T14:29:03.91+00:00
License: https://creativecommons.org/publicdomain/zero/1.0/

UnknownEPSS 16.91%

Last modified Jun 17, 2026

CVE-2017-0247 is a vulnerability of currently unknown severity. A denial of service vulnerability exists when the ASP.NET Core fails to properly validate web requests. NOTE: Microsoft has not commented on third-party claims that the issue is that the TextEncoder.EncodeCore function in the System.Text.Encodings.Web package in ASP.NET Core Mvc before 1.0.4 and 1.1.x before 1.1.3 allows remote attackers to cause a denial of service by leveraging failure to properly calculate the length of 4-byte characters in the Unicode Non-Character range.. EPSS estimates a 16.91% chance of exploitation in the next 30 days.

Description

A denial of service vulnerability exists when the ASP.NET Core fails to properly validate web requests. NOTE: Microsoft has not commented on third-party claims that the issue is that the TextEncoder.EncodeCore function in the System.Text.Encodings.Web package in ASP.NET Core Mvc before 1.0.4 and 1.1.x before 1.1.3 allows remote attackers to cause a denial of service by leveraging failure to properly calculate the length of 4-byte characters in the Unicode Non-Character range.

Metrics

EPSS Probability

16.91%

96.7th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

CWE-20

Affected Software

Vendor	Product	Versions
Microsoft	Asp.Net Model View Controller	1.0.0
Microsoft	Asp.Net Model View Controller	1.0.1
Microsoft	Asp.Net Model View Controller	1.0.2
Microsoft	Asp.Net Model View Controller	1.0.3
Microsoft	Asp.Net Model View Controller	1.1.0
Microsoft	Asp.Net Model View Controller	1.1.1
Microsoft	Asp.Net Model View Controller	1.1.2
Microsoft	Microsoft.Aspnetcore.Mvc.Abstractions	1.0.0
Microsoft	Microsoft.Aspnetcore.Mvc.Abstractions	1.0.1
Microsoft	Microsoft.Aspnetcore.Mvc.Abstractions	1.0.2
Microsoft	Microsoft.Aspnetcore.Mvc.Abstractions	1.0.3
Microsoft	Microsoft.Aspnetcore.Mvc.Abstractions	1.1.0
Microsoft	Microsoft.Aspnetcore.Mvc.Abstractions	1.1.1
Microsoft	Microsoft.Aspnetcore.Mvc.Abstractions	1.1.2
Microsoft	Microsoft.Aspnetcore.Mvc.Apiexplorer	1.0.0
Microsoft	Microsoft.Aspnetcore.Mvc.Apiexplorer	1.0.1
Microsoft	Microsoft.Aspnetcore.Mvc.Apiexplorer	1.0.2
Microsoft	Microsoft.Aspnetcore.Mvc.Apiexplorer	1.0.3
Microsoft	Microsoft.Aspnetcore.Mvc.Apiexplorer	1.1.0
Microsoft	Microsoft.Aspnetcore.Mvc.Apiexplorer	1.1.1
Microsoft	Microsoft.Aspnetcore.Mvc.Apiexplorer	1.1.2
Microsoft	Microsoft.Aspnetcore.Mvc.Cors	1.0.0
Microsoft	Microsoft.Aspnetcore.Mvc.Cors	1.0.1
Microsoft	Microsoft.Aspnetcore.Mvc.Cors	1.0.2
Microsoft	Microsoft.Aspnetcore.Mvc.Cors	1.0.3
Microsoft	Microsoft.Aspnetcore.Mvc.Cors	1.1.0
Microsoft	Microsoft.Aspnetcore.Mvc.Cors	1.1.1
Microsoft	Microsoft.Aspnetcore.Mvc.Cors	1.1.2
Microsoft	Microsoft.Aspnetcore.Mvc.Dataannotations	1.0.0
Microsoft	Microsoft.Aspnetcore.Mvc.Dataannotations	1.0.1
Microsoft	Microsoft.Aspnetcore.Mvc.Dataannotations	1.0.2
Microsoft	Microsoft.Aspnetcore.Mvc.Dataannotations	1.0.3
Microsoft	Microsoft.Aspnetcore.Mvc.Dataannotations	1.1.0
Microsoft	Microsoft.Aspnetcore.Mvc.Dataannotations	1.1.1
Microsoft	Microsoft.Aspnetcore.Mvc.Dataannotations	1.1.2
Microsoft	Microsoft.Aspnetcore.Mvc.Formatters.Json	1.0.0
Microsoft	Microsoft.Aspnetcore.Mvc.Formatters.Json	1.0.1
Microsoft	Microsoft.Aspnetcore.Mvc.Formatters.Json	1.0.2
Microsoft	Microsoft.Aspnetcore.Mvc.Formatters.Json	1.0.3
Microsoft	Microsoft.Aspnetcore.Mvc.Formatters.Json	1.1.0
Microsoft	Microsoft.Aspnetcore.Mvc.Formatters.Json	1.1.1
Microsoft	Microsoft.Aspnetcore.Mvc.Formatters.Json	1.1.2
Microsoft	Microsoft.Aspnetcore.Mvc.Formatters.Xml	1.0.0
Microsoft	Microsoft.Aspnetcore.Mvc.Formatters.Xml	1.0.1
Microsoft	Microsoft.Aspnetcore.Mvc.Formatters.Xml	1.0.2
Microsoft	Microsoft.Aspnetcore.Mvc.Formatters.Xml	1.0.3
Microsoft	Microsoft.Aspnetcore.Mvc.Formatters.Xml	1.1.0
Microsoft	Microsoft.Aspnetcore.Mvc.Formatters.Xml	1.1.1
Microsoft	Microsoft.Aspnetcore.Mvc.Formatters.Xml	1.1.2
Microsoft	Microsoft.Aspnetcore.Mvc.Localization	1.0.0

Showing 50 of 101 affected configurations. See NVD for the full list.

References

https://github.com/aspnet/Announcements/issues/239Technical Description, Third Party Advisory
https://technet.microsoft.com/en-us/library/security/4021279.aspxPatch, Vendor Advisory
https://www.sidertia.com/Home/Community/Blog/2017/05/18/ASPNET-Core-Unicode-Non-Char-Encoding-DoSExploit, Third Party Advisory
https://github.com/aspnet/Announcements/issues/239Technical Description, Third Party Advisory
https://technet.microsoft.com/en-us/library/security/4021279.aspxPatch, Vendor Advisory
https://www.sidertia.com/Home/Community/Blog/2017/05/18/ASPNET-Core-Unicode-Non-Char-Encoding-DoSExploit, Third Party Advisory

Timeline

Published: May 12, 2017
Last Modified: Jun 17, 2026
Status: Modified

Frequently Asked Questions

What is CVE-2017-0247?

How severe is CVE-2017-0247?

Severity scoring for CVE-2017-0247 is pending analysis. The EPSS model estimates a 16.91% probability of exploitation in the next 30 days.

How do I fix CVE-2017-0247?

Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2017-0247?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST