Impact
The flaw in ASP.NET Core is an allocation of resources without limits or throttling, classified as CWE-770. An unauthenticated remote actor can drive the runtime into consuming memory or other critical resources, degrading application responsiveness and ultimately denying availability.
Affected Systems
The affected products are the Microsoft ASP.NET Core runtime versions 8.0, 9.0 and 10.0, together with any web application running on those framework versions. The CPE entries list Red Hat Enterprise Linux 8, 9 and 10.1 as platforms that ship the affected runtime. All listed releases are affected; applications that do not add their own resource limits on top of the runtime's defaults are fully exposed.
Risk and Exploitability
The CVSS score of 7.5 indicates high severity, while the EPSS of 3% indicates a currently low likelihood of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog. The attack vector is the network: an attacker sends crafted HTTP requests to the vulnerable application to drive sustained resource consumption until the application or its host stops responding. No authentication or privileged access is required; reachability of the affected endpoints is enough. The description implies that no prior compromise of the operating system or surrounding environment is needed. Any application built on the affected ASP.NET Core versions that does not impose its own resource controls is therefore at risk.
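As an added example (not code from the advisory, from OpenCVE or from Microsoft, and not the upstream fix for this CVE), the following Program.cs shows the kind of developer-supplied resource limits an ASP.NET Core 8+ application can apply so that a single unauthenticated client cannot hold memory, connections or worker time open without bound. Every numeric limit and the /upload endpoint are assumptions chosen for illustration; tune them to the service's real traffic profile.

```csharp
// Added example, not the advisory's or Microsoft's code: Program.cs for an ASP.NET Core 8+
// app that applies explicit limits (Kestrel transport, per-client rate limiting, request
// timeouts) against CWE-770 style resource exhaustion. All numbers are assumptions.
using System.Threading.RateLimiting;
using Microsoft.AspNetCore.Http.Timeouts;
using Microsoft.AspNetCore.Server.Kestrel.Core;

var builder = WebApplication.CreateBuilder(args);

// Kestrel transport limits: cap what one request may make the server buffer, and how long
// a client may dawdle while the server holds resources for it.
builder.WebHost.ConfigureKestrel(kestrel =>
{
    kestrel.Limits.MaxConcurrentConnections = 1000;          // total open connections
    kestrel.Limits.MaxConcurrentUpgradedConnections = 100;   // WebSocket-style upgrades
    kestrel.Limits.MaxRequestBodySize = 1 * 1024 * 1024;     // 1 MiB; default is 30,000,000 bytes
    kestrel.Limits.MaxRequestHeaderCount = 50;
    kestrel.Limits.MaxRequestHeadersTotalSize = 16 * 1024;
    kestrel.Limits.MaxRequestLineSize = 8 * 1024;
    kestrel.Limits.RequestHeadersTimeout = TimeSpan.FromSeconds(10);
    kestrel.Limits.KeepAliveTimeout = TimeSpan.FromSeconds(30);
    // Slowloris-style trickle uploads: require a minimum body data rate or drop the request.
    kestrel.Limits.MinRequestBodyDataRate =
        new MinDataRate(bytesPerSecond: 240, gracePeriod: TimeSpan.FromSeconds(5));
});

// Per-client rate limiting (Microsoft.AspNetCore.RateLimiting, .NET 7+): bounds how many
// requests one remote address may issue per window, with a small bounded queue.
builder.Services.AddRateLimiter(options =>
{
    options.RejectionStatusCode = StatusCodes.Status429TooManyRequests;
    options.GlobalLimiter = PartitionedRateLimiter.Create<HttpContext, string>(ctx =>
        RateLimitPartition.GetFixedWindowLimiter(
            partitionKey: ctx.Connection.RemoteIpAddress?.ToString() ?? "unknown",
            factory: _ => new FixedWindowRateLimiterOptions
            {
                PermitLimit = 100,
                Window = TimeSpan.FromSeconds(10),
                QueueProcessingOrder = QueueProcessingOrder.OldestFirst,
                QueueLimit = 10,
            }));
});

// Request timeouts (Microsoft.AspNetCore.Http.Timeouts, .NET 8+): a handler that runs too
// long has its RequestAborted token cancelled, so a slow path cannot pin a thread forever.
builder.Services.AddRequestTimeouts(options =>
{
    options.DefaultPolicy = new RequestTimeoutPolicy
    {
        Timeout = TimeSpan.FromSeconds(15),
        TimeoutStatusCode = StatusCodes.Status503ServiceUnavailable,
    };
});

var app = builder.Build();
app.UseRateLimiter();
app.UseRequestTimeouts();

// Hypothetical upload endpoint (assumption): streams the body in bounded chunks and honours
// cancellation instead of buffering the whole payload in memory.
app.MapPost("/upload", async (HttpRequest request, CancellationToken ct) =>
{
    long total = 0;
    var buffer = new byte[64 * 1024];
    int read;
    while ((read = await request.Body.ReadAsync(buffer, ct)) > 0)
    {
        total += read;   // process the chunk here rather than accumulating it
    }
    return Results.Ok(new { bytesReceived = total });
});

app.Run();
```

Updating to a patched runtime is still required; these limits bound the blast radius of any unbounded allocation on the application's own code path and turn a hung process into a 429 or 503 that operators can see and alert on.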