CVE-2023-38180 — Microsoft .NET Core and Visual Studio Denial-of-Service Vulnerability

CVE-2023-38180

Microsoft .NET Core / ASP.NET Core — Unauthenticated DoS in Kestrel Web Server via Crafted HTTP Requests

What is Microsoft .NET Core / ASP.NET Core?

.NET Core (now simply ".NET") is Microsoft's cross-platform, open-source runtime for building web applications, APIs, microservices, and cloud-native services. ASP.NET Core is the web framework built on .NET Core, and Kestrel is its built-in, cross-platform web server. ASP.NET Core and Kestrel power a large proportion of Microsoft-ecosystem web applications and APIs, making denial-of-service vulnerabilities in this stack broadly impactful: any organization running ASP.NET Core web applications or APIs on an unpatched runtime is exposed, and a reverse proxy in front of Kestrel may reduce but does not remove that exposure.

Overview

CVE-2023-38180 is a denial-of-service vulnerability in .NET Core and Visual Studio that allows an unauthenticated remote attacker to crash or hang a .NET application by sending specially crafted HTTP requests. Microsoft patched it in the August 2023 Patch Tuesday release as an actively exploited zero-day. CISA added it to the KEV catalog the following day, reflecting confirmed active exploitation — notable for a DoS vulnerability, which is typically considered lower severity than code execution bugs.

Affected Versions

Product               Affected              Fixed
.NET 6.0              Prior to 6.0.21       6.0.21
.NET 7.0              Prior to 7.0.10       7.0.10
ASP.NET Core 2.1      Prior to 2.1.41       2.1.41
Visual Studio 2022    Multiple versions     August 2023 update

Technical Details

The vulnerability affects ASP.NET Core applications served by the Kestrel web server. An unauthenticated client can send crafted HTTP requests that drive the server into excessive resource consumption (CPU spinning, memory exhaustion, or thread pool starvation) until the application becomes unresponsive or crashes. Microsoft's advisory does not publish the request shape that triggers the condition, so the exact mechanism inside the request pipeline is not public.

Without a front-end that validates or rate-limits traffic before it reaches Kestrel, an attacker can keep a stream of such requests flowing and degrade or completely deny service to legitimate users. Because the trigger is unpublished, a front-end filter is a mitigation only; the runtime update is the fix.

CVE-2023-38180 is distinct from the HTTP/2 "Rapid Reset" attack (CVE-2023-44487), which was disclosed in October 2023 and fixed separately in .NET 6.0.23 and 7.0.12. Both are unauthenticated availability attacks against Kestrel, but they use different mechanisms, and updating to 6.0.21 / 7.0.10 for this CVE does not cover Rapid Reset.

Microsoft's advisory did not describe the observed attacks, so the scale and targets of the exploitation are not public. The zero-day status and the KEV addition confirm only that exploitation occurred; for a DoS-only vulnerability that is unusual, since most KEV entries involve code execution or privilege escalation.

Discovery

Microsoft credited an anonymous reporter. Active exploitation at the time of disclosure indicates the vulnerability was known to and used by threat actors before the patch was available.

Exploitation Context

Denial-of-service attacks against critical web applications and APIs have serious operational impact: taking down a web application serving healthcare, government services, financial transactions, or emergency communications causes real-world harm proportional to what the targeted service does. Microsoft has not published who was targeted or how, so the nature of the exploitation campaign is unknown. CISA's next-day KEV addition, with a 21-day remediation deadline, reflects urgency even for an availability-only impact vulnerability.

Remediation

  1. Update the .NET runtime to 6.0.21 or 7.0.10 (or later). Inventory installed runtimes with dotnet --list-runtimes (dotnet --version prints only the SDK version); dotnet sdk check reports whether installed SDKs and runtimes are current. Framework-dependent apps pick up the patched shared runtime once it is installed from dot.net or the system package manager; self-contained deployments and container images bundle their own runtime and must be rebuilt on a patched SDK or base image and redeployed. Applications on ASP.NET Core 2.1 update their package references to 2.1.41.
  2. Update Visual Studio 2022 to the August 2023 servicing release via the Visual Studio Installer or Help > Check for Updates; Visual Studio is listed because it bundles the affected .NET SDKs and runtimes.
  3. Put a reverse proxy (nginx, IIS, Azure Application Gateway, Cloudflare) in front of Kestrel-based applications. A proxy terminates client connections and can reject oversized or malformed requests and rate-limit clients before they reach Kestrel, which narrows the attack surface, but it is not a substitute for the runtime update: Microsoft did not publish the request shape that triggers the bug, so no proxy rule can be assumed to block it.
  4. Enable rate limiting in ASP.NET Core with the Microsoft.AspNetCore.RateLimiting middleware (AddRateLimiter / UseRateLimiter, available in .NET 7 and later), partitioned by client address so one source cannot consume the whole request budget.
  5. Set Kestrel limits (KestrelServerLimits: MaxConcurrentConnections, MaxRequestBodySize, MaxRequestHeadersTotalSize, RequestHeadersTimeout, MinRequestBodyDataRate, Http2.MaxStreamsPerConnection) so a burst of requests exhausts a bounded budget rather than the host.
  6. Monitor application health: alert on response-time degradation, thread pool queue growth (dotnet-counters threadpool-queue-length), GC heap growth and rising 429/503 rates so DoS attempts are detected quickly.
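As an added example, not code from the original advisory or from Microsoft, the following Program.cs combines steps 4 and 5 with a startup check for step 1: it refuses to start on a .NET 6 or 7 runtime older than the fixed versions in the table above, tightens the Kestrel limits, and applies a per-client fixed-window rate limiter. The project shape (a .NET 7 `dotnet new web` project with implicit usings), the limit values, and the hypothetical `IsPatchedRuntime` helper are assumptions chosen for illustration.

```csharp
// Added example (not from the advisory or from Microsoft): hardening a Kestrel-hosted
// ASP.NET Core app against request-driven resource exhaustion, plus a startup check
// that the runtime carries the CVE-2023-38180 fix.
// Assumes a .NET 7 "dotnet new web" project (implicit usings enabled); the limit
// values are illustrative, not Microsoft recommendations.
using System.Threading.RateLimiting;
using Microsoft.AspNetCore.RateLimiting;
using Microsoft.AspNetCore.Server.Kestrel.Core;

// Hypothetical helper: minimum runtime version carrying the fix, per major version.
// Thresholds are the advisory's fixed versions; 8.0 and later shipped after the fix.
static bool IsPatchedRuntime(Version runtime)
{
    var fixedIn = new Dictionary<int, Version>
    {
        [6] = new Version(6, 0, 21),
        [7] = new Version(7, 0, 10),
    };
    if (fixedIn.TryGetValue(runtime.Major, out var minimum))
        return runtime >= minimum;
    return runtime.Major > 7;   // 5.x and earlier are out of support: treat as unpatched
}

// Step 1: refuse to start on an unpatched runtime. Environment.Version reports the
// running runtime (e.g. 6.0.21) on .NET Core 3.0 and later, not the SDK version.
var runtime = Environment.Version;
if (!IsPatchedRuntime(runtime))
{
    Console.Error.WriteLine(
        $"Refusing to start: runtime {runtime} predates the CVE-2023-38180 fix.");
    return 1;
}

var builder = WebApplication.CreateBuilder(args);

// Step 5: bound what a single connection or request may consume. Kestrel's default
// connection count is unlimited and the default body limit is 30 MB.
builder.WebHost.ConfigureKestrel(kestrel =>
{
    kestrel.Limits.MaxConcurrentConnections = 1000;
    kestrel.Limits.MaxConcurrentUpgradedConnections = 100;     // WebSockets etc.
    kestrel.Limits.MaxRequestBodySize = 1 * 1024 * 1024;         // 1 MB
    kestrel.Limits.MaxRequestHeaderCount = 50;
    kestrel.Limits.MaxRequestHeadersTotalSize = 16 * 1024;
    kestrel.Limits.RequestHeadersTimeout = TimeSpan.FromSeconds(10);
    kestrel.Limits.KeepAliveTimeout = TimeSpan.FromSeconds(60);
    // Drop clients that trickle a body slower than 240 B/s after a 5 s grace period.
    kestrel.Limits.MinRequestBodyDataRate =
        new MinDataRate(bytesPerSecond: 240, gracePeriod: TimeSpan.FromSeconds(5));
    // One HTTP/2 connection may not fan out into unbounded concurrent streams.
    kestrel.Limits.Http2.MaxStreamsPerConnection = 100;
});

// Step 4: per-client fixed-window limiter (Microsoft.AspNetCore.RateLimiting, .NET 7+).
builder.Services.AddRateLimiter(options =>
{
    options.RejectionStatusCode = StatusCodes.Status429TooManyRequests;
    options.GlobalLimiter = PartitionedRateLimiter.Create<HttpContext, string>(ctx =>
        RateLimitPartition.GetFixedWindowLimiter(
            // Behind a reverse proxy RemoteIpAddress is the proxy's address; add
            // app.UseForwardedHeaders() so this key is the real client.
            partitionKey: ctx.Connection.RemoteIpAddress?.ToString() ?? "unknown",
            factory: _ => new FixedWindowRateLimiterOptions
            {
                PermitLimit = 100,
                Window = TimeSpan.FromSeconds(10),
                QueueLimit = 0,   // reject immediately; queued requests hold resources
            }));
});

var app = builder.Build();
app.UseRateLimiter();
app.MapGet("/", () => "ok");
app.Run();
return 0;
```

The startup check is a guard rail for fleets where the shared runtime is patched by an OS package or base-image refresh: a service that silently keeps running on an old runtime is exactly what this CVE punishes. The limits and the limiter are defence in depth and do not replace the update, since the triggering request shape is unpublished; tune the values against real traffic, and when the app sits behind a proxy configure the forwarded-headers middleware before the rate limiter so the partition key is the client address rather than the proxy's.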

Key Details

Property                 Value
CVE ID                   CVE-2023-38180
Vendor / Product         Microsoft — .NET Core and Visual Studio
NVD Published            2023-08-08
NVD Last Modified        2025-10-28
CVSS 3.1 Score           7.5
CVSS 3.1 Vector          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Severity                 HIGH
CISA KEV Added           2023-08-09
CISA KEV Deadline        2023-08-30
Known Ransomware Use     No

CVSS 3.1 Breakdown

Attack Vector            Network
Attack Complexity        Low
Privileges Required      None
User Interaction         None
Scope                    Unchanged
Confidentiality          None
Integrity                None
Availability             High

Required Action

CISA BOD 22-01 Deadline: 2023-08-30. Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

Timeline

Date          Event
2023-08-08    Microsoft August 2023 Patch Tuesday: CVE-2023-38180 disclosed and patched as an actively exploited zero-day
2023-08-09    Added to CISA Known Exploited Vulnerabilities catalog
2023-08-30    CISA BOD 22-01 remediation deadline

References

Resource                                          Type
Microsoft Security Response Center Advisory       Vendor Advisory
.NET August 2023 Security Updates                 Vendor Advisory
NVD — CVE-2023-38180                              Vulnerability Database
CISA KEV Catalog Entry                            US Government