CVE-2025-26682: ASP.NET Core and Visual Studio Denial of Service Vulnerability

Overview

Severity: High (CVSS 7.5)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Category: Denial of Service
Exploit Status: Not Exploited
Exploitation Likelihood: Less Likely
Patch Tuesday: 2025-Apr
Released: 2025-04-08
EPSS Score: 47.03% (percentile: 97.7%)

Description

Allocation of resources without limits or throttling in ASP.NET Core allows an unauthorized attacker to deny service over a network.

Affected Products (6)

Developer Tools

ASP.NET Core 8.0
Microsoft Visual Studio 2022 version 17.12
Microsoft Visual Studio 2022 version 17.13
Microsoft Visual Studio 2022 version 17.8
Microsoft Visual Studio 2022 version 17.10
ASP.NET Core 9.0

Security Updates (6)

Acknowledgments

James Newton-King with Microsoft, James Newton-King with Microsoft

Revision History

2025-04-08: Information published.