CVE-2024-21404 - .NET Denial of Service Vulnerability — Explained with Examples & Exploit Details
On March 12, 2024, Microsoft disclosed CVE-2024-21404, a critical Denial of Service (DoS) vulnerability affecting multiple versions of .NET. The flaw, if exploited, could allow attackers to render .NET-based applications unusable with specially crafted requests or data. In this article, we'll break down what CVE-2024-21404 is, show a concrete code example, explain potential exploit paths, and give you practical tips on how to safeguard your .NET applications.
What is CVE-2024-21404?
CVE-2024-21404 is a Denial of Service vulnerability found in .NET. Attackers can exploit this vulnerability by sending malicious inputs to your .NET application, causing it to crash or become unresponsive. This is especially damaging for web applications, APIs, and any internet-exposed .NET services.
How Does The Attack Work?
At a high level, the flaw lies in how specific functions in .NET handle malformed or oversized data. By sending enough such data, an attacker drives the application into a state where it consumes excessive resources (CPU, memory) until it hangs or crashes.
Let's see a simple snippet that is vulnerable if not patched:

```csharp
using Microsoft.AspNetCore.Mvc;
using System.Text.Json;

[ApiController]
[Route("api/[controller]")]
public class ProcessController : ControllerBase
{
    [HttpPost]
    public IActionResult Receive([FromBody] object input)
    {
        // Vulnerable: binding the body to `object` lets model binding deserialize an
        // unbounded JSON graph, which is then walked again here. Deeply nested or
        // oversized input drives up stack and memory use and can bring the process down.
        var json = JsonSerializer.Serialize(input);
        // Perform some processing...
        return Ok();
    }
}
```
If the attacker sends a specially crafted JSON payload like this:

```json
[
  [[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[... (repeat deeply) ]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]
]
```

it can exhaust stack or memory limits, leading to a crash.
You can simulate the attack using the following cURL command (replace the payload as needed):

```shell
curl -X POST http://yourapi/api/process \
  -H "Content-Type: application/json" \
  -d @giant_payload.json
```

Here `giant_payload.json` contains hundreds or thousands of nested arrays/objects.
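To see what "nesting depth" means to the .NET JSON stack, and how a bounded reader fails closed instead of recursing without limit, here is an added example that is not code from the article or from Microsoft. It uses the forward-only `Utf8JsonReader` from System.Text.Json with an explicit `MaxDepth`; the helper name `NestingDepthCheck.MeasureDepth` and the two constructed inputs (one ordinary body, one of 2,000 nested arrays shaped like the payload above) are my own.

```csharp
using System;
using System.Text;
using System.Text.Json;

// Hypothetical helper (not part of the article or of .NET): walks a JSON document with
// Utf8JsonReader and reports the deepest nesting level seen, or -1 when the reader
// refused the document because the configured MaxDepth was exceeded.
public static class NestingDepthCheck
{
    public static int MeasureDepth(byte[] utf8Json, int maxDepth)
    {
        // MaxDepth makes the reader throw JsonException as soon as nesting passes the limit,
        // so a hostile document is rejected early instead of being materialised in memory.
        var options = new JsonReaderOptions { MaxDepth = maxDepth };
        var reader = new Utf8JsonReader(utf8Json, options);
        int deepest = 0;
        try
        {
            while (reader.Read())
            {
                // CurrentDepth grows by one for every unclosed '[' or '{' above this token.
                if (reader.CurrentDepth > deepest)
                    deepest = reader.CurrentDepth;
            }
        }
        catch (JsonException)
        {
            // Nothing past the limit is parsed; the caller can reject the request outright.
            return -1;
        }
        return deepest;
    }

    public static void Main()
    {
        // Constructed inputs: a normal request body and a deeply nested one
        // (2,000 opening brackets followed by 2,000 closing ones).
        byte[] normal = Encoding.UTF8.GetBytes("{\"message\":\"hello\",\"tags\":[\"a\",\"b\"]}");
        byte[] nested = Encoding.UTF8.GetBytes(new string('[', 2000) + new string(']', 2000));

        foreach (var (label, body) in new[] { ("normal", normal), ("nested", nested) })
        {
            int depth = MeasureDepth(body, maxDepth: 32);
            Console.WriteLine(depth < 0
                ? $"{label}: rejected, nesting exceeds the limit of 32"
                : $"{label}: accepted, deepest nesting = {depth}");
        }
    }
}
```

The same `MaxDepth` knob exists on `JsonSerializerOptions`, which is what ASP.NET Core model binding uses; the point of the stand-alone reader here is only to make the depth limit and its failure mode visible on a constructed input.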
Microsoft's official advisory and related references:

- CVE-2024-21404 | .NET Denial of Service Vulnerability
- GitHub Advisory Database entry *(check for current entry)*
- Microsoft TechCommunity Security Blog
Exploit Details
Real-World Exploitation:
Researchers and cybercriminals can exploit unpatched systems by sending deeply nested or huge payloads to .NET-based APIs. In ASP.NET Core, endpoints expecting JSON/XML are especially at risk. The application may freeze, leak internal errors, or restart unexpectedly.
*Exploit Steps:*
1. Identify a vulnerable endpoint (use /api/process as in our example).
2. Craft and send a payload that triggers excessive resource usage.
3. Watch the .NET application start to consume high amounts of CPU/memory — eventually, the service stalls or crashes.
Network-level DoS
If the attacker scripts this request at volume (using bots), they can take down the whole web server or cloud service.
How to Fix and Protect Your App
Fix:
Update .NET to a release that includes the patch for CVE-2024-21404. Check the installed version with:

```shell
dotnet --version
```

Limit input: set restrictions on request body sizes and array nesting depths.
Harden Deserialization:
Use strict DTOs (Data Transfer Objects) with clear property types, avoiding the use of open types like object or dynamic.

```csharp
public class ProcessRequest
{
    public string Message { get; set; }
}

[HttpPost]
public IActionResult Receive([FromBody] ProcessRequest input)
{
    // Only the declared string property is bound; arbitrary nested structures are rejected.
    return Ok();
}
```
Enable Request Throttling:
Use ASP.NET Core middleware like Rate Limiting.
Monitor and Log Issues:
Set up monitoring for high CPU/memory usage and unusual traffic patterns.
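Putting the steps above together, here is an added example, not code from the article or from Microsoft, of an ASP.NET Core `Program.cs` that applies a Kestrel body-size cap, a JSON nesting-depth limit for model binding, a strict DTO, and per-IP rate limiting in one place. It assumes .NET 7 or later (for the built-in rate-limiting middleware) and the Web SDK's implicit usings; the policy name `per-ip`, the numeric limits, and the `[RequestSizeLimit]` on the action are my choices, and `ProcessRequest`/`ProcessController` follow the article's names.

```csharp
using System.Threading.RateLimiting;
using Microsoft.AspNetCore.Mvc;
using Microsoft.AspNetCore.RateLimiting;

var builder = WebApplication.CreateBuilder(args);

// 1. Cap the request body at the transport layer, so oversized payloads are refused
//    (HTTP 413) before any deserialization work happens. Limit chosen for this example.
builder.WebHost.ConfigureKestrel(kestrel =>
{
    kestrel.Limits.MaxRequestBodySize = 64 * 1024; // 64 KiB
});

// 2. Bound JSON nesting depth for model binding. Past MaxDepth, System.Text.Json throws
//    instead of descending further, and [ApiController] turns that into a 400 response.
builder.Services.AddControllers().AddJsonOptions(json =>
{
    json.JsonSerializerOptions.MaxDepth = 16; // example limit; size to your real payloads
});

// 3. Per-client rate limiting keyed on the remote IP address (policy name is my own).
builder.Services.AddRateLimiter(limiter =>
{
    limiter.RejectionStatusCode = StatusCodes.Status429TooManyRequests;
    limiter.AddPolicy("per-ip", context =>
        RateLimitPartition.GetFixedWindowLimiter(
            partitionKey: context.Connection.RemoteIpAddress?.ToString() ?? "unknown",
            factory: _ => new FixedWindowRateLimiterOptions
            {
                PermitLimit = 60,                  // 60 requests ...
                Window = TimeSpan.FromMinutes(1),  // ... per minute per client
                QueueLimit = 0                     // reject rather than queue excess
            }));
});

var app = builder.Build();
app.UseRateLimiter();
app.MapControllers();
app.Run();

// 4. Strict DTO: only a string is bound, never an arbitrary object graph.
public sealed class ProcessRequest
{
    public string Message { get; set; } = string.Empty;
}

[ApiController]
[Route("api/[controller]")]
[EnableRateLimiting("per-ip")]
public sealed class ProcessController : ControllerBase
{
    [HttpPost]
    [RequestSizeLimit(16 * 1024)] // tighter per-endpoint cap than the Kestrel-wide one
    public IActionResult Receive([FromBody] ProcessRequest input)
    {
        if (input.Message.Length > 1024)
            return BadRequest("Message too long.");
        return Ok();
    }
}
```

With this in place, the article's deeply nested payload is stopped at whichever layer it hits first: the body-size limit returns 413, the depth limit fails model binding with 400, and a client replaying the request at volume is cut off with 429. Pair it with the monitoring step above, since rejected requests at those three status codes are the signal you want to alert on.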
Summary
CVE-2024-21404 is a serious denial-of-service bug in .NET that can take your apps down with a simple HTTP request if left unpatched. Keep your frameworks up to date, validate all incoming data, limit request sizes, and stay alert for emerging threats.
Further Reading
- Official Microsoft .NET Security Updates
- OWASP Deserialization Cheatsheet
Timeline
Published on: 02/13/2024 18:15:59 UTC
Last modified on: 02/22/2024 18:23:55 UTC