CVE-2025-26682 Overview
CVE-2025-26682 is a resource exhaustion vulnerability in ASP.NET Core that enables unauthorized attackers to cause a denial of service condition over the network. The vulnerability stems from the allocation of resources without proper limits or throttling (CWE-770), allowing remote attackers to consume excessive server resources and disrupt service availability for legitimate users.
Critical Impact
Unauthenticated remote attackers can exploit this vulnerability to exhaust server resources and cause complete denial of service to ASP.NET Core applications without requiring any user interaction or special privileges.
Affected Products
- Microsoft ASP.NET Core
- Microsoft Visual Studio 2022
Discovery Timeline
- April 8, 2025 - CVE-2025-26682 published to NVD
- July 9, 2025 - Last updated in NVD database
Technical Details for CVE-2025-26682
Vulnerability Analysis
This vulnerability exists due to improper resource allocation controls within ASP.NET Core's request handling mechanisms. When processing certain types of requests, the framework fails to implement adequate limits or throttling on resource consumption. This architectural weakness allows an attacker to craft requests that trigger unbounded resource allocation, eventually exhausting available server memory, CPU, or connection pools.
The attack can be executed remotely over the network without requiring authentication, making it particularly dangerous for internet-facing ASP.NET Core applications. The vulnerability impacts availability exclusively—no data confidentiality or integrity is compromised during exploitation.
Root Cause
The root cause is classified as CWE-770 (Allocation of Resources Without Limits or Throttling). The ASP.NET Core framework in affected versions lacks proper safeguards to prevent excessive resource consumption during request processing. Without these protective boundaries, malicious actors can trigger scenarios where the application allocates memory or processing resources without adequate constraints, leading to resource exhaustion.
Attack Vector
The attack vector is network-based and requires no authentication or user interaction. An attacker can send specially crafted HTTP requests to a vulnerable ASP.NET Core application that trigger the resource allocation flaw. Due to the missing throttling mechanisms, each malicious request consumes disproportionate resources, and sustained attack traffic can rapidly deplete server resources.
The attack characteristics include:
- Network accessibility: Exploitable from any network location that can reach the target application
- No privileges required: Unauthenticated attackers can trigger the vulnerability
- No user interaction: The attack does not require any action from legitimate users
- High availability impact: Successful exploitation results in complete service disruption
Detection Methods for CVE-2025-26682
Indicators of Compromise
- Abnormal spikes in memory consumption on servers hosting ASP.NET Core applications
- Unexplained CPU utilization increases correlating with incoming HTTP requests
- Application pool recycles or restarts occurring more frequently than normal
- IIS worker process (w3wp.exe) consuming excessive resources
- Connection pool exhaustion errors in application logs
Detection Strategies
- Monitor ASP.NET Core application performance counters for unusual resource consumption patterns
- Implement network-level monitoring for anomalous request volumes or patterns targeting your applications
- Configure alerts for memory and CPU threshold violations on web servers
- Review IIS and Kestrel logs for high volumes of requests from single sources or unusual request characteristics
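To make the log-review step above concrete, the following is an added example (not from this advisory and not Microsoft code) in C#: it parses IIS W3C-format log lines using the log's own "#Fields:" header to locate columns, then reports any client address whose request count inside a sliding window, or whose total server time consumed (the time-taken column), exceeds a threshold. The log lines are constructed for the example, the column names are the standard IIS W3C field names, and the thresholds are illustrative; tune them to the baseline described under Monitoring Recommendations.

```csharp
// Added example (not part of the original advisory): flags client addresses that
// generate request bursts or consume disproportionate server time, based on IIS
// W3C-format logs. Column positions come from the log's own "#Fields:" header.
using System;
using System.Collections.Generic;
using System.Globalization;
using System.Linq;

public sealed record LogEntry(DateTime Timestamp, string ClientIp, string Method,
                              string Path, int Status, int TimeTakenMs);

public static class RequestBurstDetector
{
    // Constructed sample, not a real capture. Real IIS logs carry more columns;
    // the parser only requires the columns it reads to be named in the header.
    public static readonly string[] SampleLog =
    {
        "#Software: Microsoft Internet Information Services 10.0",
        "#Fields: date time c-ip cs-method cs-uri-stem sc-status time-taken",
        "2025-04-08 10:00:00 192.168.1.20 GET /api/orders 200 12",
        "2025-04-08 10:00:01 10.0.0.5 POST /api/upload 200 980",
        "2025-04-08 10:00:01 10.0.0.5 POST /api/upload 200 1010",
        "2025-04-08 10:00:02 10.0.0.5 POST /api/upload 200 1120",
        "2025-04-08 10:00:02 10.0.0.5 POST /api/upload 200 990",
        "2025-04-08 10:00:03 10.0.0.5 POST /api/upload 200 1050",
        "2025-04-08 10:00:03 10.0.0.5 POST /api/upload 503 1480",
        "2025-04-08 10:00:15 192.168.1.20 GET /api/orders 200 11",
        "malformed line",
        "2025-04-08 10:01:30 192.168.1.20 GET /api/orders/7 200 9",
    };

    public static List<LogEntry> Parse(IEnumerable<string> lines)
    {
        var entries = new List<LogEntry>();
        Dictionary<string, int>? index = null;   // field name -> column position

        foreach (var line in lines)
        {
            if (line.StartsWith("#Fields:", StringComparison.Ordinal))
            {
                var names = line.Substring("#Fields:".Length)
                                .Split(' ', StringSplitOptions.RemoveEmptyEntries);
                index = names.Select((n, i) => (n, i)).ToDictionary(p => p.n, p => p.i);
                continue;
            }
            if (index is null || line.StartsWith('#')) continue;

            var cols = line.Split(' ');
            if (cols.Length != index.Count) continue;   // skip malformed lines instead of throwing

            if (!DateTime.TryParseExact(cols[index["date"]] + " " + cols[index["time"]],
                    "yyyy-MM-dd HH:mm:ss", CultureInfo.InvariantCulture,
                    DateTimeStyles.AssumeUniversal, out var ts)) continue;

            entries.Add(new LogEntry(ts, cols[index["c-ip"]], cols[index["cs-method"]],
                cols[index["cs-uri-stem"]], int.Parse(cols[index["sc-status"]]),
                int.Parse(cols[index["time-taken"]])));
        }
        return entries;
    }

    // Per client: the peak number of requests inside any sliding window of the given
    // length, plus total server time consumed. Clients over either threshold are returned.
    public static List<(string ClientIp, int PeakRequests, long TotalTimeMs)> FindBursts(
        IEnumerable<LogEntry> entries, TimeSpan window, int maxRequestsPerWindow, long maxTotalTimeMs)
    {
        var hits = new List<(string, int, long)>();
        foreach (var g in entries.GroupBy(e => e.ClientIp))
        {
            var times = g.Select(e => e.Timestamp).OrderBy(t => t).ToList();
            int peak = 0, start = 0;
            for (int end = 0; end < times.Count; end++)
            {
                while (times[end] - times[start] > window) start++;   // slide window start forward
                peak = Math.Max(peak, end - start + 1);
            }
            long total = g.Sum(e => (long)e.TimeTakenMs);
            if (peak > maxRequestsPerWindow || total > maxTotalTimeMs)
                hits.Add((g.Key, peak, total));
        }
        return hits;
    }

    public static void Main()
    {
        var entries = Parse(SampleLog);
        foreach (var (ip, peak, total) in FindBursts(entries, TimeSpan.FromSeconds(10),
                                                      maxRequestsPerWindow: 5, maxTotalTimeMs: 5000))
            Console.WriteLine($"ALERT {ip}: peak {peak} requests/10s, {total} ms of server time consumed");
    }
}
```

In the constructed sample only 10.0.0.5 crosses either threshold; 192.168.1.20 is well under both. The same two metrics map directly onto the indicators listed above: the burst count corresponds to request-volume anomalies, and the summed time-taken corresponds to CPU and memory pressure attributable to one source. When Kestrel runs behind a proxy, the logged c-ip is the proxy's address unless X-Forwarded-For is logged instead, so check which column carries the real client before keying on it.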
Monitoring Recommendations
- Enable Application Insights or equivalent APM solutions to track resource utilization trends
- Configure real-time alerting for resource exhaustion conditions in your monitoring platform
- Implement rate limiting at the load balancer or WAF level to mitigate volumetric attacks
- Establish baseline metrics for normal application resource consumption to identify anomalies
How to Mitigate CVE-2025-26682
Immediate Actions Required
- Apply the latest security updates from Microsoft for ASP.NET Core immediately
- Update Visual Studio 2022 to the latest patched version
- Implement rate limiting and request throttling at the application or infrastructure level
- Consider enabling connection limits and request timeout configurations as temporary protective measures
- Monitor affected applications closely for signs of exploitation attempts
Patch Information
Microsoft has released security patches to address this vulnerability. Detailed patch information and download links are available in the Microsoft Security Response Center Advisory. Organizations should update their ASP.NET Core runtime and SDK to the latest patched versions as soon as possible.
For Visual Studio 2022 users, update through the Visual Studio Installer to ensure all bundled .NET components receive the security fix.
Workarounds
- Implement application-level rate limiting using middleware such as AspNetCoreRateLimit
- Configure maximum concurrent connections and request body size limits in Kestrel server options
- Deploy a Web Application Firewall (WAF) with DoS protection capabilities in front of vulnerable applications
- Use Azure Application Gateway or similar services with built-in DDoS protection for cloud-hosted applications
Example Kestrel limits in appsettings.json (the same values can also be set in code in Program.cs through KestrelServerOptions.Limits): a request body size limit, a minimum request body data rate, and connection limits.

{
  "Kestrel": {
    "Limits": {
      "MaxConcurrentConnections": 100,
      "MaxConcurrentUpgradedConnections": 100,
      "MaxRequestBodySize": 30000000,
      "MinRequestBodyDataRate": {
        "BytesPerSecond": 100,
        "GracePeriod": "00:00:10"
      }
    }
  }
}
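As an added example (not from this advisory and not Microsoft's code), the Program.cs below applies the same Kestrel limits in code, adds header and keep-alive timeouts so slow clients cannot hold connection slots open, and layers a per-client rate limiter on top using the framework's built-in Microsoft.AspNetCore.RateLimiting middleware (available since .NET 7) rather than the third-party AspNetCoreRateLimit package mentioned in the workarounds. The project is assumed to use the Microsoft.NET.Sdk.Web SDK with implicit usings; all threshold values are illustrative. None of this replaces the security update; it reduces the blast radius while the patch is rolled out.

```csharp
// Added example (not from the original advisory): Program.cs for a minimal ASP.NET Core
// app that sets the Kestrel limits from the advisory in code and adds a per-client
// rate limiter using the built-in Microsoft.AspNetCore.RateLimiting middleware (.NET 7+).
// Threshold values are illustrative; tune them to the application's measured baseline.
using System.Threading.RateLimiting;
using Microsoft.AspNetCore.RateLimiting;
using Microsoft.AspNetCore.Server.Kestrel.Core;

var builder = WebApplication.CreateBuilder(args);

// Same limits as the appsettings.json fragment above, expressed in code.
builder.WebHost.ConfigureKestrel(kestrel =>
{
    kestrel.Limits.MaxConcurrentConnections = 100;
    kestrel.Limits.MaxConcurrentUpgradedConnections = 100;
    kestrel.Limits.MaxRequestBodySize = 30_000_000;          // bodies above this are rejected
    kestrel.Limits.MinRequestBodyDataRate =
        new MinDataRate(bytesPerSecond: 100, gracePeriod: TimeSpan.FromSeconds(10));
    // Bound how long a client may hold a connection while sending headers or idling,
    // so slow clients cannot pin connection-pool slots indefinitely.
    kestrel.Limits.RequestHeadersTimeout = TimeSpan.FromSeconds(30);
    kestrel.Limits.KeepAliveTimeout = TimeSpan.FromSeconds(60);
});

// Fixed-window limiter keyed by client address: at most 100 requests per 10 s per
// client. Excess requests are rejected immediately with 429; QueueLimit = 0 means
// no server memory is spent holding rejected requests in a queue.
builder.Services.AddRateLimiter(options =>
{
    options.RejectionStatusCode = StatusCodes.Status429TooManyRequests;
    options.GlobalLimiter = PartitionedRateLimiter.Create<HttpContext, string>(httpContext =>
        RateLimitPartition.GetFixedWindowLimiter(
            partitionKey: httpContext.Connection.RemoteIpAddress?.ToString() ?? "unknown",
            factory: _ => new FixedWindowRateLimiterOptions
            {
                PermitLimit = 100,
                Window = TimeSpan.FromSeconds(10),
                QueueProcessingOrder = QueueProcessingOrder.OldestFirst,
                QueueLimit = 0
            }));

    // Log rejections so the detection side has a concrete signal to alert on.
    options.OnRejected = (context, _) =>
    {
        var logger = context.HttpContext.RequestServices
            .GetRequiredService<ILoggerFactory>().CreateLogger("RateLimiter");
        logger.LogWarning("Rate limit exceeded by {RemoteIp} on {Path}",
            context.HttpContext.Connection.RemoteIpAddress, context.HttpContext.Request.Path);
        return ValueTask.CompletedTask;
    };
});

var app = builder.Build();

app.UseRateLimiter();   // must run before the endpoints it protects
app.MapGet("/", () => "ok");
app.Run();
```

Two caveats when deploying this. Behind a load balancer or reverse proxy, Connection.RemoteIpAddress is the proxy's address, so every client lands in one partition and the limiter either throttles everyone or no one; register the forwarded-headers middleware (UseForwardedHeaders with a configured set of known proxies) ahead of UseRateLimiter in that topology. And MaxRequestBodySize is a ceiling, not a size-by-endpoint policy: endpoints that legitimately accept large uploads can raise it per route with the RequestSizeLimit attribute while the global default stays small.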
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.