Skip to content

YARP Denial of Service Vulnerability

High severity GitHub Reviewed Published Apr 12, 2022 in microsoft/reverse-proxy • Updated Jan 27, 2023

Package

nuget Yarp.ReverseProxy (NuGet)

Affected versions

< 1.0.1
= 1.1.0-rc.1.22152.1

Patched versions

1.0.1
1.1.0-rc.1.22211.2

Description

Impact

A denial of service vulnerability exists in how YARP processes input.

Patches

If you're using YARP 1.0.0, you should update to NuGet package version 1.0.1.
If you're using YARP 1.1.0-RC.1, you should update to NuGet package version 1.1.0-rc.1.22211.2.

You can do so by updating the PackageReference in your .csproj file

<ItemGroup>
- <PackageReference Include="Yarp.ReverseProxy" Version="1.0.0" />
- <PackageReference Include="Yarp.Telemetry.Consumption" Version="1.0.0" />
+ <PackageReference Include="Yarp.ReverseProxy" Version="1.0.1" />
+ <PackageReference Include="Yarp.Telemetry.Consumption" Version="1.0.1" />
</ItemGroup>

or by selecting 1.0.1 in the NuGet UI inside Visual Studio (Manage NuGet Packages / Updates)
image

References

CVE-2022-26924

References

@MihaZupan MihaZupan published to microsoft/reverse-proxy Apr 12, 2022
Published by the National Vulnerability Database Apr 15, 2022
Published to the GitHub Advisory Database Apr 22, 2022
Reviewed Apr 22, 2022
Last updated Jan 27, 2023

Severity

High
7.5
/ 10

CVSS base metrics

Attack vector
Network
Attack complexity
Low
Privileges required
None
User interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Weaknesses

No CWEs

CVE ID

CVE-2022-26924

GHSA ID

GHSA-8xc6-g8xw-h2c4

Source code

Credits

Checking history
See something to contribute? Suggest improvements for this vulnerability.