GHSA-r8m2-4x37-6592
HIGH.NET Denial of Service Vulnerability
EPSS Exploitation Probability
EPSS (Exploit Prediction Scoring System) is a daily probability model maintained by FIRST.org. It estimates the likelihood a CVE will be exploited in production environments within the next 30 days, derived from real-world threat intelligence signals.
Blast Radius
Microsoft.AspNetCore.App.Runtime.linux-arm.NETMicrosoft.AspNetCore.App.Runtime.linux-arm64.NETMicrosoft.AspNetCore.App.Runtime.linux-musl-arm64.NETMicrosoft.AspNetCore.App.Runtime.linux-musl-x64.NETMicrosoft.AspNetCore.App.Runtime.linux-x64.NETMicrosoft.AspNetCore.App.Runtime.osx-x64.NETMicrosoft.AspNetCore.App.Runtime.win-arm.NETMicrosoft.AspNetCore.App.Runtime.win-arm64+14 moreReal-time download stats are indexed for npm and PyPI packages. This vulnerability affects NuGet packages — download data is not available via public APIs for these ecosystems.
Description
Microsoft is releasing this security advisory to provide information about a vulnerability in .NET Core 3.1 and .NET 6.0. This advisory also provides guidance on what developers can do to update their applications to remove this vulnerability.
A denial of service vulnerability exists in ASP.NET Core 3.1 and .NET 6.0 where a malicious client could cause a stack overflow which may result in a denial of service attack when an attacker sends a customized payload that is parsed during model binding.
<a name="affected-software"></a>Affected software
- Any .NET 6.0 application running on .NET 6.0.8 or earlier.
- Any ASP.NET Core 3.1 application running on .NET Core 3.1.28 or earlier. If your application uses the following package versions, ensure you update to the latest version of .NET.
<a name="ASP.NET Core 3.1"></a>.NET Core 3.1
| Package name | Affected version | Patched version |
|---|---|---|
| Microsoft.AspNetCore.App.Runtime.linux-arm | >= 3.1.0, < 3.1.29 | 3.1.29 |
| Microsoft.AspNetCore.App.Runtime.linux-arm64 | >= 3.1.0, < 3.1.29 | 3.1.29 |
| Microsoft.AspNetCore.App.Runtime.linux-musl-arm64 | >= 3.1.0, < 3.1.29 | 3.1.29 |
| Microsoft.AspNetCore.App.Runtime.linux-musl-x64 | >= 3.1.0, < 3.1.29 | 3.1.29 |
| Microsoft.AspNetCore.App.Runtime.linux-x64 | >= 3.1.0, < 3.1.29 | 3.1.29 |
| Microsoft.AspNetCore.App.Runtime.osx-x64 | >= 3.1.0, < 3.1.29 | 3.1.29 |
| Microsoft.AspNetCore.App.Runtime.win-arm | >= 3.1.0, < 3.1.29 | 3.1.29 |
| Microsoft.AspNetCore.App.Runtime.win-arm64 | >= 3.1.5, < 3.1.29 | 3.1.29 |
| Microsoft.AspNetCore.App.Runtime.win-x64 | >= 3.1.0, < 3.1.29 | 3.1.29 |
| Microsoft.AspNetCore.App.Runtime.win-x86 | >= 3.1.0, < 3.1.29 | 3.1.29 |
<a name=".NET 6"></a>.NET 6
| Package name | Affected version | Patched version |
|---|---|---|
| Microsoft.AspNetCore.App.Runtime.linux-arm | >= 5.0.0, < 6.0.9 | 6.0.9 |
| Microsoft.AspNetCore.App.Runtime.linux-arm64 | >= 5.0.0, < 6.0.9 | 6.0.9 |
| Microsoft.AspNetCore.App.Runtime.linux-musl-arm | >= 5.0.1, < 6.0.9 | 6.0.9 |
| Microsoft.AspNetCore.App.Runtime.linux-musl-arm64 | >= 5.0.0, < 6.0.9 | 6.0.9 |
| Microsoft.AspNetCore.App.Runtime.linux-musl-x64 | >= 5.0.0, < 6.0.9 | 6.0.9 |
| Microsoft.AspNetCore.App.Runtime.linux-x64 | >= 5.0.0, < 6.0.9 | 6.0.9 |
| Microsoft.AspNetCore.App.Runtime.osx-arm64 | >= 6.0.0, < 6.0.9 | 6.0.9 |
| Microsoft.AspNetCore.App.Runtime.osx-x64 | >= 5.0.0, < 6.0.9 | 6.0.9 |
| Microsoft.AspNetCore.App.Runtime.win-arm | >= 5.0.0, < 6.0.9 | 6.0.9 |
| Microsoft.AspNetCore.App.Runtime.win-arm64 | >= 5.0.0, < 6.0.9 | 6.0.9 |
| Microsoft.AspNetCore.App.Runtime.win-x64 | >= 5.0.0, < 6.0.9 | 6.0.9 |
| Microsoft.AspNetCore.App.Runtime.win-x86 | >= 5.0.0, < 6.0.9 | 6.0.9 |
Other
Announcement for this issue can be found at https://github.com/dotnet/announcements/issues/234 An Issue for this can be found at https://github.com/dotnet/aspnetcore/issues/43953 MSRC details for this can be found at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-38013
Affected Packages
| Ecosystem | Package | Vulnerable range | Fix |
|---|---|---|---|
| .NETNuGet | Microsoft.AspNetCore.App.Runtime.linux-arm | ≥ 3.1.0&&< 3.1.29 | 3.1.29 |
| .NETNuGet | Microsoft.AspNetCore.App.Runtime.linux-arm64 | ≥ 3.1.0&&< 3.1.29 | 3.1.29 |
| .NETNuGet | Microsoft.AspNetCore.App.Runtime.linux-musl-arm64 | ≥ 3.1.0&&< 3.1.29 | 3.1.29 |
| .NETNuGet | Microsoft.AspNetCore.App.Runtime.linux-musl-x64 | ≥ 3.1.0&&< 3.1.29 | 3.1.29 |
| .NETNuGet | Microsoft.AspNetCore.App.Runtime.linux-x64 | ≥ 3.1.0&&< 3.1.29 | 3.1.29 |
| .NETNuGet | Microsoft.AspNetCore.App.Runtime.osx-x64 | ≥ 3.1.0&&< 3.1.29 | 3.1.29 |
Detection & mitigation playbook
Open-source dependencyDetect
Scan your dependency tree (package-lock.json, pnpm-lock.yaml, requirements.txt, go.sum, etc.) for Microsoft.AspNetCore.App.Runtime.linux-arm. O3's reachability analysis confirms whether the vulnerable code path is actually invoked in your application, so you act on real exposure instead of every transitive match.
Fix
Update Microsoft.AspNetCore.App.Runtime.linux-arm to 3.1.29 or later, then make sure no transitive (indirect) dependency still pins the vulnerable range — O3 confirms GHSA-r8m2-4x37-6592 is resolved across your whole dependency graph.
Workarounds
If you can't upgrade right away: gate or disable the affected feature, validate untrusted input at the boundary, and avoid passing attacker-controlled data into the vulnerable path. O3's runtime protection blocks exploitation in production as an interim safeguard until the upgrade lands.
How O3 protects you
O3 pinpoints whether GHSA-r8m2-4x37-6592 is reachable in your code and exactly where to fix it, then blocks exploitation in production at runtime until the patched version is deployed.
Tailored to GHSA-r8m2-4x37-6592. Runtime protection reduces exposure until a permanent patch is applied and verified — it complements patching, it doesn't replace it.
Frequently Asked Questions
Is GHSA-r8m2-4x37-6592 in your dependencies?
O3 detects GHSA-r8m2-4x37-6592 across NuGet dependencies and uses function-level reachability to confirm whether the vulnerable code path is actually reachable — not just present. No false positives.