CVE-2022-26924
YARP Denial of Service Vulnerability
Severity: HIGH 7.5 | EPSS: 7.9%
Description
### Impact

A denial of service vulnerability exists in how YARP processes input.

### Patches

If you're using YARP `1.0.0`, you should update to NuGet package version [`1.0.1`](https://www.nuget.org/packages/Yarp.ReverseProxy/1.0.1). If you're using YARP `1.1.0-RC.1`, you should update to NuGet package version [`1.1.0-rc.1.22211.2`](https://www.nuget.org/packages/Yarp.ReverseProxy/1.1.0-rc.1.22211.2).

You can do so by updating the `PackageReference` in your `.csproj` file:

```diff
<ItemGroup>
- <PackageReference Include="Yarp.ReverseProxy" Version="1.0.0" />
- <PackageReference Include="Yarp.Telemetry.Consumption" Version="1.0.0" />
+ <PackageReference Include="Yarp.ReverseProxy" Version="1.0.1" />
+ <PackageReference Include="Yarp.Telemetry.Consumption" Version="1.0.1" />
</ItemGroup>
```

or by selecting `1.0.1` in the NuGet UI inside Visual Studio (`Manage NuGet Packages` / `Updates`).

### References

[CVE-2022-26924](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-26924)
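Review bot: the hunk only covers the `1.0.0` to `1.0.1` upgrade, while the prose above it also tells `1.1.0-RC.1` users to move to `1.1.0-rc.1.22211.2`; there are no corresponding `PackageReference` lines for that path, so the RC case should get its own `Version="1.1.0-rc.1.22211.2"` lines (or a sentence saying the same edit applies with that version) so readers on the RC are not left guessing.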
Affected packages (1)
- NuGet / Yarp.ReverseProxy: from 0, < 1.0.1
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH 7.5 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
References (6)
- ADVISORY: https://nvd.nist.gov/vuln/detail/CVE-2022-26924
- PATCH: https://github.com/microsoft/reverse-proxy
- WEB: https://github.com/microsoft/reverse-proxy/commit/11e6272da17beb03d0b44a19d3c4f1ffa52b7c38
- WEB: https://github.com/microsoft/reverse-proxy/security/advisories/GHSA-8xc6-g8xw-h2c4
- WEB: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-26924
- WEB: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-26924