Microsoft Issues Out-of-Band Patch for Critical Security Flaw in Update to ASP.NET Core
Why It Matters
The vulnerability could let attackers forge valid session tokens and impersonate users, putting web applications and the integrity of their data at risk. Prompt remediation is essential for enterprises that rely on ASP.NET Core to maintain trust and compliance.
Key Takeaways
- CVE-2026-40372: CVSS 9.1 critical flaw in ASP.NET Core Data Protection
- Bug in the 10.0.6 package: ManagedAuthenticatedEncryptor computes the HMAC validation tag at the wrong offset, so forged tokens validate
- Microsoft issued out-of-band release 10.0.7; upgrade, then rebuild and redeploy apps
- Affects Linux and macOS hosts, Windows hosts that use custom cryptographic APIs, and Docker images that bundle the package
- After the fix, expire all authentication cookies and tokens and rotate Data Protection keys
Pulse Analysis
ASP.NET Core remains a cornerstone for modern web applications, powering everything from e-commerce sites to enterprise portals. The platform's Data Protection library safeguards authentication cookies, anti-forgery tokens, and other sensitive payloads, so any weakness in it is a high-value target. This is the second major flaw in six months, following the CVSS 9.9 Kestrel vulnerability, and it recalls the 2010 MS10-070 emergency patch for the ASP.NET padding-oracle bug, which forced a rapid industry response. Understanding the technical lineage of these bugs helps security teams anticipate attack vectors and prioritize patch cycles.
The root cause lies in the .NET 10.0.6 NuGet package, where the ManagedAuthenticatedEncryptor computes the HMAC validation tag over the wrong byte range because of an incorrect offset. The miscalculation effectively disables the integrity check, so a crafted payload is accepted as if it had been produced legitimately. Because the library is bundled into Docker images and can be referenced through netstandard2.0 or net462 assets, a wide range of deployments is exposed: Linux containers, macOS servers, and Windows hosts that have opted into custom (managed) cryptographic algorithms rather than the CNG encryptor Windows uses by default. Developers can spot the issue by watching logs for repeated "The payload was invalid" errors after the April 14 update, or by inspecting project files and lock files for a 10.0.6 package reference.
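To make the failure mode concrete, here is an added Python model of an encrypt-then-MAC token whose validation tag is computed from a miscalculated offset. It is not Microsoft's code and does not reproduce the real Data Protection envelope layout; the header sizes, the HMAC-based toy stream cipher, the key values and the claim string are all constructed for the demonstration. It shows why such a bug lets an attacker rewrite a token's plaintext without holding the key, and why tokens issued by the buggy build fail validation once the correct offset is restored.

```python
"""Toy encrypt-then-MAC envelope with a miscalculated HMAC offset (illustrative model,
not the .NET Data Protection implementation). Layout assumed for the model:
key id (4) || iv (16) || ciphertext || HMAC-SHA256 tag (32)."""
import hashlib
import hmac
import os

KEY_ID_LEN = 4
IV_LEN = 16
TAG_LEN = 32  # HMAC-SHA256 output length


def _keystream_xor(key: bytes, iv: bytes, data: bytes) -> bytes:
    """Constructed CTR-like stream cipher built from HMAC so the demo needs no extra
    packages. Not for real use; it only needs the bit-flipping malleability of CTR mode."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += hmac.new(key, iv + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


class Protector:
    """Encrypt-then-MAC. With buggy=True the tag is computed over body[mac_offset:] where
    mac_offset is miscalculated as len(body): the MAC covers no bytes, so every envelope
    carries the same tag and the integrity check is effectively disabled."""

    def __init__(self, enc_key: bytes, mac_key: bytes, key_id: bytes, buggy: bool = False):
        self.enc_key, self.mac_key, self.key_id, self.buggy = enc_key, mac_key, key_id, buggy

    def _tag(self, body: bytes) -> bytes:
        mac_offset = len(body) if self.buggy else 0  # correct offset is 0: MAC everything before the tag
        return hmac.new(self.mac_key, body[mac_offset:], hashlib.sha256).digest()

    def protect(self, plaintext: bytes, iv=None) -> bytes:
        iv = iv if iv is not None else os.urandom(IV_LEN)
        body = self.key_id + iv + _keystream_xor(self.enc_key, iv, plaintext)
        return body + self._tag(body)

    def unprotect(self, envelope: bytes) -> bytes:
        body, tag = envelope[:-TAG_LEN], envelope[-TAG_LEN:]
        if not hmac.compare_digest(tag, self._tag(body)):
            raise ValueError("The payload was invalid")
        iv = body[KEY_ID_LEN:KEY_ID_LEN + IV_LEN]
        return _keystream_xor(self.enc_key, iv, body[KEY_ID_LEN + IV_LEN:])


def flip_plaintext(envelope: bytes, position: int, old: bytes, new: bytes) -> bytes:
    """Attacker-side edit: with a stream cipher, XORing the ciphertext with old ^ new at a
    known plaintext position rewrites the plaintext without the key. Only an intact MAC
    over the ciphertext stops this."""
    buf = bytearray(envelope)
    start = KEY_ID_LEN + IV_LEN + position
    for i, (o, n) in enumerate(zip(old, new)):
        buf[start + i] ^= o ^ n
    return bytes(buf)


def demo() -> dict:
    """Run the forgery against the buggy and the fixed verifier and report the outcomes."""
    enc_key, mac_key, key_id = b"E" * 32, b"M" * 32, b"\x00\x00\x00\x01"  # constructed test keys
    buggy = Protector(enc_key, mac_key, key_id, buggy=True)
    fixed = Protector(enc_key, mac_key, key_id, buggy=False)

    claims = b"sub=alice;role=user"  # constructed claim string
    token = buggy.protect(claims, iv=b"\x11" * IV_LEN)
    forged = flip_plaintext(token, claims.index(b"role=") + 5, b"user", b"root")

    def outcome(p: Protector, env: bytes):
        try:
            return p.unprotect(env)
        except ValueError as e:
            return str(e)

    return {
        "buggy_accepts_forgery": outcome(buggy, forged),           # b"sub=alice;role=root"
        "fixed_rejects_forgery": outcome(fixed, forged),           # "The payload was invalid"
        "fixed_rejects_old_token": outcome(fixed, token),          # tags differ after the fix
        "fixed_roundtrip": outcome(fixed, fixed.protect(claims)),  # b"sub=alice;role=user"
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

Because the buggy and the corrected verifier disagree on what the tag covers, the model also shows why, in this simplified picture, a deployment mixing the two builds logs payload-invalid errors, and why cookies issued before the patch must be expired deliberately rather than left to fail one request at a time.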
Microsoft's out-of-band 10.0.7 release addresses the bug, but remediation extends beyond a simple package upgrade. Affected teams must rebuild and redeploy applications, expire existing authentication cookies and tokens, and roll over to new Data Protection keys so that nothing issued under the vulnerable build stays valid. Organizations should also audit for anomalous login failures and consider additional runtime integrity checks. The episode underscores the importance of rapid vulnerability disclosure, automated dependency scanning, and a disciplined patch management process to safeguard the extensive ASP.NET Core ecosystem.
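As an added audit script (not from the article or from Microsoft), the following Python walks a source tree and flags Data Protection packages still pinned to 10.0.6 in .csproj files, Directory.Packages.props and packages.lock.json, which covers both the inspection step above and the check that the 10.0.7 upgrade actually landed everywhere. The package-name prefix Microsoft.AspNetCore.DataProtection is an assumption (confirm the exact affected package list against Microsoft's advisory), and the sample project and lock files are constructed.

```python
"""Scan .NET project and lock files for NuGet references pinned to the affected version.
Added example; the affected-package prefix below is an assumption, not the advisory's list."""
import json
import os
import xml.etree.ElementTree as ET

AFFECTED_VERSION = "10.0.6"
PACKAGE_PREFIX = "Microsoft.AspNetCore.DataProtection"  # assumed prefix; verify against the advisory
MSBUILD_SUFFIXES = (".csproj", ".fsproj", ".vbproj", ".props", ".targets")
SKIP_DIRS = {"bin", "obj", ".git", "node_modules"}


def _local(tag: str) -> str:
    """Strip the MSBuild XML namespace that legacy project files declare."""
    return tag.rsplit("}", 1)[-1]


def scan_msbuild_xml(text: str, path: str) -> list:
    """Flag <PackageReference>/<PackageVersion> entries for affected packages pinned to
    10.0.6. Version may be an attribute or a child element; both are handled."""
    findings = []
    for el in ET.fromstring(text).iter():
        if _local(el.tag) not in ("PackageReference", "PackageVersion"):
            continue
        name = el.get("Include") or el.get("Update") or ""
        version = el.get("Version") or ""
        if not version:
            for child in el:
                if _local(child.tag) == "Version":
                    version = child.text or ""
        if name.startswith(PACKAGE_PREFIX) and version.strip() == AFFECTED_VERSION:
            findings.append((path, name, AFFECTED_VERSION))
    return findings


def scan_lock_json(text: str, path: str) -> list:
    """packages.lock.json records the resolved version per target framework, which also
    catches 10.0.6 arriving transitively through another package."""
    findings = []
    for tfm, deps in json.loads(text).get("dependencies", {}).items():
        for name, info in deps.items():
            if name.startswith(PACKAGE_PREFIX) and info.get("resolved") == AFFECTED_VERSION:
                findings.append((f"{path} [{tfm}]", name, AFFECTED_VERSION))
    return findings


def scan_text(text: str, path: str) -> list:
    if os.path.basename(path) == "packages.lock.json":
        return scan_lock_json(text, path)
    if path.endswith(MSBUILD_SUFFIXES):
        return scan_msbuild_xml(text, path)
    return []


def scan_tree(root_dir: str) -> list:
    findings = []
    for dirpath, dirnames, filenames in os.walk(root_dir):
        dirnames[:] = [d for d in dirnames if d not in SKIP_DIRS]
        for fn in filenames:
            path = os.path.join(dirpath, fn)
            if fn == "packages.lock.json" or fn.endswith(MSBUILD_SUFFIXES):
                with open(path, encoding="utf-8-sig") as fh:
                    findings.extend(scan_text(fh.read(), path))
    return findings


# Constructed sample inputs so the example runs offline.
SAMPLE_CSPROJ = """<Project Sdk="Microsoft.NET.Sdk.Web">
  <ItemGroup>
    <PackageReference Include="Microsoft.AspNetCore.DataProtection" Version="10.0.6" />
    <PackageReference Include="Microsoft.AspNetCore.DataProtection.Abstractions" Version="10.0.7" />
    <PackageReference Include="Microsoft.AspNetCore.DataProtection.Extensions">
      <Version>10.0.6</Version>
    </PackageReference>
    <PackageReference Include="Newtonsoft.Json" Version="13.0.3" />
  </ItemGroup>
</Project>"""

SAMPLE_LOCK = """{
  "version": 1,
  "dependencies": {
    "net10.0": {
      "Microsoft.AspNetCore.DataProtection": {
        "type": "Transitive", "resolved": "10.0.6", "contentHash": "constructed-sample"
      },
      "Newtonsoft.Json": {
        "type": "Direct", "requested": "[13.0.3, )", "resolved": "13.0.3", "contentHash": "constructed-sample"
      }
    }
  }
}"""


def demo() -> list:
    """Scan the constructed samples; returns (location, package, version) triples."""
    return scan_text(SAMPLE_CSPROJ, "Web/Web.csproj") + scan_text(SAMPLE_LOCK, "Web/packages.lock.json")


if __name__ == "__main__":
    import sys
    results = scan_tree(sys.argv[1]) if len(sys.argv) > 1 else demo()
    for location, package, version in results:
        print(f"{location}: {package} {version} (upgrade to 10.0.7, rebuild and redeploy)")
```

Run it as `python scan.py /path/to/repo`; with no argument it scans the embedded samples. It complements `dotnet list package --vulnerable` rather than replacing it, and packages.lock.json is only present for projects that restore with a lock file, so a clean lock-file scan says nothing about projects that lack one.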