A March 2026 security advisory revealed a deserialization vulnerability in ASP.NET Core that can lead to remote code execution when untrusted data reaches certain model binders and formatters. Sites running .NET 9 or earlier on Windows Server with default IIS configurations are exposed if they accept JSON or XML payloads without strict type controls.
The issue stems from unsafe handling of polymorphic types during deserialization. Attackers who craft malicious payloads can instantiate arbitrary types, execute code, and potentially escalate to full server compromise. Immediate patching and configuration hardening are required for any production workload.
# Who Is Affected
Applications built on .NET 8 and .NET 9 are the primary targets. Sites using System.Text.Json or Newtonsoft.Json with default settings and no explicit type restrictions are vulnerable. Self-hosted and IIS-hosted deployments both require attention.
- Update all projects to .NET 10 or the latest .NET 9 servicing release
- Audit every controller and minimal API endpoint that accepts complex types
- Disable polymorphic deserialization where not explicitly required
# Mitigation Steps
Apply the latest patches first. Then enforce strict deserialization rules in both System.Text.Json and any Newtonsoft.Json usage.
```csharp
using System.Text.Json;
using System.Text.Json.Serialization.Metadata;

var options = new JsonSerializerOptions
{
    // Wrap the default contract resolver so every JsonTypeInfo it produces
    // passes through the modifier below before it is used.
    TypeInfoResolver = JsonTypeInfoResolver.Combine(
        new DefaultJsonTypeInfoResolver
        {
            Modifiers =
            {
                ti =>
                {
                    // Only types that declare polymorphism carry PolymorphismOptions.
                    // With this flag set, a payload whose type discriminator is not one
                    // of the declared derived types is read as the base type instead
                    // of throwing, so unknown discriminators never select a type.
                    if (ti.PolymorphismOptions != null)
                        ti.PolymorphismOptions.IgnoreUnrecognizedTypeDiscriminators = true;
                }
            }
        })
};
```
# Additional Hardening
Enable request size limits and content-type validation in IIS. Combine these with application-level checks to reject unexpected payloads early.
- Set maxRequestEntityAllowed and maxAllowedContentLength in web.config
- Use [JsonDerivedType] attributes only for known safe types
- Run OWASP ZAP or similar scanners against staging environments after changes
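The following is an added example, not code from the advisory, tying together the mitigation steps above (strict System.Text.Json options, Newtonsoft.Json configured to ignore type names) and the hardening advice to use `[JsonDerivedType]` only for a closed set of known types. The `Shape`, `Circle` and `Square` types and the `SafeJson` helper are hypothetical names chosen for the illustration; the sample payloads are constructed.

```csharp
// Added example (not from the advisory). Shape/Circle/Square and SafeJson are
// hypothetical names. Requires .NET 8 or later for UnmappedMemberHandling.
using System;
using System.Text.Json;
using System.Text.Json.Serialization;
using System.Text.Json.Serialization.Metadata;

// A closed hierarchy: only "circle" and "square" are valid "$type" values.
// No other CLR type can be named by a payload, because System.Text.Json only
// honours discriminators that were declared here at compile time.
[JsonPolymorphic(TypeDiscriminatorPropertyName = "$type")]
[JsonDerivedType(typeof(Circle), "circle")]
[JsonDerivedType(typeof(Square), "square")]
public abstract class Shape { }
public sealed class Circle : Shape { public double Radius { get; set; } }
public sealed class Square : Shape { public double Side { get; set; } }

public static class SafeJson
{
    // Strict System.Text.Json options: unknown discriminators and unknown
    // members are errors, comments and trailing commas are rejected, and
    // polymorphism is only tolerated on the types we expect to carry it.
    public static JsonSerializerOptions Strict { get; } = new()
    {
        TypeInfoResolver = new DefaultJsonTypeInfoResolver
        {
            Modifiers =
            {
                ti =>
                {
                    if (ti.PolymorphismOptions is null) return;
                    // Fail closed: polymorphism on a type outside the allowlist is a
                    // configuration bug, so surface it rather than serve requests.
                    if (ti.Type != typeof(Shape))
                        throw new InvalidOperationException(
                            $"Unexpected polymorphic type: {ti.Type}");
                    // Keep the default: an unrecognised "$type" throws JsonException.
                    ti.PolymorphismOptions.IgnoreUnrecognizedTypeDiscriminators = false;
                }
            }
        },
        ReadCommentHandling = JsonCommentHandling.Disallow,
        AllowTrailingCommas = false,
        UnmappedMemberHandling = JsonUnmappedMemberHandling.Disallow,
    };

    // Newtonsoft.Json: TypeNameHandling.None means an embedded "$type" is never
    // used to choose the CLR type, and metadata properties are ignored outright.
    // Fully qualified to avoid clashing with System.Text.Json names.
    public static Newtonsoft.Json.JsonSerializerSettings NewtonsoftStrict { get; } = new()
    {
        TypeNameHandling = Newtonsoft.Json.TypeNameHandling.None,
        MetadataPropertyHandling = Newtonsoft.Json.MetadataPropertyHandling.Ignore,
    };

    // Parse a request body into a Shape; any serializer rejection becomes a
    // single failure result the endpoint can log and answer with HTTP 400.
    public static bool TryParseShape(string body, out Shape? shape, out string? error)
    {
        try
        {
            shape = JsonSerializer.Deserialize<Shape>(body, Strict);
            error = shape is null ? "null payload" : null;
            return shape is not null;
        }
        catch (JsonException ex)
        {
            shape = null;
            error = ex.Message;
            return false;
        }
    }
}

public static class Demo
{
    public static void Main()
    {
        // Constructed sample payloads: one valid, one with an undeclared discriminator.
        Console.WriteLine(SafeJson.TryParseShape(
            "{\"$type\":\"circle\",\"Radius\":2}", out _, out _));          // True
        Console.WriteLine(SafeJson.TryParseShape(
            "{\"$type\":\"hexagon\",\"Sides\":6}", out _, out var error));  // False
        Console.WriteLine(error);
    }
}
```

Register `SafeJson.Strict` through `AddControllers().AddJsonOptions(...)` or `ConfigureHttpJsonOptions(...)` so controllers and minimal APIs share one configuration, and apply `SafeJson.NewtonsoftStrict` anywhere `AddNewtonsoftJson` is still in use. The rejection path in `TryParseShape` is also where deserialization errors should be logged, which is the monitoring signal the advisory recommends watching.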
Apply these controls, test thoroughly, and monitor logs for deserialization errors. Keeping all .NET workloads on the current LTS release remains the most effective long-term defense.