Microsoft released guidance in June 2026 on weaknesses in ASP.NET Core request parsing when applications sit behind certain proxies or load balancers. The issue allows crafted requests to bypass middleware checks or reach unintended endpoints. Sites running current .NET on Windows Server with IIS require immediate configuration review.

The advisory focuses on header normalization and content-length handling rather than a single code path. Attackers can exploit mismatches between the frontend proxy and the ASP.NET Core pipeline. Production workloads using Kestrel directly or behind IIS require both server and application adjustments.

# Scope of Affected Deployments

Applications built on modern .NET and hosted via IIS or Kestrel with any reverse proxy layer are potentially exposed. Minimal impact occurs on single-server setups without additional proxies. Shared hosting environments must verify tenant isolation settings.

  • Check all sites using UseForwardedHeaders middleware.
  • Review proxy configuration for X-Forwarded-* header trust.
  • Confirm the application targets the current .NET runtime.

# Immediate Configuration Changes

Update the ForwardedHeadersOptions so that X-Forwarded-* headers are honored only when the request arrives from a known proxy address or network. Disable automatic header forwarding when the source cannot be validated.

```csharp
using System.Net;
using Microsoft.AspNetCore.HttpOverrides;

services.Configure<ForwardedHeadersOptions>(options =>
{
    // Only X-Forwarded-For and X-Forwarded-Proto are processed; X-Forwarded-Host is ignored.
    options.ForwardedHeaders = ForwardedHeaders.XForwardedFor | ForwardedHeaders.XForwardedProto;
    // Drop the default loopback proxy entry and trust only the proxy subnet.
    options.KnownProxies.Clear();
    // Fully qualified: on .NET 8+ a System.Net.IPNetwork type also exists and the bare name is ambiguous.
    options.KnownNetworks.Add(new Microsoft.AspNetCore.HttpOverrides.IPNetwork(IPAddress.Parse("10.0.0.0"), 8));
});
```

# Runtime and Framework Updates

Apply the latest patches for the current .NET release through Windows Update or the .NET installer. Rebuild and redeploy applications after installing runtime updates to ensure the patched request parser is active.

  • Run dotnet --list-runtimes to confirm the installed version.
  • Restart IIS application pools after runtime installation.

# Verification Steps

Test each production site with crafted requests that previously triggered the issue. Monitor IIS and Kestrel logs for unexpected header values. Use automated scanning tools configured for the specific request patterns described in the advisory.

Review all custom middleware that inspects raw request headers. Replace any direct access to Request.Headers (for example reading X-Forwarded-For yourself) with the values the forwarded-headers middleware has already validated: HttpContext.Connection.RemoteIpAddress, Request.Scheme and Request.Host. Schedule a follow-up audit within 30 days to confirm continued compliance.
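The following Program.cs ties the configuration change and the middleware review together. It is an added example, not code from the advisory: it assumes the proxy tier lives in 10.0.0.0/8, a hypothetical /admin endpoint restricted to an assumed management network 10.10.0.0/16, and the minimal hosting model, so that UseForwardedHeaders runs before anything that reads the client address or scheme.

```csharp
using System.Net;
using Microsoft.AspNetCore.HttpOverrides;

var builder = WebApplication.CreateBuilder(args);

builder.Services.Configure<ForwardedHeadersOptions>(options =>
{
    // Process only X-Forwarded-For and X-Forwarded-Proto; X-Forwarded-Host stays untrusted.
    options.ForwardedHeaders = ForwardedHeaders.XForwardedFor | ForwardedHeaders.XForwardedProto;
    // Remove the default loopback entry and trust only the proxy subnet (assumed 10.0.0.0/8).
    options.KnownProxies.Clear();
    options.KnownNetworks.Clear();
    options.KnownNetworks.Add(new Microsoft.AspNetCore.HttpOverrides.IPNetwork(IPAddress.Parse("10.0.0.0"), 8));
    // One hop only: a client cannot prepend its own address ahead of the proxy's entry.
    options.ForwardLimit = 1;
});

var app = builder.Build();

// Must come first: HTTPS redirection, authentication and any IP checks below
// read Connection.RemoteIpAddress and Request.Scheme, which this middleware rewrites
// only when the immediate peer is in KnownNetworks.
app.UseForwardedHeaders();
app.UseHttpsRedirection();

// Assumed management network allowed to reach /admin.
var managementNetwork = new Microsoft.AspNetCore.HttpOverrides.IPNetwork(IPAddress.Parse("10.10.0.0"), 16);

app.Use(async (context, next) =>
{
    if (context.Request.Path.StartsWithSegments("/admin"))
    {
        // Use the validated address, never Request.Headers["X-Forwarded-For"] directly.
        var client = context.Connection.RemoteIpAddress;
        if (client is null || !managementNetwork.Contains(client))
        {
            context.Response.StatusCode = StatusCodes.Status403Forbidden;
            return;
        }
    }
    await next();
});

app.MapGet("/admin", (HttpContext ctx) =>
    Results.Ok(new { client = ctx.Connection.RemoteIpAddress?.ToString(), scheme = ctx.Request.Scheme }));

app.Run();
```

A request whose immediate peer is outside 10.0.0.0/8 keeps its real socket address and scheme, so a forged X-Forwarded-For from the Internet never reaches the /admin check.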