CVE-2023-32571
Published: 22 June 2023
Summary
CVE-2023-32571 is a critical-severity Incorrect Comparison (CWE-697) vulnerability in Dynamic-Linq Linq. Its CVSS base score is 9.8 (Critical).
Operationally, it is ranked in the top 1.0% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; and a public proof-of-concept is referenced.
Deeper analysis
CVE-2023-32571 is a remote code execution vulnerability affecting Dynamic LINQ (System.Linq.Dynamic.Core) versions 1.0.7.10 through 1.2.25, prior to 1.3.0. The flaw arises when untrusted input is supplied to the string-based methods such as Where, Select, and OrderBy: the expression text is parsed without sufficient validation, enabling arbitrary code and command execution. The issue carries a CVSS 3.1 base score of 9.8.
An attacker with network access can supply crafted expressions to these methods in any application that accepts dynamic LINQ queries from external sources. Successful exploitation grants full confidentiality, integrity, and availability impact without requiring authentication or user interaction.
The project repository and NCC Group advisory both point to upgrading to version 1.3.0 or later as the primary remediation, which addresses the unsafe parsing behavior.
The associated EPSS score has reached a peak of 0.8049 with a current value of 0.7691, indicating a sustained high predicted likelihood of exploitation following disclosure.
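To make the remediation concrete, the following C# fragment is an added example (not code from the Dynamic LINQ project or from the advisory). It contrasts the risky pattern the advisory describes, request-controlled text becoming the expression string passed to Where, with two defensive patterns: passing the untrusted value as a parameter placeholder (@0) so it is never parsed as expression grammar, and allow-listing the property names that may appear in an OrderBy string. The Order record, the sample rows, and the SortableFields set are constructed for illustration; the package is assumed to be upgraded to 1.3.0 or later as the advisory directs.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Linq.Dynamic.Core;   // NuGet: System.Linq.Dynamic.Core, assumed at 1.3.0 or later

public record Order(int Id, string Customer, decimal Total);

public static class OrderSearch
{
    // Constructed sample data for the example; not from the advisory.
    private static readonly IQueryable<Order> Orders = new List<Order>
    {
        new(1, "acme",   120.50m),
        new(2, "globex",  89.00m),
        new(3, "acme",   310.00m),
    }.AsQueryable();

    // Allow-list of properties a caller may sort on. Anything else is rejected
    // before it ever reaches the dynamic expression parser.
    private static readonly HashSet<string> SortableFields =
        new(StringComparer.Ordinal) { "Id", "Customer", "Total" };

    // RISKY PATTERN: request-controlled text is spliced into the predicate string,
    // so the parser treats whatever the caller sent as part of the expression.
    // On the affected versions this is precisely the untrusted input the advisory warns about.
    public static IQueryable<Order> ByCustomerUnsafe(string customerFromRequest) =>
        Orders.Where($"Customer == \"{customerFromRequest}\"");

    // HARDENED PATTERN: the expression is a fixed template; the untrusted value is
    // supplied as argument @0 and compared as data, never parsed as expression text.
    public static IQueryable<Order> ByCustomer(string customerFromRequest) =>
        Orders.Where("Customer == @0", customerFromRequest);

    // HARDENED PATTERN for ordering: the field name must come from the allow-list and
    // the direction is reduced to a boolean, so the ordering string is assembled only
    // from tokens the application itself chose.
    public static IQueryable<Order> Sorted(string fieldFromRequest, bool descending)
    {
        if (!SortableFields.Contains(fieldFromRequest))
            throw new ArgumentException($"Unsupported sort field '{fieldFromRequest}'.");

        return Orders.OrderBy(fieldFromRequest + (descending ? " desc" : ""));
    }

    public static void Main()
    {
        foreach (var o in ByCustomer("acme"))
            Console.WriteLine($"{o.Id} {o.Customer} {o.Total}");

        foreach (var o in Sorted("Total", descending: true))
            Console.WriteLine($"{o.Id} {o.Customer} {o.Total}");
    }
}
```

Parameterization only helps where the application controls the expression template and the caller supplies values. Endpoints that accept a complete filter or selector string from the client cannot be fixed this way; for those, the upgrade to 1.3.0 or later is the remediation, and a strict allow-list of permitted property names and operators is the compensating control if the upgrade cannot be applied immediately.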
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-1897
Vulnerability details
Dynamic Linq 1.0.7.10 through 1.2.25 before 1.3.0 allows attackers to execute arbitrary code and commands when untrusted input to methods including Where, Select, OrderBy is parsed.
- CWE(s): CWE-697 (Incorrect Comparison)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.