CVE-2020-7791: Denial of Service in i18n
CVSS Score: 7.5 (CVSS 3.1)
Basic Information
CVE ID: CVE-2020-7791
GHSA ID
EPSS Score: 0.80126%
CWE
Published: 12/14/2020
Updated: 1/29/2023
KEV Status: No
Technology: C#
Technical Details
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
---|---|---|---|
i18n | nuget | < 2.1.15 | 2.1.15 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability stems from two key flaws:
- In TextLocalizer.cs, IsLanguageValid() didn't check for null/empty langtags before validation, allowing invalid input to reach core logic (CWE-20). This is confirmed by the patch adding a 'langtag.IsSet()' guard clause.
- In LocalizedApplication.cs, the DefaultLanguage setter assigned LanguageTag.GetCachedInstance() results without null-checking, potentially propagating null references (CWE-400). The patch adds a null-check before assignment.

Both issues lead to unhandled exceptions that terminate the process, matching the described DoS impact. The commit diff and vulnerability description directly implicate these functions.
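
The two guard patterns described above, as an added example that is not the i18n package's source. Every name here (LangTagModel, Known, Lookup, Probe and the method names) is a hypothetical stand-in, string.IsNullOrEmpty stands in for the patch's langtag.IsSet() guard, and the inputs are constructed.

```csharp
using System;
using System.Collections.Generic;

// Hypothetical stand-ins modelling the two flaws; not the i18n package's code.
static class LangTagModel
{
    static readonly Dictionary<string, string> Known =
        new Dictionary<string, string> { ["en"] = "en", ["fr"] = "fr" };
    static string _default = "en";

    // Stand-in for a cached-instance lookup that yields null for unresolvable tags.
    static string Lookup(string tag) =>
        tag != null && Known.TryGetValue(tag, out var hit) ? hit : null;

    // Before: the tag is dereferenced without any check, so a null tag throws.
    static bool IsValidUnguarded(string langtag) => Known.ContainsKey(langtag.Trim());

    // After: a guard clause rejects null/empty tags before the core logic runs.
    static bool IsValidGuarded(string langtag) =>
        !string.IsNullOrEmpty(langtag) && Known.ContainsKey(langtag.Trim());

    // Before: the setter stores whatever the lookup returned, including null.
    static void SetDefaultUnguarded(string tag) => _default = Lookup(tag);

    // After: a failed lookup leaves the previous default in place.
    static void SetDefaultGuarded(string tag)
    {
        var resolved = Lookup(tag);
        if (resolved != null) _default = resolved;
    }

    // Runs a probe and reports either its value or the exception type it raised.
    static string Probe(Func<object> f)
    {
        try { return Convert.ToString(f()); }
        catch (Exception e) { return e.GetType().Name; }
    }

    static void Main()
    {
        foreach (var tag in new[] { "fr", "", null })   // constructed inputs
            Console.WriteLine("tag={0} unguarded={1} guarded={2}", tag ?? "<null>",
                Probe(() => IsValidUnguarded(tag)), Probe(() => IsValidGuarded(tag)));

        SetDefaultUnguarded("xx");   // unknown tag: default becomes null
        Console.WriteLine("unguarded default length: {0}", Probe(() => _default.Length));
        _default = "en";
        SetDefaultGuarded("xx");     // unknown tag: default stays "en"
        Console.WriteLine("guarded default length:   {0}", Probe(() => _default.Length));
    }
}
```

Probe catches the exception only so both paths can be compared in one run; in a request pipeline with no handler, the same exception is what takes the process down.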