Microsoft Urges Immediate Update to Fix ASP.NET Core DataProtection Flaw Allowing Token Forgery
April 22, 2026
ASP.NET Core is a high-performance framework for .NET apps across Windows, macOS, Linux, and Docker, with DataProtection as a core component.
A security flaw in the Microsoft.AspNetCore.DataProtection NuGet package, versions 10.0.0 through 10.0.6, caused HMAC signature verification to be performed incorrectly, allowing forgery of authenticated payloads and potentially enabling payload decryption and token forgery.
Microsoft notes that exploitation could enable attackers to decrypt payloads and, if used for authentication, to obtain legitimately signed tokens, though it does not directly impact system availability.
Microsoft released a fix in ASP.NET Core 10.0.7 to address a regression in the DataProtection library that caused incorrect HMAC computation and potential forgery of authenticated payloads.
A patch is available in ASP.NET Core 10.0.7; users should update to mitigate the risk.
Context includes related updates, such as an October patch for an HTTP request smuggling bug in Kestrel (CVE-2025-55315) and recent out-of-band Windows Server security updates in April 2026.
An anonymous researcher disclosed the vulnerability, prompting urgent out-of-band updates to reduce exposure.
Recommended remediation includes rebuilding affected applications, expiring and rotating cookies and tokens, and applying the 10.0.7 DataProtection update.
Microsoft says exploitation in the wild is currently unlikely but urges patching to mitigate potential attacks.
Exploitation requires three conditions: using 10.0.6 (directly or via dependencies), the NuGet library loaded at runtime, and running on non-Windows OSes like Linux or macOS.
Upgrading to 10.0.7 or later requires rotating the DataProtection key ring to invalidate previously issued tokens and prevent forgery post-upgrade.
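The exposure conditions above (affected version, package deployed with the app, non-Windows host) can be triaged from a published app's `<app>.deps.json`, which lists direct and transitive packages. The following is an added example, not code from the article or from Microsoft; the manifest it inspects is constructed sample data and the package name and version range are taken from the summary above.

```python
import json
import platform
# Added example (not from the article or Microsoft): triage a published app's
# <app>.deps.json, which lists direct and transitive packages, for the affected
# Microsoft.AspNetCore.DataProtection versions named in the advisory.
PACKAGE = "Microsoft.AspNetCore.DataProtection"
AFFECTED_MIN = (10, 0, 0)
AFFECTED_MAX = (10, 0, 6)

# Constructed sample manifest in the .deps.json shape; only fields needed here.
SAMPLE_DEPS_JSON = json.dumps({
    "targets": {".NETCoreApp,Version=v10.0": {
        "MyWebApp/1.0.0": {"dependencies": {PACKAGE: "10.0.6"}},
        PACKAGE + "/10.0.6": {"runtime": {"lib/net10.0/" + PACKAGE + ".dll": {}}},
    }},
    "libraries": {
        "MyWebApp/1.0.0": {"type": "project"},
        PACKAGE + "/10.0.6": {"type": "package"},
    },
})

def parse_version(text):
    """'10.0.6' or '10.0.6-rc.1+build' -> (10, 0, 6); the prerelease tag is
    dropped, so preview builds are treated as their core version."""
    core = text.split("-", 1)[0].split("+", 1)[0]
    parts = [int(p) for p in core.split(".")]
    return tuple((parts + [0, 0, 0])[:3])

def is_affected(version_text):
    """True for 10.0.0 through 10.0.6 inclusive, as the advisory states."""
    return AFFECTED_MIN <= parse_version(version_text) <= AFFECTED_MAX

def dataprotection_versions(deps_json_text):
    """Every version of the package present in the manifest's 'libraries'."""
    manifest = json.loads(deps_json_text)
    versions = []
    for key in manifest.get("libraries", {}):
        name, _, version = key.partition("/")
        if name.lower() == PACKAGE.lower() and version:
            versions.append(version)
    return versions

def assess(deps_json_text, os_name=None):
    """Combine the advisory's conditions: affected version, package deployed
    with the app, non-Windows host. 'needs_patch' ignores the OS on purpose."""
    os_name = os_name or platform.system()
    affected = [v for v in dataprotection_versions(deps_json_text) if is_affected(v)]
    return {"affected_versions": affected,
            "needs_patch": bool(affected),
            "exposed": bool(affected) and os_name != "Windows"}
```

Run `assess(open("MyWebApp.deps.json").read())` against a real publish output; `needs_patch` stays true on Windows because the upgrade and key-ring rotation apply regardless of host.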
Summary based on 5 sources
Sources

Ars Technica • Apr 22, 2026
Microsoft issues emergency update for macOS and Linux ASP.NET threat
The Hacker News • Apr 22, 2026
Microsoft Patches Critical ASP.NET Core CVE-2026-40372 Privilege Escalation Bug
Security Affairs • Apr 22, 2026
Microsoft out-of-band updates fixed critical ASP.NET Core privilege escalation flaw
BleepingComputer • Apr 22, 2026
Microsoft releases emergency patches for critical ASP.NET flaw