Unsafe Reflection Vulnerability (3600)
Description
Product Alert – May 2025 - CVE-2025-3600
- Progress® Telerik® UI for AJAX 2025 Q1 (2025.1.218) or earlier.
What Are the Impacts
In Progress® Telerik® UI for AJAX, versions 2011.2.712 to 2025.1.218, an attacker can send a specially crafted request that triggers an unsafe reflection vulnerability. This causes an unhandled exception resulting in a crash of the hosting process, leading to denial of service while the application is restarting.
Issue
CWE-470: Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')
Solution
We have addressed the issue and the Progress Telerik team strongly recommends performing an upgrade to the latest version listed in the table below.
| Current Version | Update to |
|---|---|
| >= v2011.2.712 && <= v2025.1.218 (2025 Q1 SP1) | >= v2025.1.416 (2025 Q1 SP2) |
Follow the update instructions for the precise steps. All customers who have a license for UI for AJAX can access the downloads at Product Downloads | Your Account.
Our only official recommendation is to upgrade to the patched release. If you cannot upgrade immediately, visit the Mitigation section for temporary workaround options.
Verification
To determine if your application is affected by this vulnerability, take the following steps.
1. Check your project references for Telerik.Web.UI.dll.
   - If the assembly reference exists, continue to step 2.
   - If it does not, the project is not vulnerable.
2. Check the assembly version in Visual Studio by right-clicking the Telerik.Web.UI reference, selecting "Properties", and looking at the value for Version (to check outside of Visual Studio, use this guide).
   - If the version is from 2011.2.712 to 2025.1.218 (inclusive), continue to step 3.
   - If it is outside of this range, the application is not vulnerable.
3. Inspect the web.config to see if either of these two handlers is registered:

```xml
<!-- web.config -->
<system.web>
  <httpHandlers>
    <add path="Telerik.Web.UI.WebResource.axd" type="Telerik.Web.UI.WebResource" verb="*" validate="false" />
  </httpHandlers>
</system.web>
<system.webServer>
  <handlers>
    <add name="Telerik_Web_UI_WebResource_axd" path="Telerik.Web.UI.WebResource.axd" type="Telerik.Web.UI.WebResource" verb="*" preCondition="integratedMode" />
  </handlers>
</system.webServer>
```

   - If either is present, your application is vulnerable to CVE-2025-3600. Please upgrade to 2025.1.416 or, if that is not possible, choose a mitigation option.
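The following Python script is an added example, not Progress's own tooling: it mirrors the three verification steps above for a fleet of applications where you already have the Telerik.Web.UI.dll version string (obtained as described in step 2) and the web.config text. The version range, the handler type name and the handler path come from this advisory; the sample web.config embedded below is constructed for the demonstration, and the assembly-qualified `type` handling is an assumption about how some projects register the handler.

```python
"""Added example (not Progress's own tooling): mirror the three verification
steps against an assembly version string and a web.config document."""
import xml.etree.ElementTree as ET

# Affected range from the advisory, inclusive at both ends; the fixed release is 2025.1.416.
FIRST_AFFECTED = (2011, 2, 712)
LAST_AFFECTED = (2025, 1, 218)
FIXED_RELEASE = "2025.1.416"
HANDLER_TYPE = "Telerik.Web.UI.WebResource"
HANDLER_PATH = "telerik.web.ui.webresource.axd"


def parse_version(version):
    """Reduce a Telerik version such as '2024.2.513.45' to its (year, release, build) triple.
    A fourth component, when present, is a revision and does not affect the range check."""
    parts = version.strip().split(".")
    if len(parts) < 3 or not all(p.isdigit() for p in parts[:3]):
        raise ValueError(f"unrecognised Telerik version string: {version!r}")
    return tuple(int(p) for p in parts[:3])


def is_affected_version(version):
    """Step 2: True when the version falls in 2011.2.712 .. 2025.1.218 (inclusive)."""
    return FIRST_AFFECTED <= parse_version(version) <= LAST_AFFECTED


def _adds(root, *path):
    """Return the <add> children of the section reached by walking `path` from `root`."""
    node = root
    for tag in path:
        node = next((child for child in node if child.tag == tag), None)
        if node is None:
            return []
    return [child for child in node if child.tag == "add"]


def webresource_handler_registered(web_config_xml):
    """Step 3: True when the WebResource handler is registered in either the classic
    <system.web>/<httpHandlers> section or the integrated <system.webServer>/<handlers> section.
    The type attribute may be assembly-qualified ('Telerik.Web.UI.WebResource, Telerik.Web.UI'),
    so only the part before the first comma is compared (assumption)."""
    root = ET.fromstring(web_config_xml)
    candidates = _adds(root, "system.web", "httpHandlers") + _adds(root, "system.webServer", "handlers")
    for add in candidates:
        type_name = add.get("type", "").split(",")[0].strip()
        if type_name == HANDLER_TYPE and add.get("path", "").lower() == HANDLER_PATH:
            return True
    return False


def assess(assembly_version, web_config_xml):
    """Walk steps 1-3 and return a one-line verdict. assembly_version is None when
    Telerik.Web.UI.dll is not referenced at all (step 1)."""
    if assembly_version is None:
        return "not vulnerable: Telerik.Web.UI.dll is not referenced"
    if not is_affected_version(assembly_version):
        return f"not vulnerable: {assembly_version} is outside 2011.2.712-2025.1.218"
    if not webresource_handler_registered(web_config_xml):
        return f"affected version {assembly_version}, but no WebResource handler is registered in web.config"
    return f"vulnerable to CVE-2025-3600: upgrade to {FIXED_RELEASE} or apply a mitigation"


# Constructed sample web.config carrying both handler registrations named in the advisory.
SAMPLE_WEB_CONFIG = """<configuration>
  <system.web>
    <httpHandlers>
      <add path="Telerik.Web.UI.WebResource.axd" type="Telerik.Web.UI.WebResource" verb="*" validate="false" />
    </httpHandlers>
  </system.web>
  <system.webServer>
    <handlers>
      <add name="Telerik_Web_UI_WebResource_axd" path="Telerik.Web.UI.WebResource.axd"
           type="Telerik.Web.UI.WebResource, Telerik.Web.UI" verb="*" preCondition="integratedMode" />
    </handlers>
  </system.webServer>
</configuration>"""


if __name__ == "__main__":
    for version in ("2011.1.519", "2024.2.513.45", "2025.1.218.45", "2025.1.416.462", None):
        print(version, "->", assess(version, SAMPLE_WEB_CONFIG))
```

Only the first three version components take part in the comparison, because the advisory states the range in that form; the build-level revision (the fourth number) is carried by the binding redirect later on the page but does not move a version in or out of the affected range.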
Mitigation
If you are unable to upgrade to a product version which contains the fix (v2025.1.416 [2025 Q1 SP2] or later), you can mitigate the issue using one of three approaches.
Carefully read the specifics of each workaround to make a decision on which is best for your situation. Option 1 is only valid for customers using 2024 Q2 or later. Option 2 and option 3 will work for all affected versions.
Option 1. Assembly Binding Redirect
If your application uses 2024.2 or later, but you do not have the ability to upgrade the project (e.g., no source access, tooling constraints), you can use an assembly bindingRedirect in the web.config to instruct the application to load the fixed version's dlls (2025.1.416).
- In the application's binaries folder, replace all the Telerik UI for ASP.NET AJAX dll files (Telerik.Web.UI.dll, Telerik.Web.UI.Skins.dll, etc.) with the versions from 2025.1.416 (or later).
- Edit the project's web.config file and add binding redirects for each assembly that was replaced.

```xml
<runtime>
  <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">
    <dependentAssembly>
      <assemblyIdentity name="Telerik.Web.UI" publicKeyToken="121fae78165ba3d4" culture="neutral" />
      <bindingRedirect oldVersion="0.0.0.0-2025.1.416.462" newVersion="2025.1.416.462" />
    </dependentAssembly>
    <dependentAssembly>
      <assemblyIdentity name="Telerik.Web.UI.Skins" publicKeyToken="121fae78165ba3d4" culture="neutral" />
      <bindingRedirect oldVersion="0.0.0.0-2025.1.416.462" newVersion="2025.1.416.462" />
    </dependentAssembly>
    <!-- Add a redirect for every additional Telerik assembly you may be using -->
  </assemblyBinding>
</runtime>
```
Considerations
- This is our recommended workaround option, as it uses the same patched assemblies as if you upgraded the project directly.
- As mentioned, we can only guarantee this approach to work for versions after 2024.2. However, you might be able to use this approach with older versions given these two conditions:
  - Your project's target framework is set to .NET Framework v4.6.2 or later.
  - You have no use of code that is subject to breaking changes; see Changes and Backwards Compatibility.
- For more information about this technique, see Microsoft's Binding Redirect documentation.
Option 2. HTTP Request Filtering Module
This approach inspects the HTTP request and looks for a match in the querystring. If the query matches the affected endpoint, an HTTP 403 code is returned.
- Create a class for the module in the web application (for the web site project type, put the .cs file in the App_Code directory).

```csharp
using System.Globalization;
using System.Web;

namespace MyApp.Modules
{
    public class RequestFilteringModule : IHttpModule
    {
        public void Init(HttpApplication context)
        {
            context.BeginRequest += (sender, args) =>
            {
                // Reject requests to the WebResource handler that carry type=iec
                // together with a prtype parameter; everything else passes through.
                if (context.Request.Path.ToLower(CultureInfo.InvariantCulture).Contains("telerik.web.ui.webresource.axd")
                    && (context.Request["type"] != null && context.Request["type"].ToLower(CultureInfo.InvariantCulture) == "iec")
                    && context.Request["prtype"] != null)
                {
                    context.Response.StatusCode = 403;
                    context.CompleteRequest();
                }
            };
        }

        public void Dispose() { }
    }
}
```

- Register the module within the `<system.webServer>` -> `<modules>` section in the web.config, using the class's namespace and class name.

```xml
<system.webServer>
  <modules>
    <add name="MyRequestFilteringModule" type="MyApp.Modules.RequestFilteringModule" />
  </modules>
</system.webServer>
```
Considerations
If you do not have access to the source code, you can still use this option by compiling this code to a separate assembly. Then, place the assembly into the application's binaries folder. IIS will use the web.config's modules section to locate the type.
Option 3. Url Rewrite
This approach inspects the incoming request and blocks traffic to the affected endpoints to provide some level of protection. Use this only if you cannot use any of the prior options. Take the following steps:
- Open the application's web.config file.
- Add the following `<rewrite>` section within the `<system.webServer>` parent.

```xml
<rewrite>
  <rules>
    <rule name="Allow RadAsyncUpload and RadCloudUpload Post Requests" stopProcessing="true">
      <match url="Telerik.Web.UI.WebResource.axd" />
      <conditions logicalGrouping="MatchAll">
        <add input="{UrlDecode:{QUERY_STRING}}" pattern="^type=(rau|rcu)$" ignoreCase="true" />
        <add input="{REQUEST_METHOD}" pattern="^POST$" ignoreCase="true" />
      </conditions>
      <action type="None" />
    </rule>
    <rule name="Block all GET requests containing Content-Type" stopProcessing="true">
      <match url="Telerik.Web.UI.WebResource.axd" ignoreCase="true" />
      <conditions logicalGrouping="MatchAll">
        <add input="{REQUEST_METHOD}" pattern="^GET$" ignoreCase="true" />
        <add input="{HTTP_CONTENT_TYPE}" pattern=".+" ignoreCase="true" />
      </conditions>
      <action type="CustomResponse" statusCode="403" statusReason="Forbidden" statusDescription="Request blocked" />
    </rule>
    <rule name="Block PRType and Encoded Attacks" stopProcessing="true">
      <match url="Telerik.Web.UI.WebResource.axd" ignoreCase="true" />
      <conditions logicalGrouping="MatchAny">
        <add input="{UrlDecode:{QUERY_STRING}}" pattern="prtype=" ignoreCase="true" />
        <add input="{UrlDecode:{HTTP_COOKIE}}" pattern="prtype=" ignoreCase="true" />
        <add input="{REQUEST_METHOD}" pattern="^GET$" negate="true" ignoreCase="true" />
      </conditions>
      <action type="CustomResponse" statusCode="403" statusReason="Forbidden" statusDescription="Request blocked" />
    </rule>
  </rules>
</rewrite>
```
- Save the changes.
Considerations
- Before you can use this approach, make sure the Url Rewrite module is installed in IIS before updating your web.config. If it is not present, the application will not start.
- We have validated this approach with IIS. It is not guaranteed to work for other web servers.
- Modifications to web.config should trigger an IIS restart. However, it may not restart immediately if there are active user sessions. We strongly recommend immediately restarting the application manually after making this modification.
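To make the behaviour of Option 2 and Option 3 concrete, here is an added Python example (not Progress's own code) that reimplements the module's predicate and the three rewrite rules, then runs both over a handful of constructed requests so the two mitigations can be compared side by side before deployment. The `Request` model, the cookie lookup and the omission of form bodies from the `Request[name]` emulation are assumptions of this example; parameter names, rule order, `MatchAll`/`MatchAny` grouping and the `negate` condition follow the configuration shown above.

```python
"""Added example (not Progress's own code): the request predicate from the Option 2
module and the rule chain from the Option 3 rewrite section, reimplemented in Python
and evaluated over constructed requests."""
import re
from dataclasses import dataclass
from urllib.parse import parse_qs, unquote

HANDLER = "telerik.web.ui.webresource.axd"


@dataclass
class Request:
    """Minimal model (constructed) of the request fields the two mitigations inspect."""
    method: str
    path: str
    query: str = ""
    cookie: str = ""
    content_type: str = ""


def _lookup(req, name):
    """Approximate ASP.NET's Request[name]: query string first, then cookies.
    Form bodies are omitted from this model (assumption). Names are case-insensitive,
    and parse_qs percent-decodes parameter names, as the ASP.NET collections do."""
    query = {k.lower(): v[0] for k, v in parse_qs(req.query, keep_blank_values=True).items()}
    if name in query:
        return query[name]
    for part in req.cookie.split(";"):
        key, sep, value = part.strip().partition("=")
        if sep and key.lower() == name:
            return value
    return None


def module_blocks(req):
    """Option 2 predicate: handler path, type=iec and a prtype parameter present -> 403."""
    if HANDLER not in req.path.lower():
        return False
    type_value = _lookup(req, "type")
    return type_value is not None and type_value.lower() == "iec" and _lookup(req, "prtype") is not None


def rewrite_decision(req):
    """Option 3 rule chain, evaluated in order; every rule has stopProcessing="true",
    so the first rule whose conditions hold decides. Returns 'allow' or 'block'."""
    if HANDLER not in req.path.lower():  # <match url="Telerik.Web.UI.WebResource.axd" />
        return "allow"
    query = unquote(req.query)   # {UrlDecode:{QUERY_STRING}}
    cookie = unquote(req.cookie)  # {UrlDecode:{HTTP_COOKIE}}
    method = req.method.upper()
    # Rule 1 (MatchAll): POST uploads for RadAsyncUpload/RadCloudUpload pass through.
    if re.fullmatch(r"type=(rau|rcu)", query, re.IGNORECASE) and method == "POST":
        return "allow"
    # Rule 2 (MatchAll): GET requests that carry a Content-Type header are blocked.
    if method == "GET" and req.content_type:
        return "block"
    # Rule 3 (MatchAny): prtype in query or cookie, or any non-GET method (negated ^GET$), is blocked.
    if (re.search("prtype=", query, re.IGNORECASE)
            or re.search("prtype=", cookie, re.IGNORECASE)
            or method != "GET"):
        return "block"
    return "allow"


def evaluate(req):
    """Decision of each mitigation for one request."""
    return {"module": "block" if module_blocks(req) else "allow", "rewrite": rewrite_decision(req)}


# Constructed requests: a normal script fetch, an upload, a prtype request, a percent-encoded
# parameter name, a non-GET request without prtype, and an unrelated page.
SAMPLE_REQUESTS = {
    "script fetch": Request("GET", "/Telerik.Web.UI.WebResource.axd", "type=jsm"),
    "upload": Request("POST", "/Telerik.Web.UI.WebResource.axd", "type=rau"),
    "prtype": Request("GET", "/Telerik.Web.UI.WebResource.axd", "type=iec&prtype=x"),
    "encoded name": Request("GET", "/telerik.web.ui.webresource.axd", "type=iec&%70rtype=x"),
    "non-GET without prtype": Request("POST", "/Telerik.Web.UI.WebResource.axd", "type=iec"),
    "other page": Request("GET", "/Default.aspx", "prtype=x"),
}

if __name__ == "__main__":
    for label, req in SAMPLE_REQUESTS.items():
        print(f"{label:24} {evaluate(req)}")
```

Running the sample shows where the two options differ: both leave ordinary script fetches and the `rau`/`rcu` upload POSTs alone and both reject a `prtype` request whether the parameter name is sent plainly or percent-encoded, but the rewrite chain also rejects every non-GET request to the handler that is not one of the allowed uploads, which the module's narrower predicate does not. Check the rule ordering in your own environment with requests like these before relying on either mitigation.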
Notes
- If you have any questions or concerns related to this issue, open a new Technical Support case in Your Account | Support Center. Technical Support is available to customers with an active support plan.
- We would like to thank Piotr Bazydlo (@chudyPB) of watchTowr for responsibly disclosing this vulnerability and assisting in its resolution.
External References
CVE-2025-3600 (HIGH)
CVSS: 7.5
In Progress® Telerik® UI for AJAX, versions 2011.2.712 to 2025.1.218, an unsafe reflection vulnerability exists that may lead to an unhandled exception resulting in a crash of the hosting process and denial of service.
Discoverer Credit: Piotr Bazydlo (@chudyPB) of watchTowr