Optimizely CMS platform bug in ErrorsController (EPiServer.CMS.Core 12.22.9 fix)

Posted on Sunday, November 9, 2025

While checking Application Insights earlier this year, I stumbled upon a strange exception in my Optimizely site. At first, I thought it might be a misconfigured redirect or some leftover test code — but after digging in, it turned out to be an actual platform bug, one I ended up reporting to Optimizely.

It’s a subtle one. If you’re using the custom error pages provided out of the box, you could be impacted — unless you’re already running the latest version.

The Symptom

My site doesn’t generate a lot of exceptions, so this one stood out right away. A few errors were being thrown, all with the same root cause, and all triggered by bots, not real users.

Here’s what showed up in Application Insights:

System.UriFormatException:
   at System.Uri.CreateThis (System.Private.Uri undefined, Version=8.0.0.0 undefined, Culture=neutral undefined, PublicKeyToken=b03f5f7f11d50a3a undefined)
   at System.Uri..ctor (System.Private.Uri undefined, Version=8.0.0.0 undefined, Culture=neutral undefined, PublicKeyToken=b03f5f7f11d50a3a undefined)
   at System.UriBuilder..ctor (System.Private.Uri undefined, Version=8.0.0.0 undefined, Culture=neutral undefined, PublicKeyToken=b03f5f7f11d50a3a undefined)
   at EPiServer.UrlBuilder.Init (EPiServer undefined, Version=12.22.6.0 undefined, Culture=neutral undefined, PublicKeyToken=8fe83dea738b45b7 undefined)
   at EPiServer.Core.Routing.Pipeline.Internal.SimpleAddressResolverPipelineStep.ResolveSimpleAddress (EPiServer undefined, Version=12.22.6.0 undefined, Culture=neutral undefined, PublicKeyToken=8fe83dea738b45b7 undefined)
   at EPiServer.Core.Routing.Pipeline.Internal.SimpleAddressResolverPipelineStep.Resolve (EPiServer undefined, Version=12.22.6.0 undefined, Culture=neutral undefined, PublicKeyToken=8fe83dea738b45b7 undefined)
   at EPiServer.Core.Routing.Internal.DefaultContentUrlResolver.Resolve (EPiServer undefined, Version=12.22.6.0 undefined, Culture=neutral undefined, PublicKeyToken=8fe83dea738b45b7 undefined)
   at EPiServer.Cms.Shell.UI.Controllers.Internal.ErrorsController.ResolveUICulture (EPiServer.Cms.Shell.UI undefined, Version=12.32.5.0 undefined, Culture=neutral undefined, PublicKeyToken=8fe83dea738b45b7 undefined)
   at EPiServer.Cms.Shell.UI.Controllers.Internal.ErrorsController.Error500 (EPiServer.Cms.Shell.UI undefined, Version=12.32.5.0 undefined, Culture=neutral undefined, PublicKeyToken=8fe83dea738b45b7 undefined)
   at lambda_method58068 .lambda_method58068 (Anonymously Hosted, Version=0.0.0.0 undefined, Culture=neutral undefined, PublicKeyToken=null undefined)
   at Microsoft.AspNetCore.Mvc.Infrastructure.ActionMethodExecutor+SyncActionResultExecutor.Execute (Microsoft.AspNetCore.Mvc.Core undefined, Version=8.0.0.0 undefined, Culture=neutral undefined, PublicKeyToken=adb9793829ddae60 undefined)
   at Microsoft.AspNetCore.Mvc.Infrastructure.ControllerActionInvoker+<<InvokeActionMethodAsync>g__Logged|12_1>d.MoveNext (Microsoft.AspNetCore.Mvc.Core undefined, Version=8.0.0.0 undefined, Culture=neutral undefined, PublicKeyToken=adb9793829ddae60 undefined)
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw (System.Private.CoreLib undefined, Version=8.0.0.0 undefined, Culture=neutral undefined, PublicKeyToken=7cec85d7bea7798e undefined)
   at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess (System.Private.CoreLib undefined, Version=8.0.0.0 undefined, Culture=neutral undefined, PublicKeyToken=7cec85d7bea7798e undefined)
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification (System.Private.CoreLib undefined, Version=8.0.0.0 undefined, Culture=neutral undefined, PublicKeyToken=7cec85d7bea7798e undefined)
   at Microsoft.AspNetCore.Mvc.Infrastructure.ControllerActionInvoker+<<InvokeNextActionFilterAsync>g__Awaited|10_0>d.MoveNext (Microsoft.AspNetCore.Mvc.Core undefined, Version=8.0.0.0 undefined, Culture=neutral undefined, PublicKeyToken=adb9793829ddae60 undefined)
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw (System.Private.CoreLib undefined, Version=8.0.0.0 undefined, Culture=neutral undefined, PublicKeyToken=7cec85d7bea7798e undefined)
   at Microsoft.AspNetCore.Mvc.Infrastructure.ControllerActionInvoker.Rethrow (Microsoft.AspNetCore.Mvc.Core undefined, Version=8.0.0.0 undefined, Culture=neutral undefined, PublicKeyToken=adb9793829ddae60 undefined)
   at Microsoft.AspNetCore.Mvc.Infrastructure.ControllerActionInvoker.Next (Microsoft.AspNetCore.Mvc.Core undefined, Version=8.0.0.0 undefined, Culture=neutral undefined, PublicKeyToken=adb9793829ddae60 undefined)
   at Microsoft.AspNetCore.Mvc.Infrastructure.ControllerActionInvoker.InvokeInnerFilterAsync (Microsoft.AspNetCore.Mvc.Core undefined, Version=8.0.0.0 undefined, Culture=neutral undefined, PublicKeyToken=adb9793829ddae60 undefined)
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw (System.Private.CoreLib undefined, Version=8.0.0.0 undefined, Culture=neutral undefined, PublicKeyToken=7cec85d7bea7798e undefined)
   at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess (System.Private.CoreLib undefined, Version=8.0.0.0 undefined, Culture=neutral undefined, PublicKeyToken=7cec85d7bea7798e undefined)
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification (System.Private.CoreLib undefined, Version=8.0.0.0 undefined, Culture=neutral undefined, PublicKeyToken=7cec85d7bea7798e undefined)
   at Microsoft.AspNetCore.Mvc.Infrastructure.ResourceInvoker+<<InvokeNextResourceFilter>g__Awaited|25_0>d.MoveNext (Microsoft.AspNetCore.Mvc.Core undefined, Version=8.0.0.0 undefined, Culture=neutral undefined, PublicKeyToken=adb9793829ddae60 undefined)
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw (System.Private.CoreLib undefined, Version=8.0.0.0 undefined, Culture=neutral undefined, PublicKeyToken=7cec85d7bea7798e undefined)
   at Microsoft.AspNetCore.Mvc.Infrastructure.ResourceInvoker.Rethrow (Microsoft.AspNetCore.Mvc.Core undefined, Version=8.0.0.0 undefined, Culture=neutral undefined, PublicKeyToken=adb9793829ddae60 undefined)
   at Microsoft.AspNetCore.Mvc.Infrastructure.ResourceInvoker.Next (Microsoft.AspNetCore.Mvc.Core undefined, Version=8.0.0.0 undefined, Culture=neutral undefined, PublicKeyToken=adb9793829ddae60 undefined)
   at Microsoft.AspNetCore.Mvc.Infrastructure.ResourceInvoker.InvokeFilterPipelineAsync (Microsoft.AspNetCore.Mvc.Core undefined, Version=8.0.0.0 undefined, Culture=neutral undefined, PublicKeyToken=adb9793829ddae60 undefined)
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw (System.Private.CoreLib undefined, Version=8.0.0.0 undefined, Culture=neutral undefined, PublicKeyToken=7cec85d7bea7798e undefined)
   at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess (System.Private.CoreLib undefined, Version=8.0.0.0 undefined, Culture=neutral undefined, PublicKeyToken=7cec85d7bea7798e undefined)
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification (System.Private.CoreLib undefined, Version=8.0.0.0 undefined, Culture=neutral undefined, PublicKeyToken=7cec85d7bea7798e undefined)
   at Microsoft.AspNetCore.Mvc.Infrastructure.ResourceInvoker+<<InvokeAsync>g__Logged|17_1>d.MoveNext (Microsoft.AspNetCore.Mvc.Core undefined, Version=8.0.0.0 undefined, Culture=neutral undefined, PublicKeyToken=adb9793829ddae60 undefined)
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw (System.Private.CoreLib undefined, Version=8.0.0.0 undefined, Culture=neutral undefined, PublicKeyToken=7cec85d7bea7798e undefined)
   at Microsoft.AspNetCore.Mvc.Infrastructure.ResourceInvoker+<<InvokeAsync>g__Logged|17_1>d.MoveNext (Microsoft.AspNetCore.Mvc.Core undefined, Version=8.0.0.0 undefined, Culture=neutral undefined, PublicKeyToken=adb9793829ddae60 undefined)
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw (System.Private.CoreLib undefined, Version=8.0.0.0 undefined, Culture=neutral undefined, PublicKeyToken=7cec85d7bea7798e undefined)
   at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess (System.Private.CoreLib undefined, Version=8.0.0.0 undefined, Culture=neutral undefined, PublicKeyToken=7cec85d7bea7798e undefined)
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification (System.Private.CoreLib undefined, Version=8.0.0.0 undefined, Culture=neutral undefined, PublicKeyToken=7cec85d7bea7798e undefined)
   at Stott.Optimizely.RobotsHandler.Environments.RobotsHeaderMiddleware+<Invoke>d__2.MoveNext (Stott.Optimizely.RobotsHandler undefined, Version=4.0.0.0 undefined, Culture=neutral undefined, PublicKeyToken=null undefined)
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw (System.Private.CoreLib undefined, Version=8.0.0.0 undefined, Culture=neutral undefined, PublicKeyToken=7cec85d7bea7798e undefined)
   at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess (System.Private.CoreLib undefined, Version=8.0.0.0 undefined, Culture=neutral undefined, PublicKeyToken=7cec85d7bea7798e undefined)
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification (System.Private.CoreLib undefined, Version=8.0.0.0 undefined, Culture=neutral undefined, PublicKeyToken=7cec85d7bea7798e undefined)
   at Microsoft.AspNetCore.Authorization.AuthorizationMiddleware+<Invoke>d__11.MoveNext (Microsoft.AspNetCore.Authorization.Policy undefined, Version=8.0.0.0 undefined, Culture=neutral undefined, PublicKeyToken=adb9793829ddae60 undefined)
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw (System.Private.CoreLib undefined, Version=8.0.0.0 undefined, Culture=neutral undefined, PublicKeyToken=7cec85d7bea7798e undefined)
   at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess (System.Private.CoreLib undefined, Version=8.0.0.0 undefined, Culture=neutral undefined, PublicKeyToken=7cec85d7bea7798e undefined)
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification (System.Private.CoreLib undefined, Version=8.0.0.0 undefined, Culture=neutral undefined, PublicKeyToken=7cec85d7bea7798e undefined)
   at Microsoft.AspNetCore.Authentication.AuthenticationMiddleware+<Invoke>d__6.MoveNext (Microsoft.AspNetCore.Authentication undefined, Version=8.0.0.0 undefined, Culture=neutral undefined, PublicKeyToken=adb9793829ddae60 undefined)
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw (System.Private.CoreLib undefined, Version=8.0.0.0 undefined, Culture=neutral undefined, PublicKeyToken=7cec85d7bea7798e undefined)
   at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess (System.Private.CoreLib undefined, Version=8.0.0.0 undefined, Culture=neutral undefined, PublicKeyToken=7cec85d7bea7798e undefined)
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification (System.Private.CoreLib undefined, Version=8.0.0.0 undefined, Culture=neutral undefined, PublicKeyToken=7cec85d7bea7798e undefined)
   at Geta.NotFoundHandler.Infrastructure.Initialization.NotFoundHandlerMiddleware+<InvokeAsync>d__2.MoveNext (Geta.NotFoundHandler undefined, Version=5.0.13.0 undefined, Culture=neutral undefined, PublicKeyToken=null undefined)
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw (System.Private.CoreLib undefined, Version=8.0.0.0 undefined, Culture=neutral undefined, PublicKeyToken=7cec85d7bea7798e undefined)
   at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess (System.Private.CoreLib undefined, Version=8.0.0.0 undefined, Culture=neutral undefined, PublicKeyToken=7cec85d7bea7798e undefined)
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification (System.Private.CoreLib undefined, Version=8.0.0.0 undefined, Culture=neutral undefined, PublicKeyToken=7cec85d7bea7798e undefined)
   at EPiServer.Cms.Shell.UI.Internal.RegisterAdminUserMiddleware+<InvokeAsync>d__5.MoveNext (EPiServer.Cms.Shell.UI undefined, Version=12.32.5.0 undefined, Culture=neutral undefined, PublicKeyToken=8fe83dea738b45b7 undefined)
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw (System.Private.CoreLib undefined, Version=8.0.0.0 undefined, Culture=neutral undefined, PublicKeyToken=7cec85d7bea7798e undefined)
   at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess (System.Private.CoreLib undefined, Version=8.0.0.0 undefined, Culture=neutral undefined, PublicKeyToken=7cec85d7bea7798e undefined)
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification (System.Private.CoreLib undefined, Version=8.0.0.0 undefined, Culture=neutral undefined, PublicKeyToken=7cec85d7bea7798e undefined)
   at Microsoft.AspNetCore.Diagnostics.ExceptionHandlerMiddlewareImpl+<HandleException>d__11.MoveNext (Microsoft.AspNetCore.Diagnostics undefined, Version=8.0.0.0 undefined, Culture=neutral undefined, PublicKeyToken=adb9793829ddae60 undefined)
 

The Root Cause

After a bit of debugging, I found that certain requests contained invalid characters in the URL, which caused Optimizely’s ErrorsController to fail while trying to build a Uri.

Here’s an example of a request that triggered the issue:

https://www.davidhome.net/h%20ttps:%20oast.me

That tiny bit of malformed input was enough to cause a System.UriFormatException deep inside the platform. Essentially, the controller attempts to construct a Uri from the incoming request — but when the value isn’t valid, everything breaks.

The Fix

The issue has already been fixed in EPiServer.CMS.Core 12.22.9.
If you’re on an earlier version and you’re seeing similar exceptions, simply update your package and you’ll be good to go.

Final Thoughts

This isn’t something an end user would normally trigger, but it’s still worth cleaning up to keep your telemetry free of noise and your logs easy to trust.

Small bugs like this remind me why it’s always worth checking Application Insights from time to time — even when you think nothing’s happening behind the scenes.

Happy programming 👋

Optimizely
C# Bug ASP.NET