- CVE-2025-55315 enables HTTP request smuggling in ASP.NET Core’s Kestrel web server
- Attackers can bypass controls, access credentials, alter files, or crash the server
- Microsoft released updates for affected .NET and Visual Studio versions to mitigate the flaw
Microsoft has confirmed it recently fixed its “highest ever” vulnerability plaguing its ASP.NET Core product.
Described as an “HTTP request smuggling bug”, the vulnerability is tracked as CVE-2025-55315, and was given a severity score of 9.9/10 (critical).
It affects the Kestrel ASP.NET Core web server and allows unauthenticated attackers to “smuggle” secondary HTTP requests within the original request.
How to update
The smuggled one can help the attackers bypass different security controls; it was explained.
“An attacker who successfully exploited this vulnerability could view sensitive information such as other user’s credentials (Confidentiality) and make changes to file contents on the target server (Integrity), and they might be able to force a crash within the server (Availability),” Microsoft explained in its security advisory.
Depending on which versions you are running, there are different ways to secure your infrastructure from potential attacks.
Those running .NET 8 or later should install the .NET update from Microsoft Update, while those running .NET 2.3 should update the package reference for Microsoft.AspNet.Server.Kestrel.Core to 2.3.6, then recompile the application, and redeploy. Those running a self-contained/single-file application should install the .NET update, recompile, and redeploy.
Microsoft has also released security updates for Microsoft Visual Studio 2022, ASP.NET Core 2.3, ASP.NET Core 8.0, and ASP.NET Core 9.0, as well as the Microsoft.AspNetCore.Server.Kestrel.Core package for ASP.NET Core 2.x apps.
On GitHub, .NET security technical program manager Barry Dorrans said that the bug’s score would be “nowhere near that high”, but scores are based on how the bug might affect applications built on top of ASP.NET, so it really comes down to each individual app:
“We don’t know what’s possible because it’s dependent on how you’ve written your app,” he said. “Thus, we score with the worst possible case in mind, a security feature bypass which changes scope.”
Via The Register
Follow TechRadar on Google News and add us as a preferred source to get our expert news, reviews, and opinion in your feeds. Make sure to click the Follow button!
And of course you can also follow TechRadar on TikTok for news, reviews, unboxings in video form, and get regular updates from us on WhatsApp too.
