- CVE-2025-55315 enables HTTP request smuggling in the ASP.NET Core Kestrel web server.
- Attackers can bypass controls, access credentials, alter files, or crash the server.
- Microsoft released updates for affected versions of .NET and Visual Studio to mitigate the flaw.
Microsoft has confirmed that it recently fixed the “highest ever” vulnerability affecting its ASP.NET Core product.
Described as an “HTTP request smuggling bug,” the vulnerability is tracked as CVE-2025-55315 and was assigned a severity score of 9.9/10 (critical).
It affects the Kestrel ASP.NET Core web server and allows unauthenticated attackers to “smuggle” secondary HTTP requests into the original request.
Smuggling can help attackers bypass various security controls, it was explained.
“An attacker who successfully exploited this vulnerability could view sensitive information, such as other users’ credentials (Confidentiality), and make changes to the content of the file on the target server (Integrity), and could force a crash within the server (Availability),” Microsoft explained in its security advisory.
How to update
Depending on the versions you are running, there are different ways to protect your infrastructure against potential attacks.
Those running .NET 8 or later should install the .NET update from Microsoft Update, while those running ASP.NET Core 2.3 should update the package reference for Microsoft.AspNetCore.Server.Kestrel.Core to 2.3.6, then recompile the application and redeploy it. Those running a stand-alone or single-file application must install the .NET update, rebuild it, and redeploy it.
Microsoft also released security updates for Microsoft Visual Studio 2022, ASP.NET Core 2.3, ASP.NET Core 8.0, and ASP.NET Core 9.0, as well as the Microsoft.AspNetCore.Server.Kestrel.Core package for ASP.NET Core 2.x applications.
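To find which projects in a code base still need the package bump described above, the check below scans .csproj contents for the Kestrel package reference and compares its version against the 2.3.6 floor from the advisory. This is an added example, not code from the article or from Microsoft; the project files it scans are constructed samples, and the package name and fixed version are the ones the advisory states.

```python
"""Flag .csproj files that still pin the Kestrel package below the patched version."""
import xml.etree.ElementTree as ET

# Package name and patched version as given in Microsoft's advisory for CVE-2025-55315.
PACKAGE = "Microsoft.AspNetCore.Server.Kestrel.Core"
FIXED_VERSION = (2, 3, 6)


def parse_version(text):
    """'2.2.0' -> (2, 2, 0); a prerelease suffix is ignored; None if not numeric (e.g. '2.*')."""
    try:
        return tuple(int(part) for part in text.split("-")[0].split("."))
    except ValueError:
        return None


def kestrel_reference_status(csproj_xml):
    """Return 'not-referenced', 'needs-update' or 'ok' for one project file's contents.

    No explicit reference means the shared framework is used, which the .NET update covers.
    """
    strip_ns = lambda tag: tag.rsplit("}", 1)[-1]  # '{ns}PackageReference' -> 'PackageReference'
    for el in ET.fromstring(csproj_xml).iter():
        if strip_ns(el.tag) != "PackageReference" or el.get("Include") != PACKAGE:
            continue
        # NuGet accepts the version as an attribute or as a child element.
        version = el.get("Version") or next(
            (c.text for c in el if strip_ns(c.tag) == "Version"), "")
        parsed = parse_version(version or "")
        if parsed is None:
            return "needs-update"  # unpinned or floating: cannot prove it is fixed
        return "ok" if parsed >= FIXED_VERSION else "needs-update"
    return "not-referenced"


def scan(projects):
    """Map project name -> status for a dict of {name: csproj contents}."""
    return {name: kestrel_reference_status(xml) for name, xml in projects.items()}


# Constructed sample project files, not taken from any real repository.
PROJECTS = {
    "LegacyApi.csproj": '<Project><ItemGroup><PackageReference Include="%s" '
                        'Version="2.2.0" /></ItemGroup></Project>' % PACKAGE,
    "PatchedApi.csproj": '<Project><ItemGroup><PackageReference Include="%s">'
                         "<Version>2.3.6</Version></PackageReference></ItemGroup></Project>" % PACKAGE,
    "ModernApi.csproj": "<Project><PropertyGroup><TargetFramework>net8.0"
                        "</TargetFramework></PropertyGroup></Project>",
}
```

Projects reported as not-referenced still need the runtime update from Microsoft Update; only a version at or above 2.3.6 is reported as ok.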
On GitHub, .NET Security Technical Program Manager Barry Dorrans said the bug’s score “wouldn’t be that high,” but the scores are based on how the bug might affect applications built on top of ASP.NET, so it really comes down to each individual application:
“We don’t know what’s possible because it depends on how you’ve written your application,” he said. “Therefore, we score with the worst-case scenario in mind: a bypass of a security feature that changes its scope.”
Via The Register