- CVE-2025-55315 allows smuggling of HTTP requests in ASP.NET Core’s Kestrel web server
- Attackers can bypass controls, access credentials, modify files, or crash the server.
- Microsoft has released updates for affected .NET and Visual Studio versions to mitigate the flaw.
Microsoft has confirmed that it recently patched what it calls its “highest ever” severity vulnerability in ASP.NET Core.
Described as an “HTTP request smuggling bug,” the vulnerability is tracked as CVE-2025-55315 and carries a CVSS severity score of 9.9/10 (critical).
It affects the Kestrel web server in ASP.NET Core and lets an authorized (low-privileged) attacker “smuggle” a second HTTP request inside the body of a request the server has already accepted, so that Kestrel and another component on the same connection disagree about where one request ends and the next begins.
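The article does not describe the specific parsing defect in Kestrel, so the following is a generic illustration of what “smuggling a second request into the original request” means. It is an added example, not code from the article, Microsoft or the Kestrel project: two toy HTTP/1.1 parsers that disagree about where a message ends when it carries both Content-Length and Transfer-Encoding: chunked (the classic CL.TE desync). The request bytes, and the names `split_requests`, `Request`, `FramingError`, `demo` and `strict_rejects`, are constructed for this example.

```python
# Added illustration of HTTP request smuggling (generic CL.TE desync), not the Kestrel bug itself.
# All names and the sample request bytes below are constructed for this example.
from dataclasses import dataclass, field


class FramingError(ValueError):
    """Raised when the message framing is malformed or ambiguous."""


@dataclass
class Request:
    request_line: str
    headers: dict = field(default_factory=dict)
    body: bytes = b""


def _parse_head(stream: bytes, pos: int):
    """Parse request line and headers starting at pos; return (line, headers, body_start)."""
    end = stream.find(b"\r\n\r\n", pos)
    if end < 0:
        raise FramingError("incomplete header block")
    lines = stream[pos:end].decode("latin-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, end + 4


def _read_chunked(stream: bytes, pos: int):
    """Decode a chunked body (RFC 9112 section 7.1); return (body, position after last chunk)."""
    body = bytearray()
    while True:
        line_end = stream.find(b"\r\n", pos)
        if line_end < 0:
            raise FramingError("incomplete chunk-size line")
        size_field = stream[pos:line_end].split(b";")[0].strip()  # drop any chunk extension
        size = int(size_field.decode("ascii"), 16)
        pos = line_end + 2
        if size == 0:
            # last-chunk: this toy parser expects no trailers, only the terminating CRLF
            if stream[pos:pos + 2] != b"\r\n":
                raise FramingError("expected CRLF after last-chunk")
            return bytes(body), pos + 2
        body += stream[pos:pos + size]
        pos += size
        if stream[pos:pos + 2] != b"\r\n":
            raise FramingError("chunk data not terminated by CRLF")
        pos += 2


def split_requests(stream: bytes, framing: str, strict: bool = False):
    """Split a byte stream into requests.

    framing="content-length": a lenient component that trusts Content-Length even when
    Transfer-Encoding is present. framing="chunked": a server that honours
    Transfer-Encoding first, as RFC 9112 requires. strict=True rejects messages that
    carry both headers, which removes the ambiguity entirely.
    """
    requests, pos = [], 0
    while pos < len(stream):
        line, headers, pos = _parse_head(stream, pos)
        has_cl = "content-length" in headers
        is_chunked = headers.get("transfer-encoding", "").lower() == "chunked"
        if strict and has_cl and is_chunked:
            raise FramingError("both Content-Length and Transfer-Encoding present")
        if is_chunked and (framing == "chunked" or not has_cl):
            body, pos = _read_chunked(stream, pos)
        elif has_cl:
            n = int(headers["content-length"])
            body, pos = stream[pos:pos + n], pos + n
        else:
            body = b""
        requests.append(Request(line, headers, body))
    return requests


# Constructed attacker request: Content-Length covers the whole payload, so a CL-based
# parser sees one POST; a TE-based parser stops at the "0" chunk and treats the rest of
# the bytes as a second, smuggled GET /admin request.
_SMUGGLED = b"GET /admin HTTP/1.1\r\nHost: example.test\r\n\r\n"
_BODY = b"0\r\n\r\n" + _SMUGGLED
SMUGGLED_STREAM = (
    b"POST / HTTP/1.1\r\n"
    b"Host: example.test\r\n"
    b"Content-Length: " + str(len(_BODY)).encode() + b"\r\n"
    b"Transfer-Encoding: chunked\r\n"
    b"\r\n" + _BODY
)


def demo():
    """Return (requests seen by the CL parser, requests seen by the TE parser)."""
    return split_requests(SMUGGLED_STREAM, "content-length"), split_requests(SMUGGLED_STREAM, "chunked")


def strict_rejects(stream: bytes) -> bool:
    """True if a strict parser refuses the message instead of guessing its framing."""
    try:
        split_requests(stream, "chunked", strict=True)
    except FramingError:
        return True
    return False


if __name__ == "__main__":
    front, back = demo()
    print("CL parser sees", len(front), "request(s); TE parser sees", len(back))
    print("smuggled request line:", back[1].request_line)
    print("strict parser rejects the message:", strict_rejects(SMUGGLED_STREAM))
```

The point a practitioner should take from the strict mode is that the safe response to conflicting framing is to reject the message, not to pick one header; any leniency in how a server delimits bodies (here Content-Length versus chunked, in other cases chunk-size or line-ending parsing) is what an attacker uses to hide the second request.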
Because the smuggled request bypasses whatever checks were applied to the outer one, Microsoft rates the impact across confidentiality, integrity and availability.
“An attacker who successfully exploited this vulnerability could view sensitive information such as other users’ credentials (confidentiality) and make changes to the contents of files on the target server (integrity), and could cause a crash within the server (availability),” Microsoft explained in its security advisory.
How to update
Depending on the versions you use, there are different ways to secure your infrastructure against potential attacks.
Those running .NET 8 or later must install the .NET update from Microsoft Update, while those running ASP.NET Core 2.3 must update the package reference for Microsoft.AspNetCore.Server.Kestrel.Core to 2.3.6, then recompile and redeploy the application. Self-contained or single-file applications bundle their own copy of the runtime, so a machine-wide runtime update does not fix them: install the .NET update, recompile and redeploy.
Microsoft also released security updates for Microsoft Visual Studio 2022, ASP.NET Core 2.3, ASP.NET Core 8.0, and ASP.NET Core 9.0, as well as the Microsoft.AspNetCore.Server.Kestrel.Core package for ASP.NET Core 2.x applications.
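As an added check (not from the article or from Microsoft's tooling), the script below scans project files for an explicit Microsoft.AspNetCore.Server.Kestrel.Core reference below the 2.3.6 fix level named above. It handles both the attribute and child-element forms of Version, strips the XML namespace that old-style project files carry, and flags wildcards, ranges and centrally managed versions for manual review rather than guessing. The sample csproj contents and the function names `check_csproj` and `version_key` are constructed for this example. It only covers the 2.x package path: framework-dependent .NET 8 and 9 applications pick the fix up from the installed shared runtime, so for those compare `dotnet --list-runtimes` on each host against the patched runtime version instead.

```python
# Added check, not part of the article or Microsoft's tooling: flag project files whose
# explicit Microsoft.AspNetCore.Server.Kestrel.Core reference is below the 2.3.6 fix level.
import re
import xml.etree.ElementTree as ET

KESTREL_CORE = "Microsoft.AspNetCore.Server.Kestrel.Core"
FIXED_VERSION = "2.3.6"  # fix level for ASP.NET Core 2.x given in Microsoft's guidance

_VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?(?:\.(\d+))?(-[0-9A-Za-z.-]+)?")


def version_key(version: str):
    """Comparable key for a literal NuGet version, or None for ranges and wildcards.

    A prerelease such as 2.3.6-rc.1 sorts below the 2.3.6 release, as NuGet does.
    """
    m = _VERSION_RE.fullmatch(version.strip())
    if m is None:
        return None
    nums = tuple(int(x) if x else 0 for x in m.groups()[:4])
    return nums + ((-1,) if m.group(5) else (0,))


def _local(tag: str) -> str:
    """Strip an XML namespace prefix (old-style csproj files carry one)."""
    return tag.rsplit("}", 1)[-1]


def check_csproj(text: str):
    """Return [(package, version, status)] for Kestrel.Core references in one project file.

    status is 'vulnerable', 'ok' or 'review' (no literal version to compare against).
    """
    root = ET.fromstring(text)
    fixed = version_key(FIXED_VERSION)
    findings = []
    for el in root.iter():
        if _local(el.tag) not in ("PackageReference", "PackageVersion"):
            continue
        name = el.get("Include") or el.get("Update") or ""
        if name.lower() != KESTREL_CORE.lower():
            continue
        version = el.get("Version")
        if version is None:  # <Version> child element form
            child = next((c for c in el if _local(c.tag) == "Version"), None)
            version = child.text if child is not None else None
        key = version_key(version) if version else None
        if key is None:
            status = "review"  # wildcard, range, or version managed elsewhere
        elif key < fixed:
            status = "vulnerable"
        else:
            status = "ok"
        findings.append((name, version, status))
    return findings


# Constructed sample project files.
OLD_CSPROJ = """<Project Sdk="Microsoft.NET.Sdk.Web">
  <PropertyGroup><TargetFramework>netcoreapp2.1</TargetFramework></PropertyGroup>
  <ItemGroup>
    <PackageReference Include="Microsoft.AspNetCore.Server.Kestrel.Core" Version="2.2.0" />
  </ItemGroup>
</Project>"""

PATCHED_CSPROJ = """<Project Sdk="Microsoft.NET.Sdk.Web">
  <ItemGroup>
    <PackageReference Include="Microsoft.AspNetCore.Server.Kestrel.Core">
      <Version>2.3.6</Version>
    </PackageReference>
  </ItemGroup>
</Project>"""

WILDCARD_CSPROJ = """<Project Sdk="Microsoft.NET.Sdk.Web">
  <ItemGroup>
    <PackageReference Include="Microsoft.AspNetCore.Server.Kestrel.Core" Version="2.3.*" />
  </ItemGroup>
</Project>"""


if __name__ == "__main__":
    for label, text in (("old", OLD_CSPROJ), ("patched", PATCHED_CSPROJ), ("wildcard", WILDCARD_CSPROJ)):
        print(label, check_csproj(text))
```

Run it over every .csproj, .props and Directory.Packages.props in a repository; a "review" result for a wildcard or centrally managed version means the resolved version has to be read from the lock file or the restore output, not the project file.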
On GitHub, .NET Security Technical Program Manager Barry Dorrans said that for most applications the practical impact would be “nowhere near as high” as the score suggests; the score reflects the worst case for an application built on ASP.NET Core, so the real risk depends on each individual application:
“We don’t know what’s possible because it depends on how you wrote your application,” he said. “So, we get our score by keeping in mind the worst possible case, a bypass of a security feature that changes the scope.”
Via The Register