- CVE-2025-55315 allows HTTP request smuggling in ASP.NET Core’s Kestrel web server
- Attackers can bypass controls, gain access to credentials, modify files, or crash the server
- Microsoft released updates to affected .NET and Visual Studio versions to address the bug
Microsoft has confirmed that it has recently patched its “highest-ever” vulnerability plaguing its ASP.NET Core product.
Described as an “HTTP request smuggling flaw,” the vulnerability is tracked as CVE-2025-55315 and was given a severity score of 9.9/10 (Critical).
It affects the Kestrel ASP.NET Core web server and allows unauthorized attackers to “smuggle” secondary HTTP requests within the original request.
Microsoft explained that the smuggled requests can help attackers bypass various security controls.
“An attacker who successfully exploited this vulnerability could view sensitive information such as other users’ credentials (Privacy) and make changes to file contents on the target server (Integrity), and could potentially force a server crash (Availability),” Microsoft explained in its security advisory.
How to update
Depending on which versions you are running, there are different ways to secure your infrastructure against potential attacks.
Those running .NET 8 or later should install the .NET update from Microsoft Update, while those running ASP.NET Core 2.3 should update the package reference for Microsoft.AspNetCore.Server.Kestrel.Core to 2.3.6, then recompile the application and redeploy it. Those running a standalone/single-file application should install the .NET update, recompile, and redeploy.
Microsoft has also released security updates for Microsoft Visual Studio 2022, ASP.NET Core 2.3, ASP.NET Core 8.0, and ASP.NET Core 9.0, as well as the Microsoft.AspNetCore.Server.Kestrel.Core package for ASP.NET Core 2.x apps.
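For teams on the ASP.NET Core 2.x path, the fix is a package-version bump, so an audit of project files for Kestrel.Core references older than 2.3.6 is a quick way to find apps that still need recompiling. The following script is an added example, not Microsoft's or TechRadar's code; the two sample .csproj documents are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Package and fixed version named in the update guidance above.
KESTREL_PACKAGE = "Microsoft.AspNetCore.Server.Kestrel.Core"
FIXED_VERSION = "2.3.6"

def parse_version(text):
    """Turn '2.3.6' or '2.3.0-preview1' into a comparable tuple of ints.
    Pre-release/build suffixes are dropped (a simplification: a 2.3.6
    pre-release would count as fixed); short strings are zero-padded."""
    core = text.split("-", 1)[0].split("+", 1)[0]
    parts = [int(p) for p in re.findall(r"\d+", core)]
    return tuple(parts + [0] * (4 - len(parts)))

def _local(tag):
    """Strip an XML namespace, so old-style MSBuild projects are handled too."""
    return tag.rsplit("}", 1)[-1]

def kestrel_references(csproj_xml):
    """Yield the version of every Kestrel.Core PackageReference in a csproj.
    Handles both the Version attribute and the <Version> child element form."""
    root = ET.fromstring(csproj_xml)
    for ref in root.iter():
        if _local(ref.tag) != "PackageReference" or ref.get("Include") != KESTREL_PACKAGE:
            continue
        version = ref.get("Version")
        if version is None:
            for child in ref:
                if _local(child.tag) == "Version" and child.text:
                    version = child.text.strip()
        yield version

def vulnerable_references(csproj_xml):
    """Return Kestrel.Core versions older than 2.3.6; an unpinned reference is
    reported as '<unpinned>' because it cannot be proven safe from the file alone."""
    findings = []
    for version in kestrel_references(csproj_xml):
        if version is None or parse_version(version) < parse_version(FIXED_VERSION):
            findings.append(version or "<unpinned>")
    return findings

# Constructed sample project files (not from the article) for a self-check.
OLD_CSPROJ = """<Project Sdk="Microsoft.NET.Sdk.Web"><ItemGroup>
  <PackageReference Include="Microsoft.AspNetCore.Server.Kestrel.Core" Version="2.3.0" />
</ItemGroup></Project>"""
PATCHED_CSPROJ = """<Project Sdk="Microsoft.NET.Sdk.Web"><ItemGroup>
  <PackageReference Include="Microsoft.AspNetCore.Server.Kestrel.Core"><Version>2.3.6</Version></PackageReference>
</ItemGroup></Project>"""

if __name__ == "__main__":
    for name, xml in (("old", OLD_CSPROJ), ("patched", PATCHED_CSPROJ)):
        print(name, vulnerable_references(xml) or "ok")
```

Run it over every .csproj in a repository and treat any non-empty result as a project that still needs the 2.3.6 reference, a rebuild, and a redeploy.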
On GitHub, Barry Dorrans, security engineering program manager for .NET, said the bug’s score would be “nowhere near that high” in practice, but that the score is based on how the bug might affect applications built on top of ASP.NET, so it really comes down to each app:
“We don’t know what’s possible because it depends on how you’ve written your app,” he said. “Thus, we score with the worst case in mind, a security feature bypass that changes scope.”
Via The Register