Microsoft’s October Patch Tuesday updates addressed a critical-severity vulnerability in the ASP.NET Core open source web development framework.
Tracked as CVE-2025-55315, the flaw has a CVSS score of 9.9, which .NET security program manager Barry Dorrans says was the “highest ever”.
The issue is described as an HTTP request smuggling bug that could be used to bypass a security feature over the network. It was found in Kestrel, ASP.NET Core’s built-in web server.
Essentially, the security defect allows attackers to trigger various application behaviors by hiding an HTTP request inside another request.
“An attacker who successfully exploited this vulnerability could smuggle another HTTP request and bypass front-end security controls or hijack other users’ credentials,” Microsoft explains.
The tech giant says the vulnerability could be exploited to leak sensitive information such as user credentials, tamper with file contents, or cause a denial-of-service (DoS) condition by forcing a crash within the server.
“In this case, the vulnerable component and the impacted component are different and managed by different security authorities,” Microsoft notes.
According to Dorrans, while the issue was identified in ASP.NET Core, its actual impact differs based on how applications have been built.
Attackers, Dorrans explains, could exploit the flaw to log in as another user, make internal requests, bypass CSRF checks, and perform injection attacks.
Software that acts on requests could be affected; applications that only append to logs and do not handle authentication may miss log entries, while those performing authentication based on specific rules may be targeted for elevation of privilege.
“Thus, we score with the worst possible case in mind, a security feature bypass which changes scope. Is that likely? No, probably not unless your application code is doing something odd and skips a bunch of checks that it should be making on every request,” Dorrans says.
Microsoft addressed the vulnerability with updates for Microsoft Visual Studio 2022 versions 17.14, 17.12, and 17.10, and for ASP.NET Core versions 2.3, 8.0, 9.0, and 10.0 RC1. It also released Microsoft.AspNetCore.Server.Kestrel.Core version 2.3.6 with fixes for the bug.
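As an added, defender-side illustration of the request smuggling class the article describes (this is not code from Microsoft, the .NET project or the article, and it does not model the specific Kestrel parsing defect behind CVE-2025-55315, whose details the article does not give), the following Python checks the body framing of a raw HTTP/1.1 request the way a strict front-end proxy or gateway should before forwarding it. Smuggling works because two parsers disagree about where one request ends and the next begins; the check flags every framing construct that invites such disagreement (both Content-Length and Transfer-Encoding present, conflicting or malformed Content-Length values, non-plain Transfer-Encoding values, chunk-size lines that parsers treat differently) and any bytes left over after the declared body, which is where a hidden second request would sit. The sample requests, header names and finding labels are constructed for this example.

```python
import re

HEX = re.compile(r"^[0-9A-Fa-f]+$")
DIGITS = re.compile(r"^[0-9]+$")


def parse_request(raw: bytes):
    """Split a raw HTTP/1.1 request into (request_line, [(name, value)], body).

    Header names are lower-cased (they are case-insensitive); values keep every
    byte except surrounding SP/HTAB so that odd whitespace can still be inspected.
    """
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete header block")
    lines = head.split(b"\r\n")
    headers = []
    for line in lines[1:]:
        name, colon, value = line.partition(b":")
        if not colon:
            raise ValueError("malformed header line: %r" % line)
        headers.append((name.decode("latin-1").strip(" \t").lower(),
                        value.decode("latin-1").strip(" \t")))
    return lines[0].decode("latin-1"), headers, body


def decode_chunked(body: bytes):
    """Strict chunked decoder: returns (payload, leftover_bytes).

    Raises ValueError on any construct that different HTTP parsers are known to
    handle differently (chunk extensions, stray whitespace in the size line,
    size/data mismatches, missing terminator) instead of guessing.
    """
    pos, payload = 0, b""
    while True:
        eol = body.find(b"\r\n", pos)
        if eol < 0:
            raise ValueError("truncated chunk-size line")
        size_line = body[pos:eol].decode("latin-1")
        if not HEX.match(size_line):
            raise ValueError("non-plain chunk-size line: %r" % size_line)
        size = int(size_line, 16)
        pos = eol + 2
        if size == 0:
            # last-chunk must be followed by an empty trailer section
            if body[pos:pos + 2] != b"\r\n":
                raise ValueError("missing terminating CRLF after last chunk")
            return payload, body[pos + 2:]
        chunk = body[pos:pos + size]
        if len(chunk) < size or body[pos + size:pos + size + 2] != b"\r\n":
            raise ValueError("chunk data does not match declared size")
        payload += chunk
        pos += size + 2


def framing_findings(raw: bytes):
    """Return a list of framing ambiguities; an empty list means the body length
    is unambiguous and nothing trails the declared body."""
    findings = []
    _, headers, body = parse_request(raw)
    cls = [v for n, v in headers if n == "content-length"]
    tes = [v for n, v in headers if n == "transfer-encoding"]
    if cls and tes:
        findings.append("CL_AND_TE")          # RFC 9112 6.3: treat as a smuggling risk
    if len(set(cls)) > 1:
        findings.append("CONFLICTING_CL")     # two lengths, two possible request ends
    if any(not DIGITS.match(v) for v in cls):
        findings.append("MALFORMED_CL")       # e.g. signs, spaces, non-ASCII digits
    if any(v.lower() != "chunked" for v in tes):
        findings.append("NONSTANDARD_TE")     # obfuscated or layered codings
    if tes:
        # Transfer-Encoding takes precedence over Content-Length when both are present.
        try:
            _, leftover = decode_chunked(body)
        except ValueError:
            findings.append("CHUNK_AMBIGUITY")
        else:
            if leftover:
                findings.append("TRAILING_DATA")  # bytes after the body: a hidden request?
    elif cls and "MALFORMED_CL" not in findings and "CONFLICTING_CL" not in findings:
        if len(body) > int(cls[0]):
            findings.append("TRAILING_DATA")
    return findings


def is_acceptable(raw: bytes) -> bool:
    """Gateway policy: forward only requests with unambiguous framing."""
    return not framing_findings(raw)


# Constructed sample requests (host names and paths are placeholders).
SAMPLES = {
    "clean": (b"POST /login HTTP/1.1\r\nHost: app.example\r\n"
              b"Content-Length: 11\r\n\r\nuser=alice&"),
    "cl_and_te_with_trailing": (b"POST / HTTP/1.1\r\nHost: app.example\r\n"
                                b"Content-Length: 4\r\nTransfer-Encoding: chunked\r\n\r\n"
                                b"0\r\n\r\nGET /second HTTP/1.1\r\nHost: app.example\r\n\r\n"),
    "chunk_extension": (b"POST / HTTP/1.1\r\nHost: app.example\r\n"
                        b"Transfer-Encoding: chunked\r\n\r\n5;ext=1\r\nhello\r\n0\r\n\r\n"),
    "conflicting_cl": (b"POST / HTTP/1.1\r\nHost: app.example\r\n"
                       b"Content-Length: 5\r\nContent-Length: 11\r\n\r\nhello"),
}


def analyze_samples():
    return {name: framing_findings(raw) for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, findings in analyze_samples().items():
        print("%-26s %s" % (name, findings or "OK"))
```

The point for defenders is the policy in `is_acceptable`: a front end that rejects ambiguous framing outright, rather than picking one interpretation, removes the parser disagreement that smuggling depends on, regardless of which back-end server is behind it. Patching the back end (here, Kestrel) is still required, since the front end cannot know every construct the back end parses differently.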