Cyber Web Spider Blog – News
Critical ASP.NET Vulnerability Allows Attacker To Bypass Security Feature Remotely

Posted on October 21, 2025 by CWS

Microsoft has disclosed a severe security flaw in ASP.NET Core that allows authenticated attackers to smuggle HTTP requests and evade important protections.

Tracked as CVE-2025-55315, the vulnerability stems from inconsistent handling of HTTP requests, a classic issue known as HTTP request/response smuggling.

Disclosed on October 14, 2025, this flaw affects developers relying on the popular web framework to build secure applications.

With a CVSS v3.1 base score of 9.9, rated "Critical", the bug poses risks to confidentiality, integrity, and, to a lesser extent, availability of affected systems.

The vulnerability is classified under CWE-444 (Inconsistent Interpretation of HTTP Requests): two components in the request path, typically a front-end proxy or WAF and the ASP.NET Core server behind it, disagree about where one HTTP request ends and the next begins, so an attacker can append a hidden request that the back end processes as if it had arrived on its own.

An authorized user with low privileges can send such a crafted request over the network, bypassing front-end security controls like web application firewalls that only inspect the outer request.

This could enable them to hijack other users' sessions, steal sensitive credentials, or alter server data without detection. Microsoft's assessment rates successful exploitation as causing high confidentiality and integrity loss (C:H, I:H) with low availability impact (A:L), potentially causing server crashes.

The scope change (S:C) means the attack ripples beyond the vulnerable component, affecting resources under a different security authority.
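The disagreement that CWE-444 describes is easiest to see with two parsers side by side. The following is an added example written for this article, not code from ASP.NET Core or from Microsoft's advisory: one function frames a byte stream the way a front end that trusts Content-Length would, the other the way a lenient back end that honours Transfer-Encoding: chunked would, and a constructed CL.TE payload shows them splitting the same bytes into a different number of requests. It does not reproduce the specific Kestrel parsing defect fixed in CVE-2025-55315, which the advisory does not describe; the host name, paths and sample bytes are all made up here.

```python
"""
Added illustration of HTTP request smuggling (CWE-444): two framing
strategies applied to one byte stream. Not ASP.NET Core code and not the
CVE-2025-55315 defect itself; all sample bytes below are constructed.
"""
from dataclasses import dataclass


@dataclass
class Request:
    start_line: str
    headers: dict
    body: bytes = b""


def _parse_head(stream: bytes, pos: int):
    """Return (start_line, lower-cased headers, body_offset) for the request at pos, or None."""
    end = stream.find(b"\r\n\r\n", pos)
    if end == -1:
        return None
    lines = stream[pos:end].decode("latin-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, end + 4


def split_by_content_length(stream: bytes) -> list:
    """Model of a front end that trusts Content-Length and ignores Transfer-Encoding."""
    out, pos = [], 0
    while pos < len(stream):
        parsed = _parse_head(stream, pos)
        if parsed is None:
            break
        start, headers, body_start = parsed
        length = int(headers.get("content-length", "0"))
        out.append(Request(start, headers, stream[body_start:body_start + length]))
        pos = body_start + length
    return out


def _read_chunked(stream: bytes, pos: int):
    """Decode a chunked body at pos; return (body, offset just past the terminating CRLF)."""
    body = b""
    while True:
        line_end = stream.index(b"\r\n", pos)
        size = int(stream[pos:line_end].split(b";")[0], 16)  # chunk extensions ignored
        pos = line_end + 2
        if size == 0:
            return body, pos + 2  # skip the empty line after the zero chunk (no trailers assumed)
        body += stream[pos:pos + size]
        pos += size + 2  # chunk data plus its CRLF


def split_by_transfer_encoding(stream: bytes) -> list:
    """Model of a lenient back end that prefers Transfer-Encoding: chunked over Content-Length.

    A conforming server (RFC 9112) would reject a request carrying both headers;
    this one deliberately does not, which is what makes the smuggle work.
    """
    out, pos = [], 0
    while pos < len(stream):
        parsed = _parse_head(stream, pos)
        if parsed is None:
            break
        start, headers, body_start = parsed
        if headers.get("transfer-encoding", "").lower() == "chunked":
            body, pos = _read_chunked(stream, body_start)
        else:
            length = int(headers.get("content-length", "0"))
            body, pos = stream[body_start:body_start + length], body_start + length
        out.append(Request(start, headers, body))
    return out


def is_ambiguously_framed(stream: bytes) -> bool:
    """The check a strict edge should apply: both framing headers on one request."""
    parsed = _parse_head(stream, 0)
    if parsed is None:
        return False
    _, headers, _ = parsed
    return "content-length" in headers and "transfer-encoding" in headers


def parsers_disagree(stream: bytes) -> bool:
    """True when the two models see a different sequence of requests."""
    front = [r.start_line for r in split_by_content_length(stream)]
    back = [r.start_line for r in split_by_transfer_encoding(stream)]
    return front != back


# Constructed CL.TE payload. The Content-Length covers the whole tail, so the
# front end sees one POST; the back end consumes a zero-length chunked body
# and then parses the leftover bytes as a second request for /admin.
_SMUGGLED_TAIL = b"0\r\n\r\n" + b"GET /admin HTTP/1.1\r\nHost: app.example\r\n\r\n"
SMUGGLED = (
    b"POST / HTTP/1.1\r\n"
    b"Host: app.example\r\n"
    + b"Content-Length: %d\r\n" % len(_SMUGGLED_TAIL)
    + b"Transfer-Encoding: chunked\r\n"
    b"\r\n"
    + _SMUGGLED_TAIL
)

# Constructed unambiguous request for comparison: both models agree on it.
BENIGN = b"POST /login HTTP/1.1\r\nHost: app.example\r\nContent-Length: 10\r\n\r\nuser=alice"

if __name__ == "__main__":
    for name, stream in (("benign", BENIGN), ("smuggled", SMUGGLED)):
        print(name, "front-end sees", len(split_by_content_length(stream)),
              "request(s); back-end sees", len(split_by_transfer_encoding(stream)),
              "; ambiguous:", is_ambiguously_framed(stream))
```

The practical takeaway is the `is_ambiguously_framed` check: whatever component sits in front of Kestrel should reject, not forward, a request that carries both Content-Length and Transfer-Encoding, and should normalise or drop the smuggled tail rather than pass it through. Real-world variants obfuscate the Transfer-Encoding header (odd casing, whitespace, duplicate headers), so the production check must be applied after the front end's own header normalisation, not to the raw bytes alone.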

Exploitation Risks in Real-World Scenarios

Attackers need only low privileges and no user interaction, and the attack is reachable over the network with low complexity (AV:N, AC:L, PR:L, UI:N).

While no public exploits exist yet and Microsoft deems exploitation "less likely", the unproven exploit maturity (E:U) does not diminish the urgency.

Consider a corporate intranet where an insider crafts a smuggling request to impersonate an administrator, accessing payroll data or injecting malware. Or an e-commerce site, where smuggled requests could siphon customer data during peak traffic.

The bug affects ASP.NET Core in .NET 8 and later, as well as older ASP.NET Core 2.3 applications that use the Kestrel server. Microsoft confirms no evidence of active exploitation, but the confirmed report confidence (RC:C) and the availability of an official fix (RL:O) underscore the need for immediate action.

Developers on .NET 8 and later should apply the latest Microsoft update and restart their applications. For ASP.NET Core 2.3, update the Microsoft.AspNetCore.Server.Kestrel.Core package to version 2.3.6, recompile, and redeploy.

Framework-dependent applications pick up the fix from the patched shared runtime on the host, but self-contained applications bundle their own copy of the runtime and must be rebuilt with the updated SDK and redeployed. Broader remediation involves auditing HTTP parsing in custom middleware and enabling strict request validation.
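For the 2.3 line, where Kestrel is pulled in as a NuGet package, the quickest inventory is to scan project files for the package reference. The script below is an added example written for this article, not a Microsoft tool: it parses .csproj files (SDK-style or the older namespaced format), finds every PackageReference to Microsoft.AspNetCore.Server.Kestrel.Core, and compares the version against the 2.3.6 fix named above. The sample csproj embedded in it is constructed, and version ranges or wildcards are reported for manual review rather than guessed at.

```python
"""
Added audit helper (not Microsoft's tooling): flag .csproj files that still
reference Microsoft.AspNetCore.Server.Kestrel.Core below the 2.3.6 fix
version. Relevant to the ASP.NET Core 2.3 line only; .NET 8+ apps get
Kestrel from the shared framework rather than a package reference.
"""
import re
import xml.etree.ElementTree as ET
from pathlib import Path

PACKAGE = "Microsoft.AspNetCore.Server.Kestrel.Core"
FIXED_VERSION = "2.3.6"  # fixed package version per the advisory


def _local(tag: str) -> str:
    """Strip an XML namespace ('{urn:x}Foo' -> 'Foo') so legacy csproj files match too."""
    return tag.rsplit("}", 1)[-1]


def _version_key(version: str) -> tuple:
    """Numeric prefix of a NuGet version ('2.3.5-preview1' -> (2, 3, 5)) for ordering."""
    core = version.split("-", 1)[0]
    return tuple(int(p) for p in re.findall(r"\d+", core))


def audit_csproj_text(xml_text: str, fixed: str = FIXED_VERSION) -> list:
    """Return one {'version', 'status'} finding per Kestrel package reference."""
    findings = []
    root = ET.fromstring(xml_text)
    for ref in root.iter():
        if _local(ref.tag) != "PackageReference" or ref.get("Include") != PACKAGE:
            continue
        version = ref.get("Version")
        if version is None:  # version may be given as a child element instead of an attribute
            for child in ref:
                if _local(child.tag) == "Version":
                    version = (child.text or "").strip()
        if not version or any(c in version for c in "[]()*"):
            # Ranges, wildcards and central package management need a human look.
            findings.append({"version": version or "", "status": "manual-review"})
            continue
        status = "vulnerable" if _version_key(version) < _version_key(fixed) else "patched"
        findings.append({"version": version, "status": status})
    return findings


def audit_tree(root_dir: str, fixed: str = FIXED_VERSION) -> dict:
    """Walk a source checkout and audit every .csproj, keyed by path."""
    results = {}
    for path in Path(root_dir).rglob("*.csproj"):
        try:
            findings = audit_csproj_text(path.read_text(encoding="utf-8-sig"), fixed)
        except ET.ParseError as exc:
            findings = [{"version": "", "status": f"parse-error: {exc}"}]
        if findings:
            results[str(path)] = findings
    return results


# Constructed sample project: one outdated Kestrel reference, one unrelated package.
SAMPLE_CSPROJ = """<Project Sdk="Microsoft.NET.Sdk.Web">
  <PropertyGroup>
    <TargetFramework>net48</TargetFramework>
  </PropertyGroup>
  <ItemGroup>
    <PackageReference Include="Microsoft.AspNetCore.Server.Kestrel.Core" Version="2.3.5" />
    <PackageReference Include="Newtonsoft.Json" Version="13.0.3" />
  </ItemGroup>
</Project>
"""

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        for path, findings in audit_tree(sys.argv[1]).items():
            print(path, findings)
    else:
        print("sample:", audit_csproj_text(SAMPLE_CSPROJ))
```

Run it as `python audit_kestrel.py /path/to/checkout` to list every project that still needs the 2.3.6 bump. It covers only the package-referenced 2.3 path; for .NET 8 and later, Kestrel ships inside the Microsoft.AspNetCore.App shared framework, so the equivalent check is to compare the runtime versions reported by `dotnet --list-runtimes` on each host (and the SDK used to build any self-contained app) against the fixed versions listed in Microsoft's advisory.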

This flaw revives concerns over HTTP smuggling, a technique seen in past attacks on cloud services. As remote work expands attack surfaces, organizations must prioritize patching.

Microsoft urges scanning for vulnerable deployments and monitoring logs for anomalous requests. With the framework powering millions of web apps, unpatched systems risk data breaches or compliance violations.

Security teams should fold this into their vulnerability management workflows, especially given the framework's role in enterprise stacks.
