
Microsoft has fixed the most serious ASP.NET vulnerability ever

Last week, Microsoft fixed an ASP.NET Core vulnerability that scored 9.9 out of 10 on the CVSS scale — the highest severity rating ever for this type of vulnerability.

The issue, tracked as CVE-2025-55315, was an HTTP request smuggling bug in Kestrel, the ASP.NET Core web server. It allowed authenticated attackers to smuggle an additional HTTP request in order to intercept other users’ credentials or bypass security controls.

“An attacker who successfully exploited this vulnerability could view sensitive information (for example, other users’ credentials), modify the contents of files on the target server, and potentially cause the server to crash,” explained Microsoft.

To protect ASP.NET Core applications from potential attacks, Microsoft recommends that developers and users take the following actions.

  • If you’re using .NET 8 or newer, install the .NET update via Microsoft Update, then restart the application or reboot the machine.
  • If you’re using ASP.NET Core 2.3, update the Microsoft.AspNetCore.Server.Kestrel.Core package reference to version 2.3.6, then rebuild the application and redeploy.
  • If you’re using a self-contained/single-file application, install the .NET update, rebuild, and redeploy.
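The ASP.NET Core 2.3 step above depends on finding every project that still pins Microsoft.AspNetCore.Server.Kestrel.Core below 2.3.6. The following audit script is an added example, not Microsoft's tooling and not code from the advisory: it walks a source tree, reads each .csproj (SDK-style or the older namespaced format, with the version as an attribute or a child element), and classifies each Kestrel.Core reference as vulnerable, fixed, or unresolved (floating or range versions it cannot compare). The sample project files are constructed for illustration.

```python
"""Audit .csproj files for Microsoft.AspNetCore.Server.Kestrel.Core references
below the 2.3.6 release that carries the CVE-2025-55315 fix for ASP.NET Core 2.3.

Added illustration, not Microsoft's tooling. Sample csproj text is constructed.
"""
import re
import xml.etree.ElementTree as ET
from pathlib import Path

PACKAGE = "Microsoft.AspNetCore.Server.Kestrel.Core"
# (major, minor, patch, release_flag): the flag orders prereleases below the final build.
FIXED = (2, 3, 6, 1)

_VERSION_RE = re.compile(
    r"\s*(\d+)\.(\d+)\.(\d+)(?:\.(\d+))?(-[0-9A-Za-z.-]+)?\s*"
)


def parse_version(text):
    """Return a comparable tuple for a plain NuGet version such as '2.3.5' or
    '2.3.6-preview.1'. Ranges ('[2.3.0,)') and floating versions ('2.3.*')
    return None: this checker does not resolve them and reports them as unresolved."""
    m = _VERSION_RE.fullmatch(text or "")
    if not m:
        return None
    major, minor, patch = (int(p) for p in m.groups()[:3])
    is_prerelease = m.group(5) is not None
    return (major, minor, patch, 0 if is_prerelease else 1)


def _local(tag):
    # Old-style projects carry the MSBuild namespace; compare on the local name.
    return tag.rsplit("}", 1)[-1]


def kestrel_findings(csproj_text, source="<csproj>"):
    """Return [(source, version_text, status), ...] for each Kestrel.Core
    PackageReference in one project file. status is 'vulnerable', 'fixed'
    or 'unresolved'. A project with no such reference yields an empty list."""
    root = ET.fromstring(csproj_text)
    findings = []
    for ref in root.iter():
        if _local(ref.tag) != "PackageReference":
            continue
        if (ref.get("Include") or "").lower() != PACKAGE.lower():
            continue
        # MSBuild accepts the version either as an attribute or as a child element.
        version = ref.get("Version")
        if version is None:
            for child in ref:
                if _local(child.tag) == "Version":
                    version = (child.text or "").strip()
                    break
        parsed = parse_version(version)
        if parsed is None:
            status = "unresolved"
        elif parsed < FIXED:
            status = "vulnerable"
        else:
            status = "fixed"
        findings.append((source, version, status))
    return findings


def scan_tree(root_dir):
    """Audit every .csproj under root_dir; returns the combined findings list."""
    results = []
    for path in sorted(Path(root_dir).rglob("*.csproj")):
        results.extend(kestrel_findings(path.read_text(encoding="utf-8"), str(path)))
    return results


# Constructed sample projects (not real files from any repository).
SAMPLE_OLD_STYLE = """<Project xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <ItemGroup>
    <PackageReference Include="Microsoft.AspNetCore.Server.Kestrel.Core">
      <Version>2.3.5</Version>
    </PackageReference>
  </ItemGroup>
</Project>"""

SAMPLE_FIXED = """<Project Sdk="Microsoft.NET.Sdk.Web">
  <ItemGroup>
    <PackageReference Include="Microsoft.AspNetCore.Server.Kestrel.Core" Version="2.3.6" />
  </ItemGroup>
</Project>"""

SAMPLE_FLOATING = """<Project Sdk="Microsoft.NET.Sdk.Web">
  <ItemGroup>
    <PackageReference Include="Microsoft.AspNetCore.Server.Kestrel.Core" Version="2.3.*" />
  </ItemGroup>
</Project>"""

SAMPLE_NO_REFERENCE = """<Project Sdk="Microsoft.NET.Sdk.Web">
  <PropertyGroup><TargetFramework>net8.0</TargetFramework></PropertyGroup>
</Project>"""

if __name__ == "__main__":
    for name, text in [("old.csproj", SAMPLE_OLD_STYLE), ("fixed.csproj", SAMPLE_FIXED),
                       ("floating.csproj", SAMPLE_FLOATING), ("net8.csproj", SAMPLE_NO_REFERENCE)]:
        for source, version, status in kestrel_findings(text, name):
            print(f"{source}: {PACKAGE} {version} -> {status}")
```

An empty result for a project is not a clean bill of health: on .NET 8 and newer Kestrel ships in the shared framework, so those applications are covered by the runtime update and a restart (or, for self-contained and single-file builds, by rebuilding and redeploying), not by a package bump. Treat "unresolved" entries as work items, since a floating version only helps once the restore actually picks up 2.3.6.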

To address the vulnerability, Microsoft has released updates for Microsoft Visual Studio 2022, ASP.NET Core 2.3, ASP.NET Core 8.0, and ASP.NET Core 9.0, as well as the Microsoft.AspNetCore.Server.Kestrel.Core package for ASP.NET Core 2.x applications.

As Barry Dorrans, Technical Program Manager for .NET Security, explains, the impact of an attack leveraging CVE-2025-55315 depends on the specific ASP.NET application. Successful exploitation can allow attackers to sign in as another user (privilege escalation), make an internal request (an SSRF-type attack), bypass CSRF protections, and carry out injection attacks.

“We don’t know for sure what exactly could happen — it all depends on how a particular application is written. So we’re assessing the vulnerability by the worst-case scenario: a security bypass with a change of scope,” Dorrans writes. “How likely is that? Unlikely, unless your application code has some oddities and skips checks that should be performed on every request. In any case, please update.”
