Severity
High
Analysis Summary
Microsoft has released a critical security advisory addressing a high-severity vulnerability in ASP.NET Core, identified as CVE-2025-55315 and rated high on the CVSS scale. This vulnerability affects ASP.NET Core versions 10.0, 9.0, 8.0, and the Kestrel package for 2.x. It allows an authorized attacker to bypass security features because of inconsistent parsing of HTTP requests and responses, a class of weakness commonly referred to as HTTP request smuggling. Microsoft has noted there are no mitigating factors for this scenario and strongly urges developers to patch to the fixed versions immediately.
The vulnerability arises from differences in how servers and proxies parse HTTP requests, particularly where they disagree on framing headers such as Content-Length or Transfer-Encoding, which lets an attacker hide one request inside another. Exploiting this flaw could allow attackers to manipulate request processing, potentially leading to privilege escalation, request manipulation, server-side request forgery (SSRF), cross-site request forgery (CSRF) bypass, and injection attacks. Microsoft emphasizes that the severity score reflects the potential impact on applications built on ASP.NET, rather than on the framework itself.
Experts explain that even applications not explicitly acting as proxies may be vulnerable if they handle request bodies or perform “proxy-like” processing. Hayden Barnes also released a console application for developers to test HTTP chunked transfer and newline parsing behavior, helping confirm whether specific .NET builds are affected. Misunderstandings initially arose among developers regarding .NET 6 and earlier releases, since Microsoft does not issue CVEs for end-of-life software.
To mitigate the vulnerability, developers must update to the patched ASP.NET Core runtime/SDK versions for 8, 9, or 10, or update the Microsoft.AspNetCore.Server.Kestrel.Core package to version 2.3.6 or later. Third-party vendors have also released fixes for unsupported .NET 6 versions. Microsoft advises reviewing proxy configurations to ensure they normalize requests and detect smuggling attempts, thereby preventing attackers from bypassing critical security mechanisms in web applications.
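A proxy that normalizes requests and detects smuggling attempts, as Microsoft advises above, has to spot exactly the framing disagreements described in this summary: conflicting Content-Length and Transfer-Encoding headers, and chunked bodies whose line endings lenient and strict parsers read differently. The following Python check is an added example written for this bulletin, not code from Microsoft or from Hayden Barnes's console application; the sample requests are constructed and the finding strings are this example's own.

```python
CRLF = b"\r\n"

def check_chunk_framing(body: bytes):
    """Walk a chunked body; report framing that lenient and strict parsers read differently."""
    findings, pos = [], 0
    while pos < len(body):
        end = body.find(b"\n", pos)
        if end == -1:
            return findings + ["chunk-size line has no line ending"]
        if body[end - 1:end] != b"\r":           # strict parsers require CRLF here
            findings.append("bare LF terminates a chunk-size line")
        try:
            size = int(body[pos:end].rstrip(b"\r").split(b";")[0].strip(), 16)
        except ValueError:
            return findings + ["chunk size is not hexadecimal"]
        if size == 0:
            break  # last-chunk reached; trailers are not inspected here
        chunk_end = end + 1 + size
        term = body[chunk_end:chunk_end + 2]
        if term == CRLF:
            pos = chunk_end + 2
        elif term[:1] == b"\n":                   # a lenient parser would accept this
            findings.append("bare LF terminates chunk data"); pos = chunk_end + 1
        else:
            return findings + ["chunk data not followed by a line ending"]
    return findings

def find_framing_ambiguities(raw: bytes):
    """Reasons a proxy should reject or normalise a request before forwarding it:
    each is a point where two HTTP/1.1 parsers can disagree on where the body ends."""
    head, _, body = raw.partition(CRLF + CRLF)
    headers = [(n.strip().lower(), v.strip()) for n, _, v in (l.partition(b":") for l in head.split(CRLF)[1:])]
    cl = [v for n, v in headers if n == b"content-length"]
    te = [v for n, v in headers if n == b"transfer-encoding"]
    findings = ["both Content-Length and Transfer-Encoding present"] if cl and te else []
    if len(cl) > 1 or any(not v.isdigit() for v in cl):
        findings.append("repeated or non-numeric Content-Length")
    if any(v.lower() != b"chunked" for v in te):
        findings.append("Transfer-Encoding value other than plain 'chunked'")
    if te:
        findings.extend(check_chunk_framing(body))
    return findings

# Constructed sample requests (not real traffic): a clean chunked upload, and one that
# carries both framing headers and ends its chunk-size line with a bare LF.
CLEAN = b"POST /upload HTTP/1.1\r\nHost: app.example\r\nTransfer-Encoding: chunked\r\n\r\n5\r\nhello\r\n0\r\n\r\n"
AMBIGUOUS = (b"POST /upload HTTP/1.1\r\nHost: app.example\r\nContent-Length: 4\r\n"
             b"Transfer-Encoding: chunked\r\n\r\n5\nhello\r\n0\r\n\r\n")
```

Calling `find_framing_ambiguities(AMBIGUOUS)` returns two findings while the clean request returns none; a front end should reject, or rewrite to a single unambiguous framing, any request that produces findings rather than forward it as-is.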
Impact
- Security Bypass
- Gain Access
Indicators of Compromise
CVE
- CVE-2025-55315
Affected Vendors
- Microsoft
Affected Products
- Microsoft ASP.NET Core 8.0
- Microsoft Visual Studio 2022 version 17.10
- Microsoft Visual Studio 2022 version 17.12
- Microsoft Visual Studio 2022 version 17.14
- Microsoft ASP.NET Core 2.3
- Microsoft ASP.NET Core 9.0
Remediation
- Use Microsoft Automatic Update to apply the appropriate patch for your system, or the Microsoft Security Update Guide to search for available patches.
- Install the patched ASP.NET Core runtime/SDK versions 8, 9, or 10.
- Upgrade Microsoft.AspNetCore.Server.Kestrel.Core to version 2.3.6 or later.
- Apply third-party patches or upgrade if using .NET 6 or earlier.
- Ensure proxies normalize HTTP requests and detect request smuggling attempts.
- Pay attention to code that reads HttpRequest.Body, HttpRequest.BodyReader, or similar members that handle raw request data.
- Use tools like the ASP.NET Core console application released by Hayden Barnes to test chunked transfer and newline parsing behavior.
- Validate input properly, handle requests consistently, and avoid proxy-like processing that could be exploited.