Critical ASP.NET Vulnerability Allows Attacker To Bypass Security Feature Remotely

Microsoft has disclosed a serious security flaw in ASP.NET Core that enables authenticated attackers to smuggle HTTP requests and evade critical protections.

Tracked as CVE-2025-55315, the vulnerability stems from inconsistent handling of HTTP requests, a classic issue known as HTTP request/response smuggling.

Released on October 14, 2025, this flaw affects developers relying on the popular web framework for building secure applications.

With a CVSS v3.1 base score of 9.9, rated “Critical”, the bug poses risks to the confidentiality, integrity, and, to a limited extent, availability of affected systems.

The vulnerability exploits a weakness classified under CWE-444, where servers misinterpret HTTP requests, allowing attackers to inject malicious payloads.

An authorized user with low privileges can send a crafted request over the network, bypassing front-end security controls like web application firewalls.


This could let them hijack other users’ sessions, steal sensitive credentials, or alter server files without detection. Microsoft’s analysis highlights that successful exploitation leads to high confidentiality and integrity losses (C:H, I:H), with low availability impact (A:L), potentially causing server crashes.

The scope changes (S:C) mean the attack ripples beyond the vulnerable component, affecting unrelated resources under different security authorities.

Exploitation Risks In Real-World Scenarios

Attackers need only low privileges and no user interaction, making this a low-complexity threat accessible via the network (AV:N, AC:L, PR:L, UI:N).

While no public exploits exist yet and Microsoft deems exploitation “less likely”, the unproven exploit maturity (E:U) doesn’t diminish the urgency.

Imagine a corporate intranet where an insider crafts a smuggling request to impersonate an admin, accessing payroll data or injecting malware. Or consider e-commerce sites, where smuggled requests could siphon customer information during peak traffic.

The bug hits ASP.NET Core in .NET 8 and later versions, as well as older .NET 2.3 setups using the Kestrel server. Microsoft confirms no evidence of active exploitation, but the confirmed confidence (RC:C) and official fix (RL:O) underscore immediate action.

Developers on .NET 8+ should apply the latest Microsoft Update and restart applications. For .NET 2.3, update the Microsoft.AspNetCore.Server.Kestrel.Core package to version 2.3.6, recompile, and redeploy.

Self-contained apps require recompilation post-update. Broader remediation involves auditing HTTP parsing in custom middleware and enabling strict request validation.
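One way to inventory projects against the 2.3.6 package fix named above, as an added example that is not from Microsoft or this article: a Python check that reads .csproj files for the Microsoft.AspNetCore.Server.Kestrel.Core reference and flags anything pinned below 2.3.6. It assumes the .csproj is the source of truth (transitive references from lock files or central package management are not covered), and the sample project files are constructed.

```python
import xml.etree.ElementTree as ET
# Package name and fixed version come from the advisory text above.
VULNERABLE_PACKAGE = "Microsoft.AspNetCore.Server.Kestrel.Core"
FIXED_VERSION = ((2, 3, 6), 1)  # (numeric parts, 1 = release build)

# Constructed sample project files; not taken from any real code base.
SAMPLE_CSPROJ_OLD = """<Project Sdk="Microsoft.NET.Sdk.Web">
  <ItemGroup>
    <PackageReference Include="Microsoft.AspNetCore.Server.Kestrel.Core" Version="2.3.5" />
  </ItemGroup>
</Project>"""
SAMPLE_CSPROJ_FIXED = """<Project xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <ItemGroup>
    <PackageReference Include="Microsoft.AspNetCore.Server.Kestrel.Core">
      <Version>2.3.6</Version>
    </PackageReference>
  </ItemGroup>
</Project>"""

def parse_version(text):
    """'2.3.5' -> ((2, 3, 5), 1); '2.3.6-preview1' -> ((2, 3, 6), 0).
    Prereleases sort below the release of the same number, and a floating
    '2.3.*' becomes ((2, 3), 1); both sort below the fix and get flagged."""
    core, _, prerelease = text.partition("-")
    numbers = tuple(int(p) for p in core.split(".") if p.isdigit())
    return (numbers, 0 if prerelease else 1)

def local_name(tag):
    """Strip the MSBuild XML namespace that old-style .csproj files carry."""
    return tag.rsplit("}", 1)[-1]

def kestrel_core_versions(csproj_xml):
    """Every version pinned for Kestrel.Core, via attribute or <Version> child."""
    found = []
    for elem in ET.fromstring(csproj_xml).iter():
        if (local_name(elem.tag) != "PackageReference"
                or elem.get("Include", "").lower() != VULNERABLE_PACKAGE.lower()):
            continue
        version = elem.get("Version")
        if version is None:
            for child in elem:
                if local_name(child.tag) == "Version" and child.text:
                    version = child.text.strip()
        if version:
            found.append(version)
    return found

def is_vulnerable(csproj_xml):
    """True if any pinned Kestrel.Core version is below the 2.3.6 fix release."""
    return any(parse_version(v) < FIXED_VERSION for v in kestrel_core_versions(csproj_xml))
```

For .NET 8+ applications the fix ships with the runtime update rather than a package bump, so this check only covers the package-based remediation path.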

This flaw revives concerns over HTTP smuggling, a tactic seen in past attacks on cloud services. As remote work expands attack surfaces, organizations must prioritize patching.

Microsoft urges scanning for vulnerable deployments and monitoring logs for anomalous requests. With the framework powering millions of web apps, unpatched systems risk data breaches or compliance violations.

Security teams should integrate this into vulnerability management workflows, especially given the framework’s role in enterprise stacks.

Guru Baran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.