
Microsoft fixes one of its "highest ever" rated security flaws – here's what happened


An “HTTP request smuggling bug” was found in ASP.NET Core
CVE-2025-55315 enables HTTP request smuggling in ASP.NET Core’s Kestrel web server
Attackers can bypass controls, access credentials, alter files, or crash the server
Microsoft released updates for affected .NET and Visual Studio versions to mitigate the flaw
Microsoft has confirmed it recently fixed its “highest ever” vulnerability plaguing its ASP.NET Core product.
Described as an “HTTP request smuggling bug”, the vulnerability is tracked as CVE-2025-55315, and was given a severity score of 9.9/10 (critical).
It affects the Kestrel ASP.NET Core web server and allows unauthenticated attackers to “smuggle” secondary HTTP requests within the original request.
The smuggled request can help attackers bypass various security controls, it was explained.
“An attacker who successfully exploited this vulnerability could view sensitive information such as other user’s credentials (Confidentiality) and make changes to file contents on the target server (Integrity), and they might be able to force a crash within the server (Availability)”, Microsoft explained in its security advisory.
