Full Report
Earlier this week, Microsoft patched a vulnerability that was flagged with the "highest ever" severity rating received by an ASP.NET Core security flaw. [...]
Analysis Summary
# Vulnerability: HTTP Request Smuggling in ASP.NET Core Kestrel Server
## CVE Details
- CVE ID: CVE-2025-55315
- CVSS Score: Not stated in the source article, which describes the flaw as carrying the "highest ever" severity rating for an ASP.NET Core vulnerability.
- CWE: Not stated in the source article; the weakness is in HTTP request handling (request smuggling).
## Affected Systems
- Products: Kestrel ASP.NET Core web server, Microsoft Visual Studio 2022, ASP.NET Core.
- Versions: ASP.NET Core 2.3, ASP.NET Core 8.0, ASP.NET Core 9.0 (Specific underlying packages need updating for 2.x).
- Configurations: Applies to ASP.NET Core applications utilizing the Kestrel web server.
## Vulnerability Description
This is an HTTP Request Smuggling vulnerability found in the Kestrel ASP.NET Core web server. Successful exploitation allows an authenticated attacker to smuggle an additional HTTP request past front-end security controls. Depending on the application's structure, this can lead to credential theft (hijacking other users' requests), bypassing CSRF checks, forcing Server-Side Request Forgery (SSRF) attacks, or performing injection attacks.
## Exploitation
- Status: Exploitation in the wild is not stated in the source; the level of detail and the severity rating suggest a proof of concept exists.
- Complexity: Likely medium to high. The impact depends heavily on how the targeted application is written ("how you've written your app"), and the attacker must be authenticated.
- Attack Vector: Network
## Impact
- Confidentiality: Sensitive information, such as other users' credentials, could be viewed.
- Integrity: Files on the target server could potentially be modified.
- Availability: A server crash is possible.
## Remediation
### Patches
Microsoft has released security updates for:
* Microsoft Visual Studio 2022
* ASP.NET Core 2.3, 8.0, and 9.0.
* `Microsoft.AspNetCore.Server.Kestrel.Core` package for ASP.NET Core 2.x apps (Update to version 2.3.6).
### Applying the Updates
* If running .NET 8 or later: Install the security update via Microsoft Update and restart the application or reboot the machine.
* If running ASP.NET Core 2.3: Update the package reference for `Microsoft.AspNetCore.Server.Kestrel.Core` to **2.3.6**, then recompile and redeploy the application.
* If running a self-contained/single-file application: Install the .NET update, recompile, and redeploy.
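For the 2.x case, the fix is a package version bump, so the quickest inventory check is to scan project files for references to `Microsoft.AspNetCore.Server.Kestrel.Core` older than 2.3.6. The script below is an added example, not Microsoft's tooling: it parses `.csproj` content (SDK-style and namespaced MSBuild projects, with `Version` as an attribute or a child element) and returns the versions that are still below the fixed release. The sample project files are constructed, and the pre-release handling in `parse_version` is a simplifying assumption rather than NuGet's exact ordering.

```python
"""Scan .csproj content for Microsoft.AspNetCore.Server.Kestrel.Core references below 2.3.6.

Added example (not from the advisory or from Microsoft). Only explicit
PackageReference entries are inspected; apps on .NET 8/9 get Kestrel from the
shared framework and are covered by the runtime update instead.
"""
import xml.etree.ElementTree as ET

PACKAGE = "Microsoft.AspNetCore.Server.Kestrel.Core"
FIXED_VERSION = (2, 3, 6)  # fixed package version named in the advisory


def _local(tag):
    """Strip an XML namespace ('{ns}PackageReference' -> 'PackageReference')."""
    return tag.rsplit("}", 1)[-1]


def parse_version(text):
    """Turn '2.3.5' or '2.3.6-rc1' into a comparable 3-tuple of ints.
    Assumption: pre-release and build-metadata suffixes are dropped."""
    core = text.strip().split("-", 1)[0].split("+", 1)[0]
    parts = [int(p) for p in core.split(".") if p.isdigit()]
    return tuple(parts + [0] * (3 - len(parts)))[:3]


def kestrel_references(csproj_xml):
    """Yield (version_string, version_tuple) for every reference to PACKAGE.
    NuGet ids are case-insensitive, so the Include attribute is lower-cased."""
    root = ET.fromstring(csproj_xml)
    for el in root.iter():
        if _local(el.tag) != "PackageReference":
            continue
        if (el.get("Include") or "").lower() != PACKAGE.lower():
            continue
        version = el.get("Version")
        if version is None:
            # long form: <PackageReference Include="..."><Version>x</Version></PackageReference>
            for child in el:
                if _local(child.tag) == "Version" and child.text:
                    version = child.text
        if version:
            yield version.strip(), parse_version(version)


def find_vulnerable_references(csproj_xml, fixed=FIXED_VERSION):
    """Return the referenced version strings that are older than the fixed release."""
    return [v for v, t in kestrel_references(csproj_xml) if t < fixed]


# Constructed sample project files (not real projects).
VULNERABLE_CSPROJ = """<Project Sdk="Microsoft.NET.Sdk.Web">
  <ItemGroup>
    <PackageReference Include="Microsoft.AspNetCore.Server.Kestrel.Core" Version="2.3.5" />
  </ItemGroup>
</Project>"""

PATCHED_CSPROJ = """<Project xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <ItemGroup>
    <PackageReference Include="microsoft.aspnetcore.server.kestrel.core">
      <Version>2.3.6</Version>
    </PackageReference>
  </ItemGroup>
</Project>"""

if __name__ == "__main__":
    for label, xml in (("vulnerable", VULNERABLE_CSPROJ), ("patched", PATCHED_CSPROJ)):
        print(label, "->", find_vulnerable_references(xml) or "ok")
```

Run it over a checkout with `find . -name '*.csproj'` and feed each file's text to `find_vulnerable_references`; any non-empty result is a project that still needs the 2.3.6 bump, recompile and redeploy described above.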
## Detection
- Detection would likely rely on monitoring for unusual HTTP request framing, or request sequences that indicate smuggling attempts, especially against authenticated endpoints.
- Indicators of compromise would show up at the application-logic level, for example unexpected user-context switching mid-session or SSRF-style requests originating from the application.
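"Unusual HTTP request framing" in practice means requests whose body length is ambiguous: both `Content-Length` and `Transfer-Encoding` present, duplicate or non-numeric `Content-Length` values, or a `Transfer-Encoding` value that is not a clean `chunked`. The checker below is an added example written for log review or a front-end filter; it implements the generic RFC 9112 framing rules and is not a description of the specific Kestrel parsing defect, which the advisory does not detail. All sample requests are constructed.

```python
"""Flag HTTP/1.1 requests whose body framing is ambiguous (request-smuggling indicators).

Added example, not from the advisory or from Microsoft. Checks are the generic
RFC 9112 section 6 rules; they do not reproduce the CVE-2025-55315 defect itself.
"""
import re

# RFC 9110 token characters; a name with a space before the colon does not match
# and is reported as malformed, which is itself a framing-ambiguity signal.
_HEADER_RE = re.compile(r"^([!#$%&'*+.^_`|~0-9A-Za-z-]+):(.*)$")


def parse_headers(raw):
    """Split a raw request into (request_line, [(lower_name, raw_value), ...]).
    Duplicates are kept so that conflicting headers stay visible."""
    head = re.split(r"\r?\n\r?\n", raw, maxsplit=1)[0]
    lines = re.split(r"\r?\n", head)
    headers = []
    for line in lines[1:]:
        m = _HEADER_RE.match(line)
        if m:
            headers.append((m.group(1).lower(), m.group(2)))
        else:
            headers.append(("<malformed>", line))
    return lines[0], headers


def framing_indicators(raw):
    """Return the reasons this request's framing is ambiguous; [] means clean."""
    _, headers = parse_headers(raw)
    reasons = []
    cl_values = [v.strip() for n, v in headers if n == "content-length"]
    te_values = [v for n, v in headers if n == "transfer-encoding"]
    malformed = [v for n, v in headers if n == "<malformed>"]

    if cl_values and te_values:
        reasons.append("both Content-Length and Transfer-Encoding present")
    if len(set(cl_values)) > 1:
        reasons.append("conflicting Content-Length values: " + ", ".join(cl_values))
    for v in cl_values:
        if not v.isdigit():
            reasons.append("non-numeric Content-Length %r" % v)
    if len(te_values) > 1:
        reasons.append("multiple Transfer-Encoding headers")
    for v in te_values:
        codings = [c.strip() for c in v.split(",")]
        if codings[-1].lower() != "chunked":
            # e.g. 'xchunked' or 'chunked, identity': two parsers may disagree on the body end
            reasons.append("Transfer-Encoding does not end in 'chunked': %r" % v.strip())
        elif codings[-1] != "chunked" or any(ch in v for ch in "\t\x0b\x0c"):
            # legal but unusual spellings/whitespace are a classic desync trick
            reasons.append("obfuscated Transfer-Encoding spelling: %r" % v)
    for line in malformed:
        reasons.append("malformed header line %r" % line)
    return reasons


# Constructed sample requests (not captured traffic).
CLEAN = "POST /api HTTP/1.1\r\nHost: app.example\r\nContent-Length: 5\r\n\r\nhello"
CL_TE = ("POST /api HTTP/1.1\r\nHost: app.example\r\nContent-Length: 5\r\n"
         "Transfer-Encoding: chunked\r\n\r\n0\r\n\r\n")
DUP_CL = "POST /api HTTP/1.1\r\nHost: app.example\r\nContent-Length: 5\r\nContent-Length: 9\r\n\r\nhello"
OBF_TE = "POST /api HTTP/1.1\r\nHost: app.example\r\nTransfer-Encoding: xchunked\r\n\r\n0\r\n\r\n"
BAD_NAME = "POST /api HTTP/1.1\r\nHost: app.example\r\nTransfer-Encoding : chunked\r\n\r\n0\r\n\r\n"

if __name__ == "__main__":
    for label, req in (("clean", CLEAN), ("cl+te", CL_TE), ("dup-cl", DUP_CL),
                       ("obf-te", OBF_TE), ("bad-name", BAD_NAME)):
        print(label, "->", framing_indicators(req) or "ok")
```

A front-end proxy that rejects every request with a non-empty indicator list removes the ambiguity before it reaches Kestrel; in a log pipeline, a spike of such hits against authenticated endpoints is the signal the Detection bullets above describe.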
## References
- Vendor Advisory: hxxps://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-55315#securityUpdates
- Discussion: http://github.com/dotnet/aspnetcore/issues/64033#issuecomment-3403054914