Full Report
Flaw in Kestrel web server allowed request smuggling, impact depends on hosting setup and application code

Microsoft has patched an ASP.NET Core vulnerability with a CVSS score of 9.9, which security program manager Barry Dorrans said was "our highest ever." The flaw is in the Kestrel web server component and enables security bypass.…
Analysis Summary
# Microsoft patches ASP.NET Core bug rated highly critical • The Register
## Key Points
- Microsoft has patched a vulnerability in the Kestrel web server component of ASP.NET Core with a CVSS score of 9.9, which Microsoft says is the highest it has ever assigned.
- The flaw allows HTTP request smuggling: a second request hidden inside the first can bypass security checks, and depending on the application that can mean acting as a different user or injecting attacks into the application.
- Actual impact depends on the application's code and on the hosting configuration in front of Kestrel; not every application is immediately exploitable, but patching is recommended regardless.
## Threat Actors
- None identified. Microsoft is the vendor that disclosed and patched the flaw, not a threat actor.
- Associated groups/campaigns: N/A
## TTPs
- HTTP request smuggling
- MITRE ATT&CK reference: Not specified
- Description: Hiding an extra HTTP request inside another one so that the component performing security checks sees only the outer request while the back end processes both. This includes cases where the outer request needs no authentication but the smuggled one normally would, so the smuggled request reaches a protected endpoint without passing the check.
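The mechanism in the TTP description, as an added example that is not code from the article or from ASP.NET Core/Kestrel: it simulates the classic CL.TE parsing discrepancy behind request smuggling in general, not the specific Kestrel flaw (which the article does not describe). A front end that frames bodies by Content-Length sees one unauthenticated request to /public and lets it through; a back end that honours Transfer-Encoding: chunked sees a second request to /admin hidden in the body. Hostnames, paths and the protected-path list are constructed.

```python
"""Generic CL.TE request smuggling simulation (added example, not the
article's or Kestrel's code). Paths, hostnames and PROTECTED are constructed."""
from dataclasses import dataclass, field


@dataclass
class Request:
    method: str
    path: str
    headers: dict = field(default_factory=dict)
    body: bytes = b""


def _parse_head(blob: bytes):
    """Parse one request head; return (method, path, headers, body offset)."""
    end = blob.find(b"\r\n\r\n")
    if end < 0:
        return None
    lines = blob[:end].split(b"\r\n")
    method, path, _version = lines[0].decode("ascii").split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.decode("ascii").partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers, end + 4


def _read_chunked(blob: bytes, pos: int):
    """Decode a chunked body starting at pos; return (body, position after)."""
    body = b""
    while True:
        eol = blob.index(b"\r\n", pos)
        size = int(blob[pos:eol].split(b";")[0], 16)  # drop chunk extensions
        pos = eol + 2
        if size == 0:
            return body, pos + 2  # skip the empty trailer line
        body += blob[pos:pos + size]
        pos += size + 2  # chunk data plus its trailing CRLF


def split_requests(blob: bytes, honour: str) -> list:
    """Frame a byte stream into requests. When both Content-Length and
    Transfer-Encoding are present, honour="cl" or honour="te" decides."""
    out, pos = [], 0
    while pos < len(blob):
        head = _parse_head(blob[pos:])
        if head is None:
            break
        method, path, headers, body_start = head
        pos += body_start
        chunked = headers.get("transfer-encoding", "").lower() == "chunked"
        if chunked and (honour == "te" or "content-length" not in headers):
            body, pos = _read_chunked(blob, pos)
        else:
            length = int(headers.get("content-length", "0"))
            body, pos = blob[pos:pos + length], pos + length
        out.append(Request(method, path, headers, body))
    return out


def is_ambiguous(headers: dict) -> bool:
    """Both framing headers on one request is the smuggling precondition;
    RFC 9112 allows a server or proxy to reject such a request outright."""
    return "transfer-encoding" in headers and "content-length" in headers


def build_cl_te_payload(smuggled: bytes) -> bytes:
    """Wrap `smuggled` so a CL-honouring parser sees one request and a
    TE-honouring parser sees two (the 0-chunk ends the first body)."""
    body = b"0\r\n\r\n" + smuggled
    return (b"POST /public HTTP/1.1\r\nHost: app.example.test\r\n"
            + b"Content-Length: %d\r\n" % len(body)
            + b"Transfer-Encoding: chunked\r\n\r\n" + body)


PROTECTED = {"/admin"}  # constructed: paths the front end gates with auth


def simulate(raw: bytes, strict_front_end: bool = False) -> dict:
    """Front end frames by Content-Length and enforces auth; back end frames
    by Transfer-Encoding and trusts the front end. Report what each saw."""
    front = split_requests(raw, honour="cl")
    seen = [r.path for r in front]
    if strict_front_end and any(is_ambiguous(r.headers) for r in front):
        return {"front": seen, "back": [], "verdict": "rejected"}
    if any(r.path in PROTECTED for r in front):
        return {"front": seen, "back": [], "verdict": "auth required"}
    back = [r.path for r in split_requests(raw, honour="te")]
    verdict = "smuggled" if any(p in PROTECTED for p in back) else "clean"
    return {"front": seen, "back": back, "verdict": verdict}


if __name__ == "__main__":
    payload = build_cl_te_payload(
        b"GET /admin HTTP/1.1\r\nHost: app.example.test\r\n\r\n")
    print(simulate(payload))                         # lenient front end
    print(simulate(payload, strict_front_end=True))  # rejects the ambiguity
```

The lenient run shows the front end approving a single request to /public while the back end serves /public and then /admin; the strict run shows the cheapest front-end mitigation, refusing any request that carries both framing headers. Real fixes live in the parser (the Kestrel patch), but the ambiguity check is what a reverse proxy or WAF in front of Kestrel can apply today.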
## Affected Systems
- ASP.NET Core on all supported .NET versions: .NET 8, .NET 9, and the .NET 10 pre-release
- ASP.NET Core 2.3 running on the Windows-only .NET Framework (Kestrel shipped as the Microsoft.AspNetCore.Server.Kestrel.Core NuGet package rather than as part of the shared runtime)
## Mitigations
- Install the latest .NET SDK and runtime; framework-dependent deployments pick up the fix once the shared runtime on the host is updated. Applications that reference Kestrel directly (the ASP.NET Core 2.3 on .NET Framework case) must instead update the Microsoft.AspNetCore.Server.Kestrel.Core package via NuGet.
- Self-contained deployments bundle their own copy of the runtime and do not benefit from a runtime update on the server; they must be rebuilt with the patched SDK and redeployed.
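A triage helper for the patch paths above, as an added example that is not code from the article or from Microsoft: it reads an app's `*.runtimeconfig.json` to tell framework-dependent deployments (fixed by updating the shared runtime on the host) from self-contained ones (fixed only by rebuilding with a patched SDK), and scans a project file for a direct Microsoft.AspNetCore.Server.Kestrel.Core package reference (fixed by bumping the NuGet package). It relies on the .NET host convention that self-contained apps list their bundled runtime under `includedFrameworks` while framework-dependent apps use `framework` or `frameworks`; the sample JSON and csproj are constructed, and the version numbers in them are placeholders, not the patched versions.

```python
"""Deployment triage for a Kestrel runtime fix (added example, not Microsoft's
code). Sample inputs are constructed; versions are placeholders."""
import json
import xml.etree.ElementTree as ET

KESTREL_PACKAGE = "Microsoft.AspNetCore.Server.Kestrel.Core"

# Constructed samples. "frameworks" => framework-dependent (shared runtime);
# "includedFrameworks" => self-contained (runtime bundled with the app).
SAMPLE_FDD = json.dumps({"runtimeOptions": {"tfm": "net8.0", "frameworks": [
    {"name": "Microsoft.NETCore.App", "version": "8.0.0"},
    {"name": "Microsoft.AspNetCore.App", "version": "8.0.0"}]}})
SAMPLE_SCD = json.dumps({"runtimeOptions": {"tfm": "net9.0", "includedFrameworks": [
    {"name": "Microsoft.NETCore.App", "version": "9.0.0"},
    {"name": "Microsoft.AspNetCore.App", "version": "9.0.0"}]}})
SAMPLE_CSPROJ = """<Project Sdk="Microsoft.NET.Sdk">
  <PropertyGroup><TargetFramework>net48</TargetFramework></PropertyGroup>
  <ItemGroup>
    <PackageReference Include="Newtonsoft.Json" Version="13.0.3" />
    <PackageReference Include="Microsoft.AspNetCore.Server.Kestrel.Core" Version="2.3.0" />
  </ItemGroup>
</Project>"""


def classify_runtimeconfig(text: str) -> dict:
    """Return the deployment kind, the runtimes it depends on, and which of
    the two patch paths applies to it."""
    opts = json.loads(text).get("runtimeOptions", {})
    if "includedFrameworks" in opts:
        frameworks = opts["includedFrameworks"]
        kind = "self-contained"
        action = "rebuild with patched SDK and redeploy"
    else:
        frameworks = opts.get("frameworks") or (
            [opts["framework"]] if "framework" in opts else [])
        kind = "framework-dependent"
        action = "update shared Microsoft.AspNetCore.App runtime on host"
    return {"kind": kind,
            "frameworks": {f["name"]: f["version"] for f in frameworks},
            "action": action}


def kestrel_package_refs(csproj_text: str) -> list:
    """List versions of direct Kestrel.Core package references in a project
    file; any hit means the NuGet package, not the host runtime, needs the
    update."""
    root = ET.fromstring(csproj_text)
    return [el.get("Version", "") for el in root.iter("PackageReference")
            if el.get("Include") == KESTREL_PACKAGE]


def triage(runtimeconfig_text: str = None, csproj_text: str = None) -> list:
    """Collect every remediation action that applies to one application."""
    actions = []
    if runtimeconfig_text is not None:
        actions.append(classify_runtimeconfig(runtimeconfig_text)["action"])
    if csproj_text is not None and kestrel_package_refs(csproj_text):
        actions.append("update %s via NuGet" % KESTREL_PACKAGE)
    return actions


if __name__ == "__main__":
    print(classify_runtimeconfig(SAMPLE_FDD))
    print(classify_runtimeconfig(SAMPLE_SCD))
    print(triage(csproj_text=SAMPLE_CSPROJ))
```

Run it over each deployed app's `*.runtimeconfig.json` and source project to produce the list of hosts that only need a runtime update versus the apps that must be rebuilt; the script reports which path applies and deliberately does not try to decide whether a given version is already patched, since that depends on the advisory's fixed-version list.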
## Conclusion
How severe the vulnerability is for a given deployment depends on the application's code and on what sits in front of Kestrel; developers should assess their exposure and patch as soon as possible rather than wait for that assessment, since Microsoft recommends patching regardless.