Microsoft fixes one of its "highest ever" rated security flaws - here's what happened

News
By published

An “HTTP request smuggling bug” was found in ASP.NET Core

Representational image depecting cybersecurity protection
(Image credit: Shutterstock)
  • CVE-2025-55315 enables HTTP request smuggling in ASP.NET Core’s Kestrel web server
  • Attackers can bypass controls, access credentials, alter files, or crash the server
  • Microsoft released updates for affected .NET and Visual Studio versions to mitigate the flaw

Microsoft has confirmed it recently fixed its “highest ever” vulnerability plaguing its ASP.NET Core product.

Described as an “HTTP request smuggling bug”, the vulnerability is tracked as CVE-2025-55315, and was given a severity score of 9.9/10 (critical).

It affects the Kestrel ASP.NET Core web server and allows unauthenticated attackers to “smuggle” secondary HTTP requests within the original request.

How to update

The smuggled one can help the attackers bypass different security controls; it was explained.

"An attacker who successfully exploited this vulnerability could view sensitive information such as other user's credentials (Confidentiality) and make changes to file contents on the target server (Integrity), and they might be able to force a crash within the server (Availability)," Microsoft explained in its security advisory.

Depending on which versions you are running, there are different ways to secure your infrastructure from potential attacks.

Those running .NET 8 or later should install the .NET update from Microsoft Update, while those running .NET 2.3 should update the package reference for Microsoft.AspNet.Server.Kestrel.Core to 2.3.6, then recompile the application, and redeploy. Those running a self-contained/single-file application should install the .NET update, recompile, and redeploy.

Microsoft has also released security updates for Microsoft Visual Studio 2022, ASP.NET Core 2.3, ASP.NET Core 8.0, and ASP.NET Core 9.0, as well as the Microsoft.AspNetCore.Server.Kestrel.Core package for ASP.NET Core 2.x apps.

On GitHub, .NET security technical program manager Barry Dorrans said that the bug’s score would be “nowhere near that high”, but scores are based on how the bug might affect applications built on top of ASP.NET, so it really comes down to each individual app:

“We don't know what's possible because it's dependent on how you've written your app,” he said. “Thus, we score with the worst possible case in mind, a security feature bypass which changes scope.”

Via The Register

Follow TechRadar on Google News and add us as a preferred source to get our expert news, reviews, and opinion in your feeds. Make sure to click the Follow button!

And of course you can also follow TechRadar on TikTok for news, reviews, unboxings in video form, and get regular updates from us on WhatsApp too.

You might also like

Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

You must confirm your public display name before commenting

Please logout and then login again, you will then be prompted to enter your display name.