Virtual Event Today: Cloud & Data Security Summit - Join Event In-Progress
Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Vulnerabilities

‘Highest Ever’ Severity Score Assigned by Microsoft to ASP.NET Core Vulnerability

CVE-2025-55315 is an HTTP request smuggling bug leading to information leaks, file content tampering, and server crashes.

ASP.NET vulnerability

Microsoft’s October Patch Tuesday updates addressed a critical-severity vulnerability in the ASP.NET Core open source web development framework.

Tracked as CVE-2025-55315, the flaw has a CVSS score of 9.9, which .NET security program manager Barry Dorrans says was the “highest ever” for an ASP.NET Core issue.

The issue is described as an HTTP request smuggling bug that could be used to bypass a security feature over the network. It was discovered in Kestrel, ASP.NET Core’s built-in web server.

Essentially, the security defect allows attackers to trigger various application behaviors by hiding an HTTP request in another request.

“An attacker who successfully exploited this vulnerability could smuggle another HTTP request and bypass front-end security controls or hijack other users’ credentials,” Microsoft explains.

The tech giant says the vulnerability can be exploited to leak sensitive information such as user credentials, tamper with file contents, or cause a denial-of-service (DoS) condition by forcing a crash within the server.

Advertisement. Scroll to continue reading.

“In this case, the vulnerable component and the impacted component are different and managed by different security authorities,” Microsoft notes.

According to Dorrans, while the issue was identified in ASP.NET Core, its actual impact differs based on how the applications have been built.

Attackers, Dorrans explains, can exploit the flaw to log in as another user, make internal requests, bypass CSRF checks, and perform injection attacks.

Software that performs actions involving requests could prove problematic, applications that only append to logs and do not handle authentication may miss log entries, while those performing authentication based on specific rules may be targeted for elevation of privilege.

“Thus, we score with the worst possible case in mind, a security feature bypass which changes scope. Is that likely? No, probably not unless your application code is doing something odd and skips a bunch of checks that it ought to be making on every request,” Dorrans says.

Microsoft addressed the vulnerability with updates for Microsoft Visual Studio 2022 versions 17.14, 17.12, and 17.10, and for ASP.NET Core versions 2.3, 8.0, 9.0, and 10.0 RC1. It also released Microsoft.AspNetCore.Server.Kestrel.Core version 2.3.6 with fixes for the bug.

Related: Gladinet Patches Exploited CentreStack Vulnerability

Related: Vulnerabilities Allow Disruption of Phoenix Contact UPS Devices

Related: Pixnapping Attack Steals Data From Google, Samsung Android Phones

Related: Malicious Code on Unity Website Skims Information From Hundreds of Customers

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing for the latest cybersecurity threats, trends, and expert insights.

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this live webinar as we break down why email-layer defenses alone can't keep pace with the modern phishing ecosystem, how agentic AI is changing the capacity equation for security teams, and more.

Register

This year's summit will help organizations learn how to utilize tools, controls, and design models needed to properly secure cloud environments. Interact with leading solution providers and other end users facing similar challenges in securing a variety of cloud deployments.

Register

People on the Move

Jazz has named Sean Robinson, Rickie Goyal, Danielle Guetta, Shani Nago, and Lior Magram as VPs and Michael Calev as COO.

AJ Shipley has been appointed Chief Product Officer at CrowdStrike.

Brinqa has named Ron Dovich as Chief AI and Automation Officer, David Allen as CTO, Steve Biagioni as CFO, and James Walta as VP of Product.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.