HTTP Request Smuggling Vulnerability in ASP.NET Core Kestrel Web Server
Summary
Microsoft patched a high-severity HTTP request smuggling vulnerability (CVE-2025-55315) in the Kestrel web server for ASP.NET Core. The flaw could allow authenticated attackers to hijack user credentials or bypass security controls. The vulnerability affects multiple versions of ASP.NET Core and has been addressed with security updates. Microsoft advises developers and users to update their applications to mitigate potential attacks.
Timeline
- 17.10.2025 18:35 (1 article)
  High-severity HTTP request smuggling vulnerability in ASP.NET Core Kestrel web server
  A critical HTTP request smuggling vulnerability (CVE-2025-55315) was discovered in the Kestrel web server for ASP.NET Core. The flaw allows authenticated attackers to hijack user credentials or bypass security controls. Microsoft has released security updates and advises developers to update and redeploy their applications to mitigate the risk.
  Source: Microsoft fixes highest-severity ASP.NET Core flaw ever — www.bleepingcomputer.com — 17.10.2025 18:35
Information Snippets
- The vulnerability, CVE-2025-55315, is an HTTP request smuggling bug in the Kestrel web server for ASP.NET Core.
  First reported: 17.10.2025 18:35 (1 source, 1 article)
  Source: Microsoft fixes highest-severity ASP.NET Core flaw ever — www.bleepingcomputer.com — 17.10.2025 18:35
- Successful exploitation could allow attackers to view sensitive information, modify file contents, or crash the server.
  First reported: 17.10.2025 18:35 (1 source, 1 article)
  Source: Microsoft fixes highest-severity ASP.NET Core flaw ever — www.bleepingcomputer.com — 17.10.2025 18:35
- The flaw affects ASP.NET Core versions 2.3, 8.0, and 9.0, as well as the Microsoft.AspNetCore.Server.Kestrel.Core package for ASP.NET Core 2.x apps.
  First reported: 17.10.2025 18:35 (1 source, 1 article)
  Source: Microsoft fixes highest-severity ASP.NET Core flaw ever — www.bleepingcomputer.com — 17.10.2025 18:35
- Developers are advised to update to the latest .NET versions, recompile, and redeploy their applications to mitigate the risk.
  First reported: 17.10.2025 18:35 (1 source, 1 article)
  Source: Microsoft fixes highest-severity ASP.NET Core flaw ever — www.bleepingcomputer.com — 17.10.2025 18:35
- The severity of the vulnerability depends on the specific ASP.NET application and its configuration.
  First reported: 17.10.2025 18:35 (1 source, 1 article)
  Source: Microsoft fixes highest-severity ASP.NET Core flaw ever — www.bleepingcomputer.com — 17.10.2025 18:35
- Potential impacts include privilege escalation, server-side request forgery, CSRF bypass, and injection attacks.
  First reported: 17.10.2025 18:35 (1 source, 1 article)
  Source: Microsoft fixes highest-severity ASP.NET Core flaw ever — www.bleepingcomputer.com — 17.10.2025 18:35