
HTTP Request Smuggling Vulnerability in ASP.NET Core Kestrel Web Server

1 unique sources, 1 articles

Summary


Microsoft patched a high-severity HTTP request smuggling vulnerability (CVE-2025-55315) in the Kestrel web server for ASP.NET Core. The flaw could allow authenticated attackers to hijack user credentials or bypass security controls. The vulnerability affects multiple versions of ASP.NET Core and has been addressed with security updates. Microsoft advises developers and users to update their applications to mitigate potential attacks.

Timeline

  1. 17.10.2025 18:35 · 1 article

    High-severity HTTP request smuggling vulnerability in ASP.NET Core Kestrel web server

    A critical HTTP request smuggling vulnerability (CVE-2025-55315) was discovered in the Kestrel web server for ASP.NET Core. The flaw allows authenticated attackers to hijack user credentials or bypass security controls. Microsoft has released security updates and advises developers to update and redeploy their applications to mitigate the risk.


Information Snippets

  • The vulnerability, CVE-2025-55315, is an HTTP request smuggling bug in the Kestrel web server for ASP.NET Core.

    First reported: 17.10.2025 18:35
    1 source, 1 article
  • Successful exploitation could allow attackers to view sensitive information, modify file contents, or crash the server.

    First reported: 17.10.2025 18:35
    1 source, 1 article
  • The flaw affects ASP.NET Core versions 2.3, 8.0, and 9.0, as well as the Microsoft.AspNetCore.Server.Kestrel.Core package for ASP.NET Core 2.x apps.

    First reported: 17.10.2025 18:35
    1 source, 1 article
  • Developers are advised to update to the latest .NET versions, recompile, and redeploy their applications to mitigate the risk.

    First reported: 17.10.2025 18:35
    1 source, 1 article
  • The severity of the vulnerability depends on the specific ASP.NET application and its configuration.

    First reported: 17.10.2025 18:35
    1 source, 1 article
  • Potential impacts include privilege escalation, server-side request forgery, CSRF bypass, and injection attacks.

    First reported: 17.10.2025 18:35
    1 source, 1 article