Kestrel ASP.NET Core web server HTTP request smuggling information disclosure flaw (CVE-2025-55315)
Vulnerability
Summary
Microsoft patched CVE-2025-55315, an HTTP request smuggling flaw in the Kestrel ASP.NET Core web server that could let authenticated attackers hijack other users' credentials or bypass front-end security controls. Exploitation could also lead to sensitive-information disclosure, integrity changes, and service crashes in affected ASP.NET Core deployments. Microsoft released fixes for ASP.NET Core 2.3, 8.0, and 9.0 and for the related Microsoft.AspNetCore.Server.Kestrel.Core package.
Related Happenings
ASP.NET Core Data Protection privilege escalation (CVE-2026-40372)
Vulnerability
First: 22.04.2026 11:08
Last: 22.04.2026 11:08
Sources 1
About this happening:
**CVE-2026-40372** in **ASP.NET Core Data Protection** can let **unauthenticated attackers** forge authentication cookies and gain **SYSTEM privileges** on affected devices. Micro...
ViewState deserialization attack wave (2025)
Exploitation Wave
First: 05.09.2025 01:05
Last: 05.09.2025 01:05
Sources 1
About this happening:
A **2025 ViewState deserialization attack wave** is continuing to expose **ASP.NET** deployments to **remote code execution** when machine keys are leaked or improperly protected....
ASP.NET Core appsettings.json leak exposing Azure AD credentials
Data Leak
First: 02.09.2025 14:52
Last: 02.09.2025 14:52
Sources 1
About this happening:
A publicly accessible **appsettings.json** file exposed **Azure AD ClientId and ClientSecret** secrets, creating a direct path to **OAuth 2.0** authentication abuse and **cloud ac...
Timeline
- 17.10.2025 18:35 · 2 articles
Microsoft discloses and patches CVE-2025-55315 in Kestrel ASP.NET Core
Initial Disclosure
Microsoft patched CVE-2025-55315, an HTTP request smuggling flaw in the Kestrel ASP.NET Core web server that could let authenticated attackers smuggle another HTTP request to hijack other users' credentials or bypass front-end security controls. Microsoft said exploitation could also expose sensitive information, change file contents on the target server, or force a crash, and it released security updates for Microsoft Visual Studio 2022, ASP.NET Core 2.3, ASP.NET Core 8.0, ASP.NET Core 9.0, and the Microsoft.AspNetCore.Server.Kestrel.Core package for ASP.NET Core 2.x apps.
- Microsoft fixes highest-severity ASP.NET Core flaw ever — www.bleepingcomputer.com — 17.10.2025 18:35