TL;DR
Microsoft has released a patch for a critical ASP.NET Core vulnerability in the Kestrel web server (CVE-2025-55315) that enables HTTP request smuggling. Microsoft scored the flaw 9.9 on a worst-case security-feature-bypass basis; it affects all supported ASP.NET Core versions, and developers and server operators must update either the runtime or the package depending on their deployment model.
What happened
Microsoft disclosed and patched a severe vulnerability in the Kestrel component of ASP.NET Core that allows an attacker to smuggle an extra HTTP request inside another. This hidden request can be used to carry out actions that normally require authentication, bypass cross-site request forgery protections, or perform injection attacks, depending on how an application handles incoming requests. Security program manager Barry Dorrans said the issue earned a 9.9 CVSS rating as a worst-case scenario — a scoring choice driven by potential security feature bypass impact rather than the baseline behavior of ASP.NET Core alone. The vulnerability, tracked as CVE-2025-55315, affects all supported ASP.NET Core releases (including versions 8, 9, the 10 pre-release, and even ASP.NET Core 2.3). Microsoft recommends applying updates: either install the latest .NET SDK or upgrade the Kestrel.Core package (to 2.3.6) via NuGet. For framework-dependent deployments the server runtime must be updated; self-contained deployments require each application to be rebuilt and redeployed. Microsoft reports no known exploitation to date.
Why it matters
- A request-smuggling flaw can let an attacker perform actions behind the scenes that would normally require user authentication, increasing risk if app code assumes request integrity.
- Microsoft scored the bug 9.9 to reflect a plausible worst-case security feature bypass, raising the urgency for patching across environments.
- Remediation depends on deployment model: server-side runtime updates are required for framework-dependent apps, while self-contained apps need individual updates.
- Use of reverse proxies or gateways that strip malformed or smuggled requests can mitigate exposure in some deployments.
Key facts
- Vulnerability: CVE-2025-55315 in the Kestrel web server for ASP.NET Core.
- CVSS score: 9.9 — described by Microsoft as its highest ever, rated on a worst-case impact basis.
- Exploit type: HTTP request smuggling allowing an extra request to be hidden inside another.
- Potential impacts: bypassing authentication checks, defeating CSRF protections, and enabling injection attacks, depending on application behavior.
- Affected versions: all supported ASP.NET Core versions including 8, 9, 10 pre-release, and ASP.NET Core 2.3.
- Patching: update the .NET SDK or upgrade the Kestrel.Core NuGet package to 2.3.6; framework-dependent deployments require updating the server runtime.
- Deployment nuance: self-contained deployments include runtime files and therefore each such application must be updated individually.
- Mitigation: hosting behind a gateway or reverse proxy that removes smuggled requests can protect the application.
- Exploitation status: Microsoft states the vulnerability is not known to have been exploited in the wild.
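The reverse-proxy mitigation listed above works by rejecting or normalizing requests whose framing is ambiguous before they reach the application. As an added example (not from the page and not Microsoft's Kestrel code), the Python below applies the framing checks a strict front end can run on a raw HTTP/1.1 request: conflicting Content-Length and Transfer-Encoding headers, a non-canonical encoding value, irregular chunk-size lines, and bytes left over after the declared body, which a more lenient parser could read as the start of a second request. The page does not describe the exact parser difference behind CVE-2025-55315, so these checks are generic, and the sample request is constructed.

```python
import re

HEX = re.compile(rb"^[0-9A-Fa-f]+$")  # a chunk-size line we accept without comment

def split_request(raw: bytes):
    """Split a raw HTTP/1.1 request into (request line, [(name, value)], body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    headers = [(n.strip().lower(), v.strip()) for n, _, v in
               (line.partition(b":") for line in lines[1:])]
    return lines[0], headers, body

def chunk_findings(body: bytes):
    """Walk a chunked body strictly; flag odd chunk-size lines and trailing bytes."""
    findings, pos = [], 0
    while True:
        end = body.find(b"\r\n", pos)
        if end < 0:
            return findings + ["chunked body never terminated"]
        size_line = body[pos:end]
        if not HEX.match(size_line):
            # Chunk extensions and whitespace are legal per RFC 9112, but parsers
            # disagree on them, so a front end should flag or normalize them.
            findings.append("irregular chunk-size line %r" % size_line)
        try:
            size = int(size_line.split(b";")[0].strip(), 16)  # tolerant, to keep walking
        except ValueError:
            return findings + ["unparseable chunk size"]
        pos = end + 2 + size + 2  # size line CRLF, chunk data, trailing CRLF
        if size == 0:
            if pos < len(body):
                findings.append("%d bytes after final chunk" % (len(body) - pos))
            return findings

def framing_findings(raw: bytes):
    """Return reasons a strict front end should reject the request; [] if unambiguous."""
    _, headers, body = split_request(raw)
    cls = [v for n, v in headers if n == b"content-length"]
    tes = [v for n, v in headers if n == b"transfer-encoding"]
    findings = []
    if cls and tes:
        findings.append("both Content-Length and Transfer-Encoding present")
    if any(v.lower() != b"chunked" for v in tes):
        findings.append("non-canonical Transfer-Encoding value")
    if tes:
        findings += chunk_findings(body)
    elif cls and len(body) > int(cls[0]):
        findings.append("%d bytes beyond declared Content-Length" % (len(body) - int(cls[0])))
    return findings

# Constructed sample (not from the page): both framing headers, plus leftover bytes.
SAMPLE = (b"POST /api HTTP/1.1\r\nHost: app.example\r\nContent-Length: 4\r\n"
          b"Transfer-Encoding: chunked\r\n\r\n5\r\nhello\r\n0\r\n\r\nleftover")
```

Running `framing_findings(SAMPLE)` reports both the header conflict and the 8 leftover bytes; a clean request returns an empty list.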
What to watch next
- Whether any in-the-wild exploitation is reported — Microsoft currently says none is known.
- Patch adoption across servers running framework-dependent deployments versus self-contained apps.
- Not confirmed in the source: whether Microsoft will publish additional concrete examples of vulnerable application code patterns beyond the comments already made.
Quick glossary
- Kestrel: The built-in web server used by ASP.NET Core applications to receive and process HTTP requests.
- Request smuggling: An attack technique where an extra HTTP request is hidden inside another request, potentially bypassing server-side checks.
- CVSS: Common Vulnerability Scoring System — a standardized method for rating the severity of security vulnerabilities.
- Framework-dependent deployment: A .NET deployment model where applications rely on a shared runtime installed on the host system rather than bundling it.
- Self-contained deployment: A deployment that packages the application together with the .NET runtime, requiring each app to be updated when fixes are needed.
Reader FAQ
Is this vulnerability actively being exploited?
Microsoft reports the vulnerability is not known to be exploited in the wild.
Which versions of ASP.NET Core are affected?
All supported versions are affected, including ASP.NET Core 8, 9, the 10 pre-release, and ASP.NET Core 2.3.
How do I patch my applications?
Update the .NET SDK or upgrade the Kestrel.Core package to version 2.3.6 via NuGet; framework-dependent hosts need the server runtime updated, while self-contained apps must be rebuilt and redeployed.
Does placing Kestrel behind a proxy protect me?
If a gateway or proxy removes smuggled requests, it can protect the application, per Microsoft comments.
What application code patterns make a site vulnerable?
Not fully specified in the source; Microsoft staff said apps that act on requests and those that perform authentication-based access control may be at risk, but offered no definitive list.
Sources
- Microsoft kills 9.9-rated ASP.NET Core bug – 'our highest ever' score
- Understanding CVE-2025-55315: What CISOs, security …
- Microsoft patches ASP.NET Core bug rated highly critical
- FAQ about CVE-2025-55315, the 9.9-rated CVE in ASP. …