[CIVN-2025-0277] HTTP Request Smuggling Vulnerability in ASP.NET Core

Published On: October 23, 2025

Indian – Computer Emergency Response Team (https://www.cert-in.org.in)
Severity Rating: CRITICAL
Software Affected
ASP.NET Core versions 2.3, 8.0, and 9.0
Microsoft Visual Studio 2022 versions 17.10, 17.12, and 17.14
Overview
A critical vulnerability has been reported in ASP.NET Core that could allow a remote attacker to bypass security controls, access unintended resources, or cause a denial-of-service on the targeted system.
Target Audience:
System administrators, developers, and security teams managing or maintaining ASP.NET Core or Microsoft Visual Studio environments.
Risk Assessment:
High risk of data exposure, request tampering, and service disruption.
Impact Assessment:
Potential for unauthorised access, information disclosure, and service unavailability.
Description
A vulnerability exists in the Kestrel web server component of ASP.NET Core due to inconsistent interpretation of malformed HTTP requests. A remote attacker could exploit this flaw by sending specially crafted HTTP requests that are interpreted differently by intermediate and backend servers, leading to request smuggling.
Successful exploitation could allow an attacker to bypass security controls, access unintended resources, or cause a denial-of-service on the targeted system.
Solution
Apply the security updates released by Microsoft:
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-55315
Vendor Information
Microsoft
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-55315
References
Microsoft
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-55315
CVE Name
CVE-2025-55315
Thanks and Regards,
CERT-In
Incident Response Help Desk
e-mail: incident@cert-in.org.in
Phone: +91-11-22902657
Toll Free Number: 1800-11-4949
Toll Free Fax: 1800-11-6969
Web: http://www.cert-in.org.in
PGP Fingerprint: A768 083E 4475 5725 B81A A379 2156 C0C0 B620 D0B4
PGP Key information:
https://www.cert-in.org.in/s2cMainServlet?pageid=CONTACTUS
Postal address:
Indian Computer Emergency Response Team (CERT-In)
Ministry of Electronics and Information Technology
Government of India
Electronics Niketan
6, C.G.O. Complex
New Delhi-110 003