Microsoft released a security update addressing a severe vulnerability, CVE-2025-55315, in ASP.NET Core’s Kestrel web server. The flaw allows an authorized attacker to perform HTTP request smuggling, bypass security controls, and carry out elevated actions such as privilege escalation, SSRF, session hijacking or unauthorized request execution.
CVE: CVE-2025-55315
Severity: Critical (9.9)
Systems Affected: Applications built on ASP.NET Core <= 8.0.20, <= 9.0.9 and <= 10.0.0-rc.1.25451.107 running the Kestrel server, including cloud services and on-prem deployments.
Current Status: Microsoft released updates for all supported platforms; unpatched systems remain at serious risk.
Impact: Security feature bypass, request manipulation, privilege escalation, SSRF, session hijack, potential data access.
ADVISORY OVERVIEW
▪ CVE-2025-55315: Inconsistent interpretation of HTTP requests (‘HTTP Request/Response Smuggling’) in ASP.NET Core allows an authorized attacker to bypass a security feature over a network.
▪ A critical HTTP request-smuggling vulnerability in ASP.NET Core’s Kestrel server allows specially crafted requests, using conflicting Content-Length or Transfer-Encoding headers or malformed chunked data, to be misinterpreted. This flaw enables attackers to smuggle hidden requests, potentially bypassing authentication and authorization, performing SSRF, hijacking sessions, or escalating privileges depending on the application’s logic.
▪ Microsoft has released patches; unpatched apps and poorly normalized proxies remain at high risk.
RECOMMENDATIONS
▪ Update all ASP.NET Core runtimes and hosting bundles to the latest versions as published by Microsoft.
▪ Audit web apps for manual request parsing, raw socket handling, or reliance on Content-Length/Transfer-Encoding semantics for security decisions.
▪ Ensure reverse proxies, load-balancers and web-application firewalls are updated.
▪ Monitor and hunt for anomalous request sequences indicating possible smuggling.
▪ If feasible isolate internal APIs, enforce zero-trust access, and apply least privilege for web-exposed services.
▪ Implement Conditional Access policies that require device compliance and MFA for any OAuth consent step that requests elevated scopes.
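The framing conditions named in the overview (conflicting Content-Length or Transfer-Encoding headers, malformed chunked data) are exactly what a hunting rule or proxy-side check should flag. The following Python is an added example, not code from Microsoft or the ASP.NET Core project: it applies the RFC 9112 body-framing rules to raw request bytes and returns the reasons a request is ambiguous. The sample requests are constructed for illustration and are not captured traffic; the checks describe the generic rules, not Kestrel's actual parser.

```python
import re

# chunk-size = 1*HEXDIG, optionally followed by a ";"-prefixed chunk extension
CHUNK_SIZE_RE = re.compile(r"^[0-9A-Fa-f]+(;[^\r\n]*)?$")

# Constructed sample request heads/bodies (illustrative, not real traffic).
SAMPLES = {
    "normal":    b"POST /api HTTP/1.1\r\nHost: app\r\nContent-Length: 5\r\n\r\nhello",
    "cl_and_te": b"POST /api HTTP/1.1\r\nHost: app\r\nContent-Length: 5\r\n"
                 b"Transfer-Encoding: chunked\r\n\r\n",
    "dup_cl":    b"POST /api HTTP/1.1\r\nHost: app\r\nContent-Length: 5\r\n"
                 b"Content-Length: 7\r\n\r\n",
    "te_order":  b"POST /api HTTP/1.1\r\nHost: app\r\nTransfer-Encoding: chunked, gzip\r\n\r\n",
    "bad_chunk": b"POST /api HTTP/1.1\r\nHost: app\r\nTransfer-Encoding: chunked\r\n\r\n"
                 b"5 \r\nhello\r\n0\r\n\r\n",
    "bare_lf":   b"POST /api HTTP/1.1\r\nHost: app\r\nTransfer-Encoding: chunked\r\n\r\n"
                 b"5\nhello\r\n0\r\n\r\n",
}

def parse_head(raw: bytes):
    """Split a raw request into (request-line, [(name, value)], body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers, body

def chunk_anomalies(body: bytes) -> list:
    """Walk a chunked body and report chunk-size lines that violate RFC 9112 7.1."""
    issues, pos = [], 0
    while pos < len(body):
        end = body.find(b"\n", pos)
        if end == -1:
            issues.append("truncated chunk-size line")
            break
        line = body[pos:end]
        if not line.endswith(b"\r"):
            issues.append("bare LF terminating chunk-size line")
        text = line.rstrip(b"\r").decode("latin-1")
        if not CHUNK_SIZE_RE.match(text):
            issues.append(f"malformed chunk-size line {text!r}")
            break
        size = int(text.split(";")[0], 16)
        if size == 0:
            break                      # last-chunk reached
        pos = end + 1 + size + 2       # skip chunk-data and its trailing CRLF
    return issues

def framing_anomalies(raw: bytes) -> list:
    """Return the reasons a request's body framing is ambiguous or malformed."""
    _, headers, body = parse_head(raw)
    cl = [v for n, v in headers if n == "content-length"]
    te = [v for n, v in headers if n == "transfer-encoding"]
    codings = [c.strip().lower() for v in te for c in v.split(",")]
    issues = []
    if cl and te:
        issues.append("both Content-Length and Transfer-Encoding present")
    if len(set(cl)) > 1:
        issues.append("conflicting Content-Length values")
    if any(not v.isdigit() for v in cl):
        issues.append("non-numeric Content-Length")
    if te and codings[-1] != "chunked":
        issues.append("chunked is not the final transfer-coding")
    if codings and codings[-1] == "chunked":
        issues += chunk_anomalies(body)
    return issues

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, framing_anomalies(raw) or "ok")
```

Any non-empty result is a request that a front-end proxy and a back-end server might frame differently, which is the condition the recommendations above ask you to audit for and hunt on.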

REFERENCES
▪ https://www.microsoft.com/en-us/msrc/blog/2025/10/understanding-cve-2025-55315
▪ https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2025-55315
▪ https://cybersecuritynews.com/microsoft-details-asp-net-vulnerability