Security Feature Bypass in ASP.NET Core by Microsoft
CVE-2025-55315
Key Information:
- Vendor: Microsoft
- CVE Published: 14 October 2025
What is CVE-2025-55315?
CVE-2025-55315 is a security feature bypass vulnerability found in Microsoft's ASP.NET Core framework, a widely used platform for building web applications and services. This vulnerability arises from an inconsistent interpretation of HTTP requests, commonly referred to as HTTP request/response smuggling. An authorized attacker can exploit this inconsistency to circumvent important security features, potentially leading to unauthorized access or manipulation of application data. This is especially detrimental to organizations relying on ASP.NET Core for their web applications, as it undermines the intended protections and could enable attackers to execute further exploits or disrupt service availability.
Potential impact of CVE-2025-55315
- Unauthorized Access: By bypassing security features, attackers could gain access to sensitive data or functionalities within the application, leading to data breaches that could compromise user confidentiality and integrity.
- Application Compromise: Exploitation of this vulnerability could facilitate further attacks, allowing malicious actors to perform unauthorized operations, which may result in system instability or additional security breaches.
- Reputational Damage: Organizations affected by this vulnerability could suffer significant reputational harm, as customers and stakeholders may lose trust in the security and reliability of their applications, potentially resulting in financial losses and diminished market position.
Affected Version(s)
ASP.NET Core 2.3 Unknown 2.3 < 2.3.6
ASP.NET Core 8.0 Unknown 8.0 < 8.0.21
ASP.NET Core 9.0 Unknown 9.0 < 9.0.10
Exploit Proof of Concept (PoC)
PoC code is written by security researchers to demonstrate that the vulnerability can be exploited. PoC code is also a key component of weaponization, which could lead to ransomware.
News Articles
‘Highest Ever’ Severity Score Assigned by Microsoft to ASP.NET Core Vulnerability
Microsoft has patched CVE-2025-55315, a critical vulnerability in the ASP.NET Core open source web development framework.
4 days ago
Microsoft fixes highest-severity ASP.NET Core flaw ever
Earlier this week, Microsoft patched a vulnerability that was flagged with the
4 days ago
Microsoft patches ASP.NET Core bug rated highly critical
Microsoft has patched an ASP.NET Core vulnerability with a CVSS score of 9.9, which security program manager Barry Dorrans said was "our highest ever." The flaw is in the Kestrel web server component and...
5 days ago
Timeline
- 📈 Vulnerability started trending
- 🟡 Public PoC available
- 👾 Exploit known to exist
- 📰 First article discovered by theregister.com
- Vulnerability published
- Vulnerability Reserved