CVE-2025-55315

Published Oct 14, 2025

Last updated a month ago

CVSS critical 9.9
ASP.NET Core

Overview

AI description

Automated description summarized from trusted sources.

CVE-2025-55315 is a security vulnerability affecting ASP.NET Core, specifically the Kestrel web server. It stems from an inconsistent interpretation of HTTP requests, leading to HTTP request smuggling. This vulnerability allows an unauthenticated attacker to smuggle HTTP requests. Successful exploitation of CVE-2025-55315 could allow attackers to bypass security controls, potentially exposing sensitive information like user credentials, modifying files on the server, or even causing a server crash. The vulnerability can be exploited to perform actions such as user spoofing, server-side request forgery, bypassing cross-site request forgery (CSRF) protections, and injection attacks. To mitigate this vulnerability, Microsoft has released security updates for various versions of ASP.NET Core.

Description
Inconsistent interpretation of http requests ('http request/response smuggling') in ASP.NET Core allows an authorized attacker to bypass a security feature over a network.
Source
secure@microsoft.com
NVD status
Modified
Products
asp.net_core, visual_studio_2022

Risk scores

CVSS 3.1

Type
Secondary
Base score
9.9
Impact score
6
Exploitability score
3.1
Vector string
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L
Severity
CRITICAL

Weaknesses

secure@microsoft.com
CWE-444

Social media

Hype score
Not currently trending
  1. CVE-2025-55315 scored 9.9 for a reason: remote, low-complexity, and able to bypass standard authorization. RavenDB users, your databases are safe. We tested the exploit—blocked at the connection level with mutual TLS and custom authorization. No certificate, no access. Period

    @RavenDB

    4 Dec 2025

    88 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  2. #VulnerabilityReport #ASPNET Critical .NET Flaw (CVE-2025-55315) in QNAP: NAS Backup Utility Vulnerable to Credential Theft https://t.co/hNj3gXLUQs

    @Komodosec

    3 Dec 2025

    13 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  3. 🚨 New plugin: KestrelPlugin (CVE-2025-55315). Kestrel HTTP request smuggling vulnerability detection. Results: https://t.co/NF6nobBRm1 https://t.co/0lkBSkpIBD

    @leak_ix

    2 Dec 2025

    727 Impressions

    1 Retweet

    7 Likes

    1 Bookmark

    0 Replies

    0 Quotes

  4. Microsoft just patched CVE-2025-55315, a 9.9/10 critical flaw in ASP NET Core / Kestrel that enables HTTP request smuggling & security-feature bypass. This vulnerability lets attackers hide a second HTTP request inside another one — bypassing proxies or headers parsing,

    @ox0ffff

    30 Nov 2025

    54 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  5. Microsoft just patched CVE-2025-55315, a 9.9/10 critical flaw in https://t.co/6Fl0SdL6mX Core / Kestrel that enables HTTP request smuggling & security-feature bypass. This vulnerability lets attackers hide a second HTTP request inside another one — bypassing proxies or hea

    @ox0ffff

    30 Nov 2025

    4 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  6. #VulnerabilityReport CVE-2025-55315: Critical 9.9/10 Flaw in https://t.co/aMlHWIBBDB Core Enables Unauthenticated Attack https://t.co/tCDlEIQ7Iq

    @Komodosec

    27 Nov 2025

    7 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  7. HTTP Request Smuggling in Kestrel via chunk extensions (CVE-2025-55315) https://t.co/rF3ZHa3DB6

    @_r_netsec

    22 Nov 2025

    532 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  8. How I Found the Worst https://t.co/8oXALmcQjW Vulnerability — A $10K Bug (CVE-2025-55315) - Siddhant Kalgutkar https://t.co/8fYP9IJvqD

    @pentest_swissky

    20 Nov 2025

    7435 Impressions

    19 Retweets

    120 Likes

    96 Bookmarks

    2 Replies

    0 Quotes

  9. Snyk is referencing CVE-2025-55315-repro (and @andrewlocknet's blog) in their vulnerability database entry for CVE-2025-55315 https://t.co/eS54fojluv

    @unixterminal

    20 Nov 2025

    947 Impressions

    1 Retweet

    2 Likes

    1 Bookmark

    1 Reply

    0 Quotes

  10. HTTP Request Smuggling in Kestrel via chunk extensions (CVE-2025-55315) https://t.co/rF3ZHa3DB6

    @_r_netsec

    16 Nov 2025

    758 Impressions

    0 Retweets

    5 Likes

    3 Bookmarks

    0 Replies

    0 Quotes

  11. For everyone who likes to skip .NET updates, now it is high time: critical security vulnerability discovered in https://t.co/VZaj4c2H1D Core (CVE-2025-55315). HTTP request smuggling can be used to bypass security mechanisms.

    @tkansy

    16 Nov 2025

    4 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  12. HTTP Request Smuggling in Kestrel via chunk extensions (CVE-2025-55315) https://t.co/rF3ZHa3DB6

    @_r_netsec

    15 Nov 2025

    618 Impressions

    0 Retweets

    0 Likes

    2 Bookmarks

    0 Replies

    0 Quotes

  13. GitHub - ZemarKhos/CVE-2025-55315-PoC-Exploit: CVE-2025-55315 PoC Exploit https://t.co/7xowWtZCgW

    @akaclandestine

    11 Nov 2025

    2024 Impressions

    7 Retweets

    22 Likes

    16 Bookmarks

    0 Replies

    0 Quotes

  14. HTTP Request Smuggling in Kestrel via chunk extensions (CVE-2025-55315) https://t.co/6l8axqztxi https://t.co/gsmsYXmiJU

    @secharvesterx

    10 Nov 2025

    42 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  15. 🚨 Unmasking Kestrel's CVSS 99 Request Smuggling Flaw: A Deep Dive into #CVE-2025-55315 https://t.co/qF09zGpNqY Educational Purposes!

    @UndercodeUpdate

    10 Nov 2025

    7 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  16. #exploit #AppSec 1⃣ CVE-2025-55315: ASP NET Core vulnerability https://t.co/L0EuqEIyCw // A critical HTTP request smuggling vulnerability in ASP NET Core’s Kestrel server 2⃣ Chromium Browser DoS Attack via document.title Exploitation https://t.co/VXX6KNvgtM // This is not

    @ksg93rd

    10 Nov 2025

    181 Impressions

    0 Retweets

    2 Likes

    1 Bookmark

    0 Replies

    0 Quotes

  17. 🔴 CVE-2025-55315 https://t.co/CuYHimdXa2 Vulnerability - 9.9 CVSS Smuggling Risk Praetorian discovered a critical HTTP request smuggling vulnerability in https://t.co/CuYHimdXa2 Core's Kestrel server that earned a rare 9.9 CVSS score and $10K bounty from Microsoft. What's

    @the_c_protocol

    8 Nov 2025

    0 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  18. Praetorian engineer Siddhant Kalgutkar uncovered CVE-2025-55315, a critical https://t.co/DGfhbQWmBu vulnerability that earned a $10K bounty and prompted a major security fix from Microsoft. A powerful example of the skill, curiosity, and depth that define offensive engineering at

    @praetorianlabs

    7 Nov 2025

    427 Impressions

    3 Retweets

    6 Likes

    4 Bookmarks

    0 Replies

    0 Quotes

  19. 🟢 CVE-2025-55315 (CVSS 9.9) :Critical Flaw in https://t.co/PhwG3VQlS1 Core Enables Unauthenticated Attack 👉PoC:https://t.co/Ftfp5b6gOu 🥳Dork: HUNTER : https://t.co/CWslYmAyts="https://t.co/PhwG3VQlS1 Core" ➡️Refer:https://t.co/mjWTPFLD2w ➡️https://t.co/qnpnte4

    @Anastasis_King

    6 Nov 2025

    86 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  20. Do you know about the CVE-2025-55315 vulnerability? Do you know how to use channels and background services to build a job manager? And that you can save tokens using TOON? And how to work with strings efficiently? This and more in the weekly roundup from @jmaguilar ➡️ https://t.co/OrER

    @variablnotfound

    3 Nov 2025

    48 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  21. Understanding the worst .NET vulnerability ever: request smuggling and CVE-2025-55315 https://t.co/XNv1gpdVt4

    @Minimal_Mirai

    2 Nov 2025

    200 Impressions

    0 Retweets

    3 Likes

    1 Bookmark

    0 Replies

    0 Quotes

  22. Understanding the worst .NET vulnerability ever: request smuggling and CVE-2025-55315 by @andrewlocknet https://t.co/BWyB1VTuYB #aspnetcore https://t.co/bZWDXNCsQq

    @aspnetcore_news

    1 Nov 2025

    2431 Impressions

    7 Retweets

    24 Likes

    14 Bookmarks

    0 Replies

    0 Quotes

  23. 🚨❗ The worst .NET vulnerability ever: request smuggling CVE-2025-55315 with a CVSS score of 9.9 The smuggled request could cause your application code to 👉 Login as a different user (EOP) 👉 Make an internal request (SSRF) 👉 Bypass CSRF checks 👉 Perform an inj

    @IntCyberDigest

    29 Oct 2025

    14739 Impressions

    33 Retweets

    180 Likes

    109 Bookmarks

    1 Reply

    3 Quotes

  24. Microsoft Warns of Critical https://t.co/zNmNRGHb3d Request Smuggling Flaw Microsoft released a critical security update fixing CVE-2025-55315, a high-severity flaw in https://t.co/zNmNRGHb3d Core's Kestrel server enabling HTTP request smuggling attacks. With a CVSS score of htt

    @Secwiserapp

    29 Oct 2025

    50 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  25. URGENT ALERT: Critical vulnerability CVE-2025-55315 (CVSS 9.9) discovered in https://t.co/oVczww8QcE Core Kestrel. This security bypass enables HTTP request smuggling, risking privilege escalation and SSRF. Patch immediately to secure your servers! #CyberSecurity #infosec https:/

    @RoelofMol

    29 Oct 2025

    3 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

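  26. Regarding CVE-2025-55315, when I send the request to kestrel, two requests are indeed processed. However, when I send it to nginx, it seems only one request is processed. If nginx (*) is used as the front end, the problem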

    @sonnakotonaiaru

    29 Oct 2025

    59 Impressions

    0 Retweets

    2 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  27. 📰 Criminal IP Cyber News! October 28 edition. Check a roundup of recent cyber incidents from around the world ✅ ⚠️ Critical https://t.co/dDXiVXYvJi vulnerability (CVE-2025-55315) in QNAP's #Windows backup software https://t.co/CJaRXVPw2V

    @CriminalIP_JP

    29 Oct 2025

    136 Impressions

    0 Retweets

    1 Like

    0 Bookmarks

    0 Replies

    0 Quotes

  28. Understanding CVE-2025-55315: What CISOs, security engineers, and sysadmins should know: https://t.co/R7g878kUJ0 #microsoft #aspnet #vulnerability #cve #informationsecurity #infosec #cybersecurity #exploitation https://t.co/jh6sLhidl5

    @blackstormsecbr

    28 Oct 2025

    163 Impressions

    0 Retweets

    1 Like

    0 Bookmarks

    0 Replies

    0 Quotes

  29. Microsoft has addressed CVE-2025-55315, a vulnerability related to HTTP request handling. This update strengthens security and helps reduce risks such as privilege escalation or SSRF. To stay protected, apply the latest patch, review your request handling logic, and confirm proxy

    @msftsecresponse

    28 Oct 2025

    20353 Impressions

    38 Retweets

    120 Likes

    62 Bookmarks

    0 Replies

    2 Quotes

  30. QNAP NetBak PC Agent is impacted by a critical https://t.co/PGRGNLeuSX Core flaw CVE-2025-55315 (CVSS 9.9) allowing HTTP request smuggling to hijack credentials and expose backup data. Microsoft patched in Oct 2025. #NetBakAgent #WindowsPatch #Taiwan https://t.co/Ans6th9Qg4

    @TweetThreatNews

    28 Oct 2025

    5 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  31. Blogged: Understanding the worst .NET vulnerability ever: request smuggling and CVE-2025-55315 https://t.co/89TCJvjnNF In this post I discuss request smuggling, the recent vulnerability in #AspNetCore with a severity score of 9.9, and how attackers could exploit it #dotnet

    @andrewlocknet

    28 Oct 2025

    12708 Impressions

    29 Retweets

    148 Likes

    110 Bookmarks

    0 Replies

    4 Quotes

  32. WARNING: QNAP NAS Backup Flaw (CVE-2025-55315) Can Steal Your Credentials - Patch NOW! Read the full report on - https://t.co/thW8SgSzKg https://t.co/BoEDSDVWnU

    @Iambivash007

    28 Oct 2025

    2 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  33. Security Bulletin: https://t.co/ilh2NitSie Core HTTP Request Smuggling (CVE-2025-55315, CVSS 9.9) enables injected requests that bypass security features and compromise backend apps. Exploit confirmed. Patch immediately. #ThreatIntel #RedLeggCTI https://t.co/y0wsn3on4R

    @RedLegg

    28 Oct 2025

    13 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  34. Understanding the worst .NET vulnerability ever: request smuggling and CVE-2025-55315 https://t.co/EHIErzKDvG

    @jedisct1

    28 Oct 2025

    700 Impressions

    2 Retweets

    5 Likes

    3 Bookmarks

    0 Replies

    0 Quotes

  35. CVE-2025-55315 “If you are running ASP .NET Core using <=.NET Core 3.0, .NET Core 3.1, .NET 5, .NET 6 (unless supported by HeroDevs), or .NET 7, then you are vulnerable, and there are no patches.” https://t.co/kmBbVppiZy

    @_mattata

    28 Oct 2025

    7425 Impressions

    23 Retweets

    78 Likes

    47 Bookmarks

    0 Replies

    1 Quote

  36. > Understanding the worst .NET vulnerability ever: request smuggling and CVE-2025-55315 https://t.co/AVSjpBC1HE https://t.co/6xzB3kRexs

    @PaulomorgadoN

    28 Oct 2025

    98 Impressions

    1 Retweet

    2 Likes

    2 Bookmarks

    0 Replies

    0 Quotes

  37. Critical QNAP .NET Flaw Allows Security Bypass A critical vulnerability (CVE-2025-55315) affects QNAP's NetBak PC Agent via https://t.co/zNmNRGHb3d Core, enabling HTTP Request Smuggling attacks. This flaw bypasses security controls, risking unauthorized access and data https://t

    @Secwiserapp

    28 Oct 2025

    26 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  38. 🚨 QNAP warns of a critical https://t.co/ANjMDSakg8 vulnerability in its Windows backup software ⚠️ CVE-2025-55315 https://t.co/14tfN9A4X7 https://t.co/Bnl7bnz9Bi

    @elhackernet

    27 Oct 2025

    2865 Impressions

    0 Retweets

    9 Likes

    4 Bookmarks

    0 Replies

    0 Quotes

  39. How to fix CVE-2025-55315 https://t.co/G6vW1bZBnJ https://t.co/ADipyXFqhB

    @markpahulje

    27 Oct 2025

    32 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  40. ⚠️Vulnerabilities in Microsoft products ❗CVE-2025-55315 ➡️More info: https://t.co/FSWgi7l7DW https://t.co/CKZfAWuKY0

    @CERTpy

    23 Oct 2025

    141 Impressions

    0 Retweets

    2 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  41. CVE-2025-55315 https://t.co/X2dEV8Gysi Security Feature Bypass Vulnerability https://t.co/Imwy62H4QF #cybersecurity #SecQube

    @SecQube

    23 Oct 2025

    11 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  42. Microsoft discloses critical https://t.co/MFkiJlwQJX Core vulnerability CVE-2025-55315 https://t.co/fjAd2brVJa #セキュリティ対策Lab #セキュリティ #Security

    @securityLab_jp

    22 Oct 2025

    8 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  43. The CVE-2025-55315 vulnerability has been confirmed with a CVSS severity of 9.9; it affects https://t.co/Ez9h48qhXc Core (versions 6.0.0 ≤ v ≤ 6.0.36, 8.0.0 ≤ v ≤ 8.0.20, 9.0.0 ≤ v ≤ 9.0.9) and the Kestrel.Core component ≤ 2.3.6. The flaw allows manipulating headers

    @tpx_Security

    22 Oct 2025

    6 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  44. We have released a hotfix that fixes issues with syslog logging and includes the latest Microsoft ASP NET Core security patches (CVE-2025-55315). Read our latest blog post to learn more

    @3CX_DACH

    22 Oct 2025

    55291 Impressions

    0 Retweets

    10 Likes

    1 Bookmark

    0 Replies

    0 Quotes

  45. Update 7 Hotfix We have released a hotfix that fixes issues with syslog logging and includes the latest Microsoft https://t.co/2prAbvD7ay Core security patches (CVE-2025-55315). More here: https://t.co/m7krcmqway #3CX #Update7 #Sicherheitsupdate

    @3CX_DACH

    22 Oct 2025

    7 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  46. We have released a fix that resolves the syslog logging issues and includes the latest Microsoft https://t.co/ccUmHPmEa1 Core security patches (CVE-2025-55315). Read our latest article to learn more. https://t.co/sg6jS8Iuck https://t.co/UQgm1fQlX7

    @3CX_France

    22 Oct 2025

    85 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  47. Is this real or a joke CVE-2025-55315 ? https://t.co/9fUTjaTjuF Core is vulnerable to http request smuggling !!!! And why is no one talking about it? https://t.co/o7darxqsL5 https://t.co/b9nZASxnHu

    @h4x0r_dz

    21 Oct 2025

    25851 Impressions

    51 Retweets

    375 Likes

    227 Bookmarks

    6 Replies

    0 Quotes

  48. Heads up, devs! CVE-2025-55315 (CVSS 9.9) in https://t.co/k8SOwsic6l Core makes HTTP smuggling really easy. 489K+ services wide open via Hunter! The Python PoC is ready to test. Have you patched yet? Share your experience! #CyberSec #Vuln [Attach image: PoC Code Snippet] Quote

    @BJORKANISM_REAL

    21 Oct 2025

    134 Impressions

    0 Retweets

    2 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  49. 🔥Criminal IP Cyber News – October 21🔥 🔓 #Microsoft patches highest-severity https://t.co/FMzPJeULxP Core vulnerability. HTTP request smuggling bug (CVE-2025-55315) lets an authenticated attacker hijack other users' accounts and modify server files

    @CriminalIP_KR

    21 Oct 2025

    100 Impressions

    0 Retweets

    0 Likes

    1 Bookmark

    0 Replies

    0 Quotes

  50. 🚨🚨CVE-2025-55315 (CVSS: 9.9) : https://t.co/qsOziXctBq Kestrel HTTP Request and Response Smuggling https://t.co/qsOziXctBq Kestrel has inconsistencies in HTTP parsing that allow an authenticated attacker to bypass network defenses via HTTP request/response smuggling. 🔥

    @zoomeye_team

    21 Oct 2025

    8501 Impressions

    38 Retweets

    145 Likes

    72 Bookmarks

    1 Reply

    1 Quote

Configurations