AI description
CVE-2025-55315 is a security vulnerability affecting ASP.NET Core, specifically the Kestrel web server. It stems from an inconsistent interpretation of HTTP requests, leading to HTTP request smuggling. This vulnerability allows an unauthenticated attacker to smuggle HTTP requests. Successful exploitation of CVE-2025-55315 could allow attackers to bypass security controls, potentially exposing sensitive information like user credentials, modifying files on the server, or even causing a server crash. The vulnerability can be exploited to perform actions such as user spoofing, server-side request forgery, bypassing cross-site request forgery (CSRF) protections, and injection attacks. To mitigate this vulnerability, Microsoft has released security updates for various versions of ASP.NET Core.
- Description: Inconsistent interpretation of HTTP requests ('HTTP request/response smuggling') in ASP.NET Core allows an authorized attacker to bypass a security feature over a network.
- Source: secure@microsoft.com
- NVD status: Modified
- Products: asp.net_core, visual_studio_2022
CVSS 3.1
- Type: Secondary
- Base score: 9.9
- Impact score: 6
- Exploitability score: 3.1
- Vector string: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L
- Severity: CRITICAL
- secure@microsoft.com: CWE-444
- Hype score: Not currently trending
HTTP Request Smuggling in Kestrel via chunk extensions (CVE-2025-55315) https://t.co/6l8axqztxi https://t.co/gsmsYXmiJU
@secharvesterx
10 Nov 2025
15 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
🚨 Unmasking Kestrel's CVSS 99 Request Smuggling Flaw: A Deep Dive into #CVE-2025-55315 https://t.co/qF09zGpNqY Educational Purposes!
@UndercodeUpdate
10 Nov 2025
7 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
#exploit #AppSec 1⃣ CVE-2025-55315: ASP NET Core vulnerability https://t.co/L0EuqEIyCw // A critical HTTP request smuggling vulnerability in ASP NET Core’s Kestrel server 2⃣ Chromium Browser DoS Attack via document.title Exploitation https://t.co/VXX6KNvgtM // This is not
@ksg93rd
10 Nov 2025
106 Impressions
0 Retweets
0 Likes
1 Bookmark
0 Replies
0 Quotes
🔴 CVE-2025-55315 https://t.co/CuYHimdXa2 Vulnerability - 9.9 CVSS Smuggling Risk Praetorian discovered a critical HTTP request smuggling vulnerability in https://t.co/CuYHimdXa2 Core's Kestrel server that earned a rare 9.9 CVSS score and $10K bounty from Microsoft. What's
@the_c_protocol
8 Nov 2025
0 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
Praetorian engineer Siddhant Kalgutkar uncovered CVE-2025-55315, a critical https://t.co/DGfhbQWmBu vulnerability that earned a $10K bounty and prompted a major security fix from Microsoft. A powerful example of the skill, curiosity, and depth that define offensive engineering at
@praetorianlabs
7 Nov 2025
427 Impressions
3 Retweets
6 Likes
4 Bookmarks
0 Replies
0 Quotes
🟢 CVE-2025-55315 (CVSS 9.9) :Critical Flaw in https://t.co/PhwG3VQlS1 Core Enables Unauthenticated Attack 👉PoC:https://t.co/Ftfp5b6gOu 🥳Dork: HUNTER : https://t.co/CWslYmAyts="https://t.co/PhwG3VQlS1 Core" ➡️Refer:https://t.co/mjWTPFLD2w ➡️https://t.co/qnpnte4
@Anastasis_King
6 Nov 2025
86 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
Do you know about the CVE-2025-55315 vulnerability? Do you know how to use channels and background services to build a job manager? And that you can save tokens using TOON? And how to work with strings efficiently? This and more in the weekly roundup by @jmaguilar ➡️ https://t.co/OrER
@variablnotfound
3 Nov 2025
48 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
Understanding the worst .NET vulnerability ever: request smuggling and CVE-2025-55315 https://t.co/XNv1gpdVt4
@Minimal_Mirai
2 Nov 2025
200 Impressions
0 Retweets
3 Likes
1 Bookmark
0 Replies
0 Quotes
Understanding the worst .NET vulnerability ever: request smuggling and CVE-2025-55315 by @andrewlocknet https://t.co/BWyB1VTuYB #aspnetcore https://t.co/bZWDXNCsQq
@aspnetcore_news
1 Nov 2025
2431 Impressions
7 Retweets
24 Likes
14 Bookmarks
0 Replies
0 Quotes
🚨❗ The worst .NET vulnerability ever: request smuggling CVE-2025-55315 with a CVSS score of 9.9 The smuggled request could cause your application code to 👉 Login as a different user (EOP) 👉 Make an internal request (SSRF) 👉 Bypass CSRF checks 👉 Perform an inj
@IntCyberDigest
29 Oct 2025
14739 Impressions
33 Retweets
180 Likes
109 Bookmarks
1 Reply
3 Quotes
Microsoft Warns of Critical https://t.co/zNmNRGHb3d Request Smuggling Flaw Microsoft released a critical security update fixing CVE-2025-55315, a high-severity flaw in https://t.co/zNmNRGHb3d Core's Kestrel server enabling HTTP request smuggling attacks. With a CVSS score of htt
@Secwiserapp
29 Oct 2025
50 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
URGENT ALERT: Critical vulnerability CVE-2025-55315 (CVSS 9.9) discovered in https://t.co/oVczww8QcE Core Kestrel. This security bypass enables HTTP request smuggling, risking privilege escalation and SSRF. Patch immediately to secure your servers! #CyberSecurity #infosec https:/
@RoelofMol
29 Oct 2025
3 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
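Regarding CVE-2025-55315, when I send the request to kestrel, two requests do indeed get processed. However, when I send it to nginx, it seems only one request gets processed. If nginx (*) is used as the front end, the issue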
@sonnakotonaiaru
29 Oct 2025
59 Impressions
0 Retweets
2 Likes
0 Bookmarks
0 Replies
0 Quotes
📰 Criminal IP Cyber News! October 28 edition. Catch up on recent cyber incidents from around the world ✅ ⚠️ Critical https://t.co/dDXiVXYvJi vulnerability (CVE-2025-55315) in QNAP's #Windows backup software https://t.co/CJaRXVPw2V
@CriminalIP_JP
29 Oct 2025
136 Impressions
0 Retweets
1 Like
0 Bookmarks
0 Replies
0 Quotes
Understanding CVE-2025-55315: What CISOs, security engineers, and sysadmins should know: https://t.co/R7g878kUJ0 #microsoft #aspnet #vulnerability #cve #informationsecurity #infosec #cybersecurity #exploitation https://t.co/jh6sLhidl5
@blackstormsecbr
28 Oct 2025
163 Impressions
0 Retweets
1 Like
0 Bookmarks
0 Replies
0 Quotes
Microsoft has addressed CVE-2025-55315, a vulnerability related to HTTP request handling. This update strengthens security and helps reduce risks such as privilege escalation or SSRF. To stay protected, apply the latest patch, review your request handling logic, and confirm proxy
@msftsecresponse
28 Oct 2025
20353 Impressions
38 Retweets
120 Likes
62 Bookmarks
0 Replies
2 Quotes
QNAP NetBak PC Agent is impacted by a critical https://t.co/PGRGNLeuSX Core flaw CVE-2025-55315 (CVSS 9.9) allowing HTTP request smuggling to hijack credentials and expose backup data. Microsoft patched in Oct 2025. #NetBakAgent #WindowsPatch #Taiwan https://t.co/Ans6th9Qg4
@TweetThreatNews
28 Oct 2025
5 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
Blogged: Understanding the worst .NET vulnerability ever: request smuggling and CVE-2025-55315 https://t.co/89TCJvjnNF In this post I discuss request smuggling, the recent vulnerability in #AspNetCore with a severity score of 9.9, and how attackers could exploit it #dotnet
@andrewlocknet
28 Oct 2025
12708 Impressions
29 Retweets
148 Likes
110 Bookmarks
0 Replies
4 Quotes
WARNING: QNAP NAS Backup Flaw (CVE-2025-55315) Can Steal Your Credentials - Patch NOW! Read the full report on - https://t.co/thW8SgSzKg https://t.co/BoEDSDVWnU
@Iambivash007
28 Oct 2025
2 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
Security Bulletin: https://t.co/ilh2NitSie Core HTTP Request Smuggling (CVE-2025-55315, CVSS 9.9) enables injected requests that bypass security features and compromise backend apps. Exploit confirmed. Patch immediately. #ThreatIntel #RedLeggCTI https://t.co/y0wsn3on4R
@RedLegg
28 Oct 2025
13 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
Understanding the worst .NET vulnerability ever: request smuggling and CVE-2025-55315 https://t.co/EHIErzKDvG
@jedisct1
28 Oct 2025
700 Impressions
2 Retweets
5 Likes
3 Bookmarks
0 Replies
0 Quotes
CVE-2025-55315 “If you are running ASP .NET Core using <=.NET Core 3.0, .NET Core 3.1, .NET 5, .NET 6 (unless supported by HeroDevs), or .NET 7, then you are vulnerable, and there are no patches.” https://t.co/kmBbVppiZy
@_mattata
28 Oct 2025
7425 Impressions
23 Retweets
78 Likes
47 Bookmarks
0 Replies
1 Quote
> Understanding the worst .NET vulnerability ever: request smuggling and CVE-2025-55315 https://t.co/AVSjpBC1HE https://t.co/6xzB3kRexs
@PaulomorgadoN
28 Oct 2025
98 Impressions
1 Retweet
2 Likes
2 Bookmarks
0 Replies
0 Quotes
Critical QNAP .NET Flaw Allows Security Bypass A critical vulnerability (CVE-2025-55315) affects QNAP's NetBak PC Agent via https://t.co/zNmNRGHb3d Core, enabling HTTP Request Smuggling attacks. This flaw bypasses security controls, risking unauthorized access and data https://t
@Secwiserapp
28 Oct 2025
26 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
🚨 QNAP warns of a critical https://t.co/ANjMDSakg8 vulnerability in its Windows backup software ⚠️ CVE-2025-55315 https://t.co/14tfN9A4X7 https://t.co/Bnl7bnz9Bi
@elhackernet
27 Oct 2025
2865 Impressions
0 Retweets
9 Likes
4 Bookmarks
0 Replies
0 Quotes
How to fix CVE-2025-55315 https://t.co/G6vW1bZBnJ https://t.co/ADipyXFqhB
@markpahulje
27 Oct 2025
32 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
⚠️Vulnerabilities in Microsoft products ❗CVE-2025-55315 ➡️More info: https://t.co/FSWgi7l7DW https://t.co/CKZfAWuKY0
@CERTpy
23 Oct 2025
141 Impressions
0 Retweets
2 Likes
0 Bookmarks
0 Replies
0 Quotes
CVE-2025-55315 https://t.co/X2dEV8Gysi Security Feature Bypass Vulnerability https://t.co/Imwy62H4QF #cybersecurity #SecQube
@SecQube
23 Oct 2025
11 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
Microsoft discloses critical https://t.co/MFkiJlwQJX Core vulnerability CVE-2025-55315 https://t.co/fjAd2brVJa #セキュリティ対策Lab #セキュリティ #Security
@securityLab_jp
22 Oct 2025
8 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
The vulnerability CVE-2025-55315 has been confirmed with CVSS severity 9.9; it affects https://t.co/Ez9h48qhXc Core (versions 6.0.0 ≤ v ≤ 6.0.36, 8.0.0 ≤ v ≤ 8.0.20, 9.0.0 ≤ v ≤ 9.0.9) and the Kestrel.Core component ≤ 2.3.6. The flaw allows manipulating headers
@tpx_Security
22 Oct 2025
6 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
We have released a hotfix that fixes problems with syslog logging and includes the latest Microsoft ASP NET Core security patches (CVE-2025-55315). Read our latest blog post to learn more
@3CX_DACH
22 Oct 2025
55291 Impressions
0 Retweets
10 Likes
1 Bookmark
0 Replies
0 Quotes
Update 7 Hotfix We have released a hotfix that fixes problems with syslog logging and includes the latest Microsoft https://t.co/2prAbvD7ay Core security patches (CVE-2025-55315). More here: https://t.co/m7krcmqway #3CX #Update7 #Sicherheitsupdate
@3CX_DACH
22 Oct 2025
7 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
We have released a fix that resolves the syslog logging problems and includes the latest Microsoft https://t.co/ccUmHPmEa1 Core security patches (CVE-2025-55315). Read our latest article to learn more. https://t.co/sg6jS8Iuck https://t.co/UQgm1fQlX7
@3CX_France
22 Oct 2025
85 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
Is this real or a joke CVE-2025-55315 ? https://t.co/9fUTjaTjuF Core is vulnerable to http request smuggling !!!! And why is no one talking about it? https://t.co/o7darxqsL5 https://t.co/b9nZASxnHu
@h4x0r_dz
21 Oct 2025
25851 Impressions
51 Retweets
375 Likes
227 Bookmarks
6 Replies
0 Quotes
Heads up, devs! CVE-2025-55315 (CVSS 9.9) in https://t.co/k8SOwsic6l Core makes HTTP smuggling really easy. 489K+ services wide open via Hunter! The Python PoC is ready to test. Have you patched yet? Share your experience! #CyberSec #Vuln [Attach image: PoC Code Snippet] Quote
@BJORKANISM_REAL
21 Oct 2025
134 Impressions
0 Retweets
2 Likes
0 Bookmarks
0 Replies
0 Quotes
🔥Criminal IP Cyber News – October 21🔥 🔓 #마이크로소프트 patches highest-severity https://t.co/FMzPJeULxP Core vulnerability. The HTTP request smuggling bug (CVE-2025-55315) lets an authenticated attacker hijack other users' accounts and modify server files
@CriminalIP_KR
21 Oct 2025
100 Impressions
0 Retweets
0 Likes
1 Bookmark
0 Replies
0 Quotes
🚨🚨CVE-2025-55315 (CVSS: 9.9) : https://t.co/qsOziXctBq Kestrel HTTP Request and Response Smuggling https://t.co/qsOziXctBq Kestrel has inconsistencies in HTTP parsing that allow an authenticated attacker to bypass network defenses via HTTP request/response smuggling. 🔥
@zoomeye_team
21 Oct 2025
8501 Impressions
38 Retweets
145 Likes
72 Bookmarks
1 Reply
1 Quote
‘Highest Ever’ Severity Score Assigned by Microsoft - CVE-2025-55315 - https://t.co/XAUfsbAcbx
@SecurityWeek
20 Oct 2025
4812 Impressions
9 Retweets
31 Likes
10 Bookmarks
0 Replies
1 Quote
click bait headline but still valid #ITSecurity ‘Highest Ever’ Severity Score Assigned by Microsoft to https://t.co/RTXe4LfXc9 Core Vulnerability CVE-2025-55315 is an HTTP request smuggling bug leading to information leaks, file content tampering, and server crashes.
@seaarepea
19 Oct 2025
79 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
Abbreviated Reproduction of CVE-2025-55315 (Critical 9.9 https://t.co/pQViwsfEm8 Kestrel HTTP Request and Response Smuggling) https://t.co/fTUCjLnspm https://t.co/6FCCeZAFCA
@freedomhack101
18 Oct 2025
166 Impressions
0 Retweets
1 Like
0 Bookmarks
0 Replies
0 Quotes
🚨 The Kestrel Conundrum: Deconstructing the Critical #CVE-2025-55315 Request Smuggling Vulnerability https://t.co/u5NtYnerIN Educational Purposes!
@UndercodeUpdate
18 Oct 2025
116 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
🚨 Critical vulnerability in https://t.co/ANjMDS9MqA Core web server ⚠️ CVE-2025-55315 https://t.co/WjRMgHovTq
@elhackernet
18 Oct 2025
2372 Impressions
4 Retweets
15 Likes
2 Bookmarks
0 Replies
0 Quotes
🚨 Microsoft has patched the most dangerous bug in the history of #ASP_NET_Core! The CVE-2025-55315 bug in the Kestrel web server allowed attackers to covertly inject HTTP requests and to data
@vulnerbyte
18 Oct 2025
96 Impressions
0 Retweets
1 Like
0 Bookmarks
0 Replies
0 Quotes
Microsoft patches critical https://t.co/PGRGNLeuSX Core flaw CVE-2025-55315 affecting Kestrel server that risks credential theft and server breaches. Updates advised for .NET 8, 2.3, and related apps. #ASPNetCore #MicrosoftPatch #USA https://t.co/IbHpQvocOC
@TweetThreatNews
17 Oct 2025
98 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
This week Microsoft fixed the highest-severity vulnerability in the history of ASP .NET Core. This HTTP request smuggling bug (CVE-2025-55315) was discovered in the Kestrel ASP .NET Core web server and to an attacker
@Teeegra
17 Oct 2025
1455 Impressions
0 Retweets
26 Likes
2 Bookmarks
0 Replies
0 Quotes
Microsoft assigns highest ever severity score (9.9) to an HTTP request smuggling flaw in https://t.co/PGRGNLeuSX Core's Kestrel server (CVE-2025-55315). Patches released to prevent session hijacking and data leaks. #ASPNetCore #KestrelServer #USA https://t.co/B47dqzS2yP
@TweetThreatNews
17 Oct 2025
22 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
CVE-2025-55315, a 9.9 HTTP smuggling vulnerability in dotnet Kestrel webserver disclosed this week, caught my attention this morning due to lack of information, so I put together a very limited analysis of it. https://t.co/9y5CH2qezK More to be done here for those interested!
@7urb01
16 Oct 2025
6072 Impressions
14 Retweets
84 Likes
38 Bookmarks
0 Replies
0 Quotes
🚨 https://t.co/wYRWE2eQNj Core HTTP BYPASS — CVE-2025-55315! Patch https://t.co/iYrMleF7I8.Runtime / Kestrel NOW. If you can’t patch immediately, limit public exposure (WAF / isolate services), monitor HTTP/3/request anomalies, and check logs. 📷 https://t.co/nu4bsU2KIQ
@vulert_official
15 Oct 2025
30 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
[
  {
    "nodes": [
      {
        "negate": false,
        "cpeMatch": [
          {
            "criteria": "cpe:2.3:a:microsoft:asp.net_core:*:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "3FFD93B1-E2BC-4183-AF00-E8076AE481EB",
            "versionEndExcluding": "2.3.6",
            "versionStartIncluding": "2.3.0"
          },
          {
            "criteria": "cpe:2.3:a:microsoft:asp.net_core:*:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "CF3C03E8-F428-4E48-9E44-C2BFB5063C93",
            "versionEndExcluding": "8.0.21",
            "versionStartIncluding": "8.0.0"
          },
          {
            "criteria": "cpe:2.3:a:microsoft:asp.net_core:*:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "79900862-C5E8-49CC-B3CB-C29E8E105462",
            "versionEndExcluding": "9.0.10",
            "versionStartIncluding": "9.0.0"
          },
          {
            "criteria": "cpe:2.3:a:microsoft:visual_studio_2022:*:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "D1CC80FE-4DE3-4AC2-AB45-AEEE2A90B3ED",
            "versionEndExcluding": "17.10.20",
            "versionStartIncluding": "17.10.0"
          },
          {
            "criteria": "cpe:2.3:a:microsoft:visual_studio_2022:*:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "30CA6B37-C8AE-47E1-AC0C-64A092CD880D",
            "versionEndExcluding": "17.12.13",
            "versionStartIncluding": "17.12.10"
          },
          {
            "criteria": "cpe:2.3:a:microsoft:visual_studio_2022:*:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "B906E822-E6EF-4890-A100-4BA93187BCD6",
            "versionEndExcluding": "17.14.17",
            "versionStartIncluding": "17.14.0"
          }
        ],
        "operator": "OR"
      }
    ]
  }
]