CRITICAL✓ PATCH🇵🇱 Wersja polska

CVE-2025-55315

CVSS 9.9v3.1pub. 2025-10-14upd. 2025-10-28

Inconsistent interpretation of http requests ('http request/response smuggling') in ASP.NET Core allows an authorized attacker to bypass a security feature over a network.

🤖 AI Analysis
How it works

The vulnerability results from inconsistent interpretation of HTTP requests (CWE-444) by ASP.NET Core components. An attacker sends crafted HTTP requests that are parsed differently by the front-end and back-end servers, causing a discrepancy in the delineation of request boundaries. This makes it possible to smuggle additional HTTP requests that bypass security controls applied by intermediate infrastructure layers (e.g., reverse proxy, web application firewalls). The attack vector is network-based, requires no user interaction, and only requires basic privileges (PR:L) to execute.

Impact

An authenticated attacker can bypass application security features, which in the context of HTTP request smuggling can lead to unauthorized data access, session hijacking of other users, or further privilege escalation. High impact on confidentiality and integrity (C:H, I:H) indicates the possibility of sensitive data disclosure and modification of application resources.

Mitigation & patch

Apply patches available from the vendor according to the references — the update should be deployed immediately due to the critical threat level. Detailed information about versions containing the fix is available at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-55315. Until the patch is deployed, consider restrictive configuration of proxy layers and web application firewalls to limit the possibility of request smuggling.

Who is affected

Microsoft Visual Studio 2022 and Microsoft ASP.NET Core — specific versions indicated in vendor references (MSRC).

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L
  • Microsoft Asp.net Core

    APP
    Microsoft
    2.3.0 – 2.3.6 (bez)8.0.0 – 8.0.21 (bez)9.0.0 – 9.0.10 (bez)
  • Microsoft Visual Studio 2022

    APP
    Microsoft
    17.10.0 – 17.10.20 (bez)17.12.10 – 17.12.13 (bez)17.14.0 – 17.14.17 (bez)
🟢
PATCH AVAILABLE
Vendor update available. Deploy in standard maintenance cycle.
CWE
References

Related vulnerabilities

CVE-2026-40372CRITICAL9.1PL ✓ten sam produkt

ASP.NET Core — błąd weryfikacji podpisu kryptograficznego umożliwia privilege escalation

CVE-2024-43498CRITICAL9.8PL ✓ten sam produkt

RCE w .NET i Visual Studio — krytyczna podatność umożliwiająca zdalne wykonanie kodu

CVE-2024-0057CRITICAL9.1PL ✓ten sam produkt

Podatność omijania funkcji bezpieczeństwa w .NET, .NET Framework i Visual Studio

CVE-2023-38180HIGH7.5⚠ KEVten sam produkt

.NET and Visual Studio Denial of Service Vulnerability

CVE-2026-45591HIGH7.5ten sam produkt

Uncontrolled resource consumption in ASP.NET Core allows an unauthorized attacker to deny service over a netwo...