Inconsistent interpretation of http requests ('http request/response smuggling') in ASP.NET Core allows an authorized attacker to bypass a security feature over a network.
The vulnerability results from inconsistent interpretation of HTTP requests (CWE-444) by ASP.NET Core components. An attacker sends crafted HTTP requests that are parsed differently by the front-end and back-end servers, causing a discrepancy in the delineation of request boundaries. This makes it possible to smuggle additional HTTP requests that bypass security controls applied by intermediate infrastructure layers (e.g., reverse proxy, web application firewalls). The attack vector is network-based, requires no user interaction, and only requires basic privileges (PR:L) to execute.
An authenticated attacker can bypass application security features, which in the context of HTTP request smuggling can lead to unauthorized data access, session hijacking of other users, or further privilege escalation. High impact on confidentiality and integrity (C:H, I:H) indicates the possibility of sensitive data disclosure and modification of application resources.
Apply patches available from the vendor according to the references — the update should be deployed immediately due to the critical threat level. Detailed information about versions containing the fix is available at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-55315. Until the patch is deployed, consider restrictive configuration of proxy layers and web application firewalls to limit the possibility of request smuggling.
Microsoft Visual Studio 2022 and Microsoft ASP.NET Core — specific versions indicated in vendor references (MSRC).
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:LMicrosoft Asp.net Core
APPMicrosoft2.3.0 – 2.3.6 (bez)8.0.0 – 8.0.21 (bez)9.0.0 – 9.0.10 (bez)Microsoft Visual Studio 2022
APPMicrosoft17.10.0 – 17.10.20 (bez)17.12.10 – 17.12.13 (bez)17.14.0 – 17.14.17 (bez)
Related vulnerabilities
ASP.NET Core — błąd weryfikacji podpisu kryptograficznego umożliwia privilege escalation
RCE w .NET i Visual Studio — krytyczna podatność umożliwiająca zdalne wykonanie kodu
Podatność omijania funkcji bezpieczeństwa w .NET, .NET Framework i Visual Studio
.NET and Visual Studio Denial of Service Vulnerability
Uncontrolled resource consumption in ASP.NET Core allows an unauthorized attacker to deny service over a netwo...