- Microsoft patched a critical ASP.NET Core vulnerability rated 9.9 out of 10.
- The flaw allows attackers to smuggle hidden HTTP requests into legitimate ones.
- Exploits could lead to credential theft, file tampering, or full server crashes.
- Developers are urged to install the latest .NET and Visual Studio updates immediately.
Microsoft has rolled out a critical fix for one of its most serious security issues to date. The company confirmed it recently patched an HTTP request smuggling vulnerability in its ASP.NET Core platform. Tracked as CVE-2025-55315, this flaw received a near-perfect severity score of 9.9 out of 10.
Security experts say this is one of the most dangerous bugs ever reported in the ASP.NET Core framework. The flaw affects Kestrel, the built-in web server that powers many .NET-based web applications. If left unpatched, attackers could potentially steal credentials, modify files, or even crash entire servers.
How the Vulnerability Works
The bug is described as an HTTP request smuggling flaw. In simple terms, it allows an attacker to sneak a hidden or “smuggled” request inside another legitimate one. This happens when different parts of a web system — such as a proxy and a web server — interpret an incoming request in slightly different ways.
That difference in interpretation opens the door for attackers to bypass important security checks. By crafting a specially formatted HTTP request, they can make the system process unauthorized commands without being detected.
Microsoft explained that a successful attack could expose sensitive data, including user login credentials. Attackers might also change files stored on the server, disrupt running applications, or cause a complete system crash. In other words, the flaw threatens confidentiality, integrity, and availability all at once.
Microsoft’s Response and Fixes
Microsoft acted quickly once the vulnerability was discovered. Updates have been released for several versions of .NET and Visual Studio, as well as specific ASP.NET Core releases.
Users running .NET 8 or later are advised to install the latest .NET update directly from Microsoft Update. Those still using .NET 2.3 should update the package reference for Microsoft.AspNet.Server.Kestrel.Core to version 2.3.6. After updating, developers must recompile and redeploy their applications to ensure full protection.
For anyone running self-contained or single-file applications, the process is similar: install the update, recompile, and redeploy. Microsoft has also issued patches for Visual Studio 2022 and multiple ASP.NET Core branches, including versions 2.3, 8.0, and 9.0.
A Word of Caution from Microsoft’s Security Team
Barry Dorrans, a technical program manager on Microsoft’s .NET security team, commented on the unusual scoring of this flaw. He explained that while the official severity rating is extremely high, the real-world risk depends heavily on how each application is built.
“We don’t know exactly what’s possible because it depends on how you’ve written your app,” he noted. “The score is based on the worst-case scenario, where an attacker can bypass a security feature or change the scope of the attack.”
That uncertainty is what prompted Microsoft to rate the vulnerability so high. By taking a cautious approach, the company aims to ensure that developers treat the issue seriously, regardless of how their web servers are configured.
Why This Matters
HTTP request smuggling attacks are relatively rare but notoriously difficult to detect. They can slip past firewalls, proxies, and even some modern security tools. Because of that, Microsoft’s patch is being viewed as one of the most important updates in recent years for web developers using the .NET ecosystem.
Organizations that rely on ASP.NET Core for web services, APIs, or enterprise platforms are strongly encouraged to install the latest updates immediately. Delaying the fix could leave servers open to silent exploitation.
Cybersecurity professionals also recommend regular testing for HTTP desynchronization and similar vulnerabilities. Even small configuration mistakes in web servers or load balancers can open pathways for smuggling attacks.
Microsoft’s quick response shows how seriously the company is treating threats that impact its widely used development platforms. The patch not only addresses a high-impact flaw but also highlights the ongoing need for developers to keep their build environments and dependencies up to date.
Follow TechBSB For More Updates
