Critical Vulnerability in ASP.NET Core

A Must-Patch for Web Applications

Microsoft has published a security advisory for a critical flaw (CVE-2025-55315) in the ASP.NET Core framework. The vulnerability sits in the Kestrel web server component and allows an attacker to perform HTTP request smuggling, which can be used to bypass security controls, read data the attacker should not see and, depending on what the application exposes, escalate privileges.

How the Vulnerability Works
  • The flaw stems from the front-end proxy (a load balancer, CDN or reverse proxy) and the backend Kestrel server disagreeing on where one HTTP request ends and the next begins, because they interpret the framing headers, Content-Length and Transfer-Encoding, differently.
  • An attacker sends a crafted request whose body carries a second, hidden request. The front end treats the bytes as a single request and applies its checks to the visible one; Kestrel parses the hidden tail as a separate request that reaches application logic without ever passing those checks.
  • Affected versions include ASP.NET Core 8.0, 9.0 and the 10.0 previews. The attack needs two parsers that disagree, so deployments with a reverse proxy such as NGINX or Azure Front Door in front of Kestrel are the realistic targets.
  • Microsoft assigns a base score of 9.9 (CVSS v3.1), reflecting the impact in worst-case configurations; what a smuggled request can actually do on a given deployment depends on what the application behind Kestrel exposes.
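The parsing discrepancy described above, shown as an added example that is not code from this page, from Microsoft or from ASP.NET Core. Two deliberately simplified HTTP/1.1 parsers frame the same bytes differently: one trusts Content-Length (a naive front end), the other lets Transfer-Encoding: chunked win (the RFC 9112 rule a back end such as Kestrel follows). The request bytes, the host app.example, the paths and the front-end "block /admin/" rule are all constructed for this example; the parsers are generic stand-ins and do not reproduce the specific Kestrel bug Microsoft fixed.

```python
"""CL.TE request smuggling illustrated with two toy HTTP/1.1 parsers.

Added example: not code from the page, Microsoft or ASP.NET Core.
Everything here (request bytes, host, paths, the admin rule) is constructed.
"""
from __future__ import annotations

from dataclasses import dataclass, field

CRLF = b"\r\n"


@dataclass
class Request:
    start_line: str
    headers: dict[str, str] = field(default_factory=dict)
    body: bytes = b""


def _split_head(buf: bytes) -> tuple[str, dict[str, str], bytes]:
    """Split one request into (start line, lowercased header map, bytes after the header block)."""
    head, _, rest = buf.partition(CRLF + CRLF)
    lines = head.split(CRLF)
    headers: dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.decode("latin-1").partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0].decode("latin-1"), headers, rest


def _read_chunked(rest: bytes) -> tuple[bytes, bytes]:
    """Decode a chunked body; return (decoded body, bytes left over after the 0-chunk)."""
    body = b""
    while True:
        size_line, _, rest = rest.partition(CRLF)
        size = int(size_line.split(b";")[0], 16)   # chunk extensions are ignored
        if size == 0:
            _, _, rest = rest.partition(CRLF)       # empty line that ends the body
            return body, rest
        body += rest[:size]
        rest = rest[size + 2:]                      # chunk data plus its trailing CRLF


def parse_content_length_first(buf: bytes) -> list[Request]:
    """A front end that frames every request by Content-Length and ignores Transfer-Encoding."""
    reqs: list[Request] = []
    while buf:
        start, headers, rest = _split_head(buf)
        n = int(headers.get("content-length", "0"))
        reqs.append(Request(start, headers, rest[:n]))
        buf = rest[n:]
    return reqs


def parse_transfer_encoding_first(buf: bytes) -> list[Request]:
    """A back end that, per RFC 9112 section 6.3, lets Transfer-Encoding: chunked override Content-Length."""
    reqs: list[Request] = []
    while buf:
        start, headers, rest = _split_head(buf)
        if headers.get("transfer-encoding", "").lower() == "chunked":
            body, buf = _read_chunked(rest)
        else:
            n = int(headers.get("content-length", "0"))
            body, buf = rest[:n], rest[n:]
        reqs.append(Request(start, headers, body))
    return reqs


def build_cl_te_request() -> bytes:
    """Constructed CL.TE payload: Content-Length covers the whole body, hidden request included."""
    smuggled = (b"GET /admin/users HTTP/1.1\r\n"
                b"Host: app.example\r\n"
                b"X-Smuggled: 1\r\n\r\n")
    body = b"0\r\n\r\n" + smuggled          # chunked terminator, then the hidden request
    return (b"POST /api/upload HTTP/1.1\r\n"
            b"Host: app.example\r\n"
            b"Content-Length: " + str(len(body)).encode() + b"\r\n"
            b"Transfer-Encoding: chunked\r\n\r\n" + body)


def front_end_blocks_admin(reqs: list[Request]) -> bool:
    """Hypothetical front-end access rule: refuse anything under /admin/."""
    return any(r.start_line.split(" ")[1].startswith("/admin/") for r in reqs)


def demo() -> tuple[int, int, bool]:
    """(requests the front end sees, requests the back end sees, did the front end block /admin/?)"""
    raw = build_cl_te_request()
    at_front = parse_content_length_first(raw)
    at_back = parse_transfer_encoding_first(raw)
    return len(at_front), len(at_back), front_end_blocks_admin(at_front)


if __name__ == "__main__":
    n_front, n_back, blocked = demo()
    print(f"front end saw {n_front} request(s); admin rule triggered: {blocked}")
    print(f"back end saw {n_back} request(s): "
          + ", ".join(r.start_line for r in parse_transfer_encoding_first(build_cl_te_request())))
```

The front end sees one POST to /api/upload, finds nothing to block, and forwards all 68 bytes; the back end decodes an empty chunked body and then parses the leftover bytes as a second request, GET /admin/users, that the front-end rule never examined.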
Why This Is Important

For web applications built on ASP.NET Core, this vulnerability represents a serious threat:

  • A smuggled request bypasses authentication or authorization enforced at the front end, because the front end only ever evaluates the visible request.
  • It can lead to session hijacking, unauthorized access or manipulation of backend services wherever application logic assumes that every request it receives has already passed the front-end checks.
  • ASP.NET Core is used extensively across industries, so the exposure for organisations running it behind a proxy is large.
  • Microsoft has not reported active exploitation in the wild, but low attack complexity combined with high impact makes remediation urgent.
Immediate Actions to Take
  1. Patch ASP.NET Core immediately: install Microsoft's updates for every affected version. Kestrel ships in the ASP.NET Core shared framework, so framework-dependent apps need the runtime update on the host or container image, and self-contained apps must be rebuilt against the patched framework.
  2. Review your proxy and load-balancer configuration: make sure the front end frames requests the same way Kestrel does when Content-Length and Transfer-Encoding are present, and prefer a front end that fully parses and re-serialises requests over one that streams raw bytes through.
  3. Deploy request-normalisation rules: have proxies reject, rather than guess at, requests that carry both Content-Length and Transfer-Encoding, duplicate or conflicting Content-Length values, non-standard Transfer-Encoding values, or bare LF line endings.
  4. Audit your applications: identify endpoints whose protection relies on header validation, request routing or front-end access rules, and treat them as higher risk until patched.
  5. Monitor logs for anomalous traffic: unusual header combinations, unexpected secondary requests on a connection, or requests reaching paths the front end should have blocked should trigger alerts.
  6. Strengthen defence in depth: enable Web Application Firewalls (WAFs) and runtime application monitoring, and enforce least-privilege authorization inside the application rather than only at the edge.
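A request-normalisation check of the kind steps 2, 3 and 5 call for, written here as an added example rather than configuration from any proxy vendor or from Microsoft. It rejects framing that is ambiguous or non-standard instead of interpreting it, and returns a reason string suitable for logging or alerting. The sample requests are constructed for this example; the chunk-size check only inspects the first chunk line, and the whole thing is a mitigation at the edge, not a substitute for patching Kestrel.

```python
"""Reject ambiguous HTTP/1.1 request framing before forwarding to the back end.

Added example: not code from the page, Microsoft or any proxy product.
The sample requests are constructed for this example.
"""
import re


def check_framing(raw: bytes) -> tuple[str, str]:
    """Return ("accept", "") or ("reject", reason) for one raw HTTP/1.1 request."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        return "reject", "no CRLFCRLF terminating the header block"
    if b"\n" in head.replace(b"\r\n", b""):
        return "reject", "bare LF used as a line terminator in the header block"
    cl_values: list[bytes] = []
    te_values: list[bytes] = []
    for line in head.split(b"\r\n")[1:]:
        name, colon, value = line.partition(b":")
        # RFC 9112: no whitespace around the field name; obs-fold (leading space) is rejected too
        if not colon or name != name.strip():
            return "reject", f"malformed header line {line!r}"
        name = name.lower()
        if name == b"content-length":
            cl_values.append(value.strip())
        elif name == b"transfer-encoding":
            te_values.append(value.strip().lower())
    if cl_values and te_values:
        return "reject", "both Content-Length and Transfer-Encoding present"
    if len(set(cl_values)) > 1:
        return "reject", "conflicting Content-Length values"
    if cl_values and not re.fullmatch(rb"[0-9]+", cl_values[0]):
        return "reject", "non-numeric Content-Length"
    if te_values:
        if te_values != [b"chunked"]:
            return "reject", f"unexpected Transfer-Encoding {te_values!r}"
        # first chunk-size line must be hex (optionally with extensions) and CRLF terminated
        size_line = body.split(b"\r\n", 1)[0]
        if not re.fullmatch(rb"[0-9A-Fa-f]+(;[^\r\n]*)?", size_line):
            return "reject", f"bad first chunk-size line {size_line!r}"
    return "accept", ""


# Constructed samples: two well-formed requests and four smuggling-style ambiguities.
SAMPLES: dict[str, bytes] = {
    "clean":         b"POST /api HTTP/1.1\r\nHost: a\r\nContent-Length: 2\r\n\r\nhi",
    "chunked_ok":    b"POST /api HTTP/1.1\r\nHost: a\r\nTransfer-Encoding: chunked\r\n\r\n2\r\nhi\r\n0\r\n\r\n",
    "cl_te":         b"POST /api HTTP/1.1\r\nHost: a\r\nContent-Length: 5\r\nTransfer-Encoding: chunked\r\n\r\n0\r\n\r\n",
    "bare_lf":       b"POST /api HTTP/1.1\r\nHost: a\nTransfer-Encoding: chunked\r\n\r\n0\r\n\r\n",
    "obfuscated_te": b"POST /api HTTP/1.1\r\nHost: a\r\nTransfer-Encoding: xchunked\r\n\r\n0\r\n\r\n",
    "dup_cl":        b"POST /api HTTP/1.1\r\nHost: a\r\nContent-Length: 2\r\nContent-Length: 5\r\n\r\nhi",
}


def triage(samples: dict[str, bytes]) -> dict[str, str]:
    """Verdict per sample name; the reason from check_framing is what you would log."""
    return {name: check_framing(raw)[0] for name, raw in samples.items()}


if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        verdict, reason = check_framing(raw)
        print(f"{name:14s} {verdict:7s} {reason}")
```

Rejecting at the edge means the back end never sees a request with two possible framings, which removes the precondition for the desync regardless of how lenient the back-end parser is; it does not fix the lenient parser, so the Kestrel update still has to be installed.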
