Critical HTTP Smuggling Flaw Patched in Microsoft ASP.NET Core Kestrel

Microsoft has patched a critical vulnerability in the Kestrel web server for ASP.NET Core, tracked as CVE-2025-55315. Classified as an HTTP Request Smuggling flaw, it enables an authenticated attacker to “inject” additional requests into a valid session, potentially hijacking user sessions or bypassing external security filters. According to Microsoft’s advisory, successful exploitation may lead to the exfiltration of sensitive data — including user credentials — unauthorized modification of server files, or even a service crash, affecting overall resource availability.

To remediate the flaw, Microsoft has issued specific guidance for each platform version and deployment method. Users running .NET 8 or later should install the update via Microsoft Update, then restart the application or system. For ASP.NET Core 2.3, developers must update the Microsoft.AspNet.Server.Kestrel.Core package to version 2.3.6, rebuild the project, and redeploy it. Documentation further specifies that for the 2.x branch, the Microsoft.AspNetCore.Server.Kestrel.Core package must also be updated, followed again by recompilation and redeployment. For self-contained or single-file applications, the process is the same: install the framework update, rebuild, and reinstall executables. Concurrently, Microsoft released security patches for Visual Studio 2022, and for ASP.NET Core versions 2.3, 8.0, and 9.0.

According to Barry Dorrans, .NET Security Program Manager, the impact of exploitation depends on each web application’s architecture. In theory, the flaw could allow an attacker to impersonate another user, trigger internal SSRF requests, bypass CSRF protections, or execute injection attacks. The vulnerability was rated under a worst-case scenario, categorized as a security feature bypass, meaning it compromises built-in protection mechanisms. Although the likelihood of exploitation in well-validated applications remains low, Microsoft strongly urges all users to apply the patch without delay.

The October Patch Tuesday cycle proved especially extensive: Microsoft addressed 172 vulnerabilities, including eight critical issues and six zero-days, three of which were already being actively exploited in the wild. The company also released KB5066791, a cumulative update delivering the final security patches for Windows 10, marking the end of its official support lifecycle.

Support Our Threat Intelligence

If you find our technology report and cybersecurity news helpful, consider supporting our work.

Buy Me a Coffee PayPal Crypto

USDT (TRC20):

TN8BdV8cp4T1Cd28gK9qTAnZknzzuwyUtm Copy

USDT (ERC20):

0x3725e1a7d3bc5765499fa6aaafe307fabcd75bce Copy