Critical Request Smuggling Vulnerability in ASP.NET Core Kestrel Web Server
Microsoft has addressed a critical security vulnerability in the Kestrel web server component of ASP.NET Core, tracked as CVE-2025-55315, which received a CVSS severity score of 9.9, the highest ever assigned by Microsoft to a flaw in this framework. The vulnerability enables HTTP request smuggling, a technique where an attacker can embed a malicious request within a legitimate one, potentially bypassing authentication and other security controls. This flaw affects all currently supported versions of ASP.NET Core, including versions 8, 9, and 10, as well as the older ASP.NET Core 2.3 running on the Windows-only .NET Framework.

According to Microsoft’s security advisory, the vulnerability allows authenticated attackers to exploit inconsistent HTTP request interpretation, leading to the bypass of security features over a network. Security program manager Barry Dorrans explained that a successful attack could allow an adversary to log in as a different user, circumvent cross-site request forgery (CSRF) protections, or perform injection attacks.

The actual risk posed by this vulnerability is highly dependent on the specific application code and deployment configuration, with the most severe outcomes occurring in applications that do not properly validate or handle HTTP requests. Dorrans emphasized that while the vulnerability is serious, the likelihood of exploitation is reduced if applications are well-designed and if reverse proxies or gateways are used to filter out smuggled requests. The high CVSS score reflects the potential for a security feature bypass that changes the scope of access, rather than the likelihood of exploitation in all environments. Developers have sought clarification on what constitutes vulnerable application code, but Microsoft has indicated that any application performing authentication or access control based on HTTP requests could be at risk if not properly secured.
Kestrel is widely used as the default web server for ASP.NET Core applications, both behind reverse proxies and as a direct-facing server, increasing the potential exposure. Microsoft’s patch addresses the underlying issue in Kestrel, and organizations are urged to apply updates promptly to mitigate the risk. The vulnerability highlights the importance of secure coding practices and the need for defense-in-depth measures, such as using reverse proxies to sanitize incoming requests. Security teams should review their ASP.NET Core deployments, especially those directly exposing Kestrel to the internet, to ensure they are not susceptible to request smuggling attacks. The incident underscores the evolving complexity of web application security and the critical role of timely patch management. Microsoft’s response demonstrates a commitment to transparency and rapid remediation for high-severity vulnerabilities in its ecosystem. Organizations leveraging ASP.NET Core should remain vigilant for further advisories and best practice recommendations from Microsoft and the broader security community.
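As an added illustration of what "filtering out smuggled requests" at a reverse proxy or gateway means in practice, the check below flags the HTTP/1.1 header combinations that RFC 9112 says must not be trusted for message framing, since two parsers resolving them differently is the inconsistency request smuggling relies on. This is example code written for this page, not Microsoft's or Kestrel's, and the sample request heads are constructed.

```python
def framing_problems(raw_head: bytes) -> list[str]:
    """Return the framing ambiguities found in a raw HTTP/1.1 request head.

    raw_head is the request line and headers up to the blank line.
    An empty list means the body length is unambiguous and the request
    is safe to forward; anything else should be rejected at the edge.
    """
    problems = []
    cl_values, te_values = [], []
    for line in raw_head.split(b"\r\n")[1:]:   # skip the request line
        if not line:                            # blank line ends the head
            break
        if b":" not in line:
            problems.append(f"malformed header line: {line!r}")
            continue
        name, value = line.split(b":", 1)
        # Whitespace before the colon is forbidden (RFC 9112 section 5.1): a
        # lenient parser may honour "Content-Length : 5" while a strict one
        # ignores it, so the two disagree about where the body ends.
        if name != name.rstrip():
            problems.append(f"whitespace before colon: {name!r}")
        key = name.strip().lower()
        if key == b"content-length":
            cl_values.append(value.strip())
        elif key == b"transfer-encoding":
            te_values.append(value.strip().lower())
    # Transfer-Encoding and Content-Length together is the classic CL.TE/TE.CL
    # ambiguity; the RFC says TE wins, but not every hop agrees.
    if te_values and cl_values:
        problems.append("both Transfer-Encoding and Content-Length present")
    for v in cl_values:
        if not v.isdigit():
            problems.append(f"non-numeric Content-Length: {v!r}")
    if len(set(cl_values)) > 1:
        problems.append("conflicting Content-Length values")
    elif len(cl_values) > 1:
        problems.append("duplicate Content-Length header")
    # With Transfer-Encoding, chunked must be the final coding, otherwise
    # the length cannot be determined and the message must be rejected.
    codings = [c.strip() for c in b",".join(te_values).split(b",") if c.strip()]
    if codings and codings[-1] != b"chunked":
        problems.append("chunked is not the final transfer coding")
    return problems


def is_safe_to_forward(raw_head: bytes) -> bool:
    return not framing_problems(raw_head)


# Constructed sample heads (not captured traffic) for a quick self-check.
CLEAN = b"POST /login HTTP/1.1\r\nHost: app.example\r\nContent-Length: 13\r\n\r\n"
AMBIGUOUS = (b"POST /login HTTP/1.1\r\nHost: app.example\r\n"
             b"Content-Length: 13\r\nTransfer-Encoding: chunked\r\n\r\n")
```

A proxy that applies these rules before Kestrel ever sees the bytes removes the parser disagreement the advisory describes; the same checks can be logged rather than enforced to measure how much ambiguous traffic an edge actually receives.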

How this story unfolded
Microsoft assigns record 9.9 severity to the ASP.NET Core vulnerability
Microsoft rated CVE-2025-55315 at CVSS 9.9, described in reporting as the highest severity score ever assigned to an ASP.NET Core flaw. The company said the bug was not known to be exploited in the wild but urged customers to update and redeploy affected applications quickly.
Microsoft patches critical ASP.NET Core Kestrel flaw CVE-2025-55315
As part of October 2025 Patch Tuesday, Microsoft released fixes for CVE-2025-55315, a critical HTTP request smuggling vulnerability in the Kestrel web server component of ASP.NET Core. The flaw affects supported ASP.NET Core versions and can allow attackers to bypass authentication and other security controls depending on application behavior.
Sources
Critical ASP.NET core vulnerability earns Microsoft’s highest-ever severity score (csoonline.com)
Microsoft fixes highest-severity ASP.NET Core flaw ever (bleepingcomputer.com)
Microsoft kills 9.9-rated ASP.NET Core bug – 'our highest ever' score (go.theregister.com)


