
Microsoft ASP.NET: CVE-2025-55315: HTTP Request Smuggling Vulnerability

Severity: 9
CVSS: (AV:N/AC:L/Au:S/C:C/I:C/A:P)
Published: Oct 14, 2025
Added: Feb 6, 2026
Modified: Feb 6, 2026

Description

A critical vulnerability exists in the ASP.NET Core Kestrel web server due to an inconsistent interpretation of HTTP requests (Request Smuggling). The flaw stems from improper validation of chunked transfer encoding extensions and newline handling.


An authenticated attacker can exploit this discrepancy between a reverse proxy (such as Nginx, HAProxy, or Azure Front Door) and the backend Kestrel server to "smuggle" a hidden request inside a legitimate one. Successful exploitation allows the attacker to bypass security features such as authentication, authorization, and CSRF checks.
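
A defensive check for the framing ambiguity described above, as an added example (not Microsoft's fix and not Kestrel code): a strict chunked-body validator, following the RFC 9112 chunked grammar, that rejects any chunk-size or trailer line containing a bare CR or LF instead of guessing where the line ends. The function names and the sample bodies are constructed for illustration.

```python
import re

# chunk-size is 1*HEXDIG; an optional chunk-ext starts at ';' (RFC 9112, 7.1).
# Extension content is only checked for line breaks here, not for token syntax.
CHUNK_LINE = re.compile(rb"^([0-9A-Fa-f]+)([ \t]*;[^\r\n]*)?$")

class AmbiguousChunking(ValueError):
    """Framing that a proxy and a backend could interpret differently."""

def _read_line(body: bytes, pos: int):
    """Return (line, next_pos). The line must end in CRLF and hold no bare CR/LF."""
    end = body.find(b"\r\n", pos)
    line = body[pos:end] if end != -1 else body[pos:]
    if b"\n" in line or b"\r" in line:
        raise AmbiguousChunking(f"bare CR or LF in line at offset {pos}")
    if end == -1:
        raise AmbiguousChunking(f"line at offset {pos} not terminated by CRLF")
    return line, end + 2

def validate_chunked(body: bytes) -> int:
    """Strictly parse one chunked body; return the decoded length or raise."""
    pos = total = 0
    while True:
        line, pos = _read_line(body, pos)
        m = CHUNK_LINE.match(line)
        if not m:
            raise AmbiguousChunking(f"malformed chunk-size line: {line!r}")
        size = int(m.group(1), 16)
        if size == 0:
            break
        # Chunk data is skipped by length, so CR/LF inside the data is fine.
        if body[pos + size:pos + size + 2] != b"\r\n":
            raise AmbiguousChunking("chunk data not followed by CRLF")
        pos += size + 2
        total += size
    # Trailer section: zero or more field lines, then an empty line.
    while True:
        line, pos = _read_line(body, pos)
        if line == b"":
            return total

# Constructed sample bodies (not captured traffic).
WELL_FORMED = b"5;note=ok\r\nhello\r\n0\r\n\r\n"
BARE_LF_IN_EXT = b"5;note\nxx\r\nhello\r\n0\r\n\r\n"

if __name__ == "__main__":
    print(validate_chunked(WELL_FORMED))
    try:
        validate_chunked(BARE_LF_IN_EXT)
    except AmbiguousChunking as exc:
        print("rejected:", exc)
```

Rejecting the message outright, rather than normalising the line ending, is what keeps the proxy and the backend from disagreeing about where the request ends.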

Solutions

microsoft-asp-net-upgrade-8_0_21
microsoft-asp-net-upgrade-9_0_10
microsoft-kestrel-upgrade-2_3_6
microsoft-asp-net-eol-upgrade-6_0