Microsoft kills 9.9-rated ASP.NET Core bug – ‘our highest ever’ score

Summary

Microsoft has patched a critical vulnerability in ASP.NET Core’s built-in Kestrel web server that received a CVSS score of 9.9 — described by Microsoft security programme manager Barry Dorrans as “our highest ever.” The flaw (CVE-2025-55315) is a request-smuggling issue that can hide an extra HTTP request inside another, potentially allowing authentication bypasses, CSRF circumvention and injection attacks depending on hosting and application logic.

Key Points

  1. CVE-2025-55315 is a request-smuggling vulnerability in Kestrel, rated CVSS 9.9 by Microsoft.
  2. The bug can hide an extra request inside a normal one, which may let attackers perform actions that should be protected by authentication or CSRF checks.
  3. Actual impact varies: reverse proxies or gateways that strip smuggled requests can mitigate risk; vulnerable outcomes depend on how an application handles requests and authentication.
  4. All supported ASP.NET Core versions are affected (8, 9 and the 10 prerelease, plus the older 2.3 line). Patch by updating the .NET SDK or the Kestrel.Core NuGet package (2.3.6); framework-dependent deployments need the server runtime updated, while self-contained apps must be rebuilt and redeployed.
  5. Microsoft reports no known exploitation to date but urges administrators and developers to evaluate their exposure and apply fixes promptly.

Content Summary

The vulnerability exists in the Kestrel web server and enables request smuggling: an attacker can send a specially crafted request that conceals an additional request. That hidden request might perform privileged actions if the application trusts the initial request context or skips checks. Dorrans noted the severity rating reflects a worst-case scenario where a security feature is bypassed and scope is changed, not necessarily the common case for every app.
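The kind of framing check a front proxy can apply to drop ambiguous requests before they reach Kestrel, as an added Python example that is not from the article or from Microsoft: it implements the RFC 7230 rule for conflicting Transfer-Encoding and Content-Length headers and makes no claim about the exact parsing flaw behind CVE-2025-55315. The sample requests are constructed.

```python
"""Flag HTTP/1.1 requests whose message framing is ambiguous.

RFC 7230 section 3.3.3: a message carrying both Transfer-Encoding and
Content-Length, or differing Content-Length values, is malformed and an
intermediary should reject it. This is a generic framing check a front
proxy can apply; it does not model the specific flaw in CVE-2025-55315.
"""
from typing import List, Tuple


def parse_headers(raw: bytes) -> List[Tuple[str, str]]:
    """Split the header block of a raw request into (name, value) pairs."""
    head, _, _ = raw.partition(b"\r\n\r\n")
    pairs = []
    for line in head.split(b"\r\n")[1:]:  # skip the request line
        name, _, value = line.partition(b":")
        pairs.append((name.strip().lower().decode("latin-1"),
                      value.strip().decode("latin-1")))
    return pairs


def framing_verdict(raw: bytes) -> str:
    """Return 'ok', or a 'reject: ...' reason if the framing is ambiguous."""
    headers = parse_headers(raw)
    te = [v for n, v in headers if n == "transfer-encoding"]
    cl = [v for n, v in headers if n == "content-length"]
    if te and cl:
        return "reject: Transfer-Encoding and Content-Length both present"
    if len(set(cl)) > 1:
        return "reject: conflicting Content-Length values"
    if any(not v.isdigit() for v in cl):  # conservative: no lists, no signs
        return "reject: non-numeric Content-Length"
    # Transfer-Encoding may span several header lines; the final coding
    # applied must be chunked or the body length is undefined.
    codings = [c.strip().lower() for v in te for c in v.split(",")]
    if codings and codings[-1] != "chunked":
        return "reject: final Transfer-Encoding is not chunked"
    return "ok"


# Constructed sample requests (not taken from the article).
CLEAN = (b"POST /api/transfer HTTP/1.1\r\nHost: app.example\r\n"
         b"Content-Length: 5\r\n\r\nhello")
AMBIGUOUS = (b"POST /api/transfer HTTP/1.1\r\nHost: app.example\r\n"
             b"Content-Length: 6\r\nTransfer-Encoding: chunked\r\n\r\n"
             b"0\r\n\r\nGET /other HTTP/1.1\r\nHost: app.example\r\n\r\n")
```

A proxy that applies this rule is what point 3 above means by one that "strips smuggled requests"; a proxy that forwards such a request unchanged leaves the decision to Kestrel's parser.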

Microsoft’s guidance: update the .NET SDK or the Kestrel.Core package via NuGet to the patched versions. For framework-dependent deployments, the server runtime must be patched; for self-contained deployments, each app must be rebuilt with the updated runtime. There are no confirmed in-the-wild exploits so far.

Context and Relevance

This is significant for organisations and developers that run ASP.NET Core services — Kestrel is widely used both directly and behind proxies. The story underlines two ongoing trends: (1) critical bugs can be long-standing across multiple framework versions, and (2) CVSS scores can reflect worst-case scenarios, which may cause confusion about real-world impact. System owners must check hosting topology (reverse proxy vs directly exposed Kestrel) and application authentication logic to assess exposure.

Author style

Punchy: This patch matters. If you maintain ASP.NET Core services, treat it like a red alert — test and deploy the updates, and check whether your app logic relies on assumptions that could be abused by a smuggled request.

Why should I read this?

Short version: if you run or host ASP.NET Core apps, you need to know about this so you can patch or confirm you’re safe. We’ve read the detail and pulled out the actions — save yourself the time and get the fixes in place.

Source

Source: https://go.theregister.com/feed/www.theregister.com/2025/10/16/microsoft_aspnet_core_vulnerability/