Microsoft kills 9.9-rated ASP.NET Core bug – ‘our highest ever’ score
Microsoft has patched an ASP.NET Core vulnerability with a CVSS score of 9.9, which security program manager Barry Dorrans said was “our highest ever.” The flaw is in the Kestrel web server component and enables security bypass.
The issue, called request smuggling, enables an extra request to be hidden inside another one, including cases where the first request does not require authentication, but the smuggled one normally would.
Dorrans explained that the smuggled request could perform actions such as logging in as a different user, bypassing cross-site request forgery checks, or performing injection attacks. The risks, he said, depend on how the application is written, and the bad outcomes are not likely “unless your application code is doing something odd and skips a bunch of checks it ought to be making on every request.”
The high CVSS rating for CVE-2025-55315 has caused some confusion. On its own for ASP.NET Core, Dorrans said, the rating would be “nowhere near that high,” but Microsoft scores for the worst case – “a security feature bypass which changes scope.”
Developers asking Dorrans exactly what would constitute vulnerable application code were given noncommittal answers. “Anything that does something with a request could be problematic,” he said, and “an app that does authentication and has access rules based on the authentication may be vulnerable.” He added that this is personal opinion rather than an official statement.
Kestrel is the ASP.NET Core built-in web server and is widely used, sometimes behind a reverse proxy, and sometimes more directly exposed. If a gateway or proxy removes smuggled requests, the application is protected, Dorrans said.
The cautious approach is to patch as soon as possible, but he advised that “only you can evaluate the risks to your application.”
The vulnerability appears to be longstanding and affects all supported versions of ASP.NET Core, including versions 8, 9, and the 10 pre-release, and even ASP.NET Core 2.3, which runs on the Windows-only .NET Framework. Developers can patch the .NET SDK by downloading the latest version, or update to the latest version of the Kestrel.Core package (2.3.6) via the NuGet package manager.
A complication is that many applications are deployed using what is called the framework-dependent model, relying on the .NET environment on the server. In this case, it is the server that must be updated, not the application. This dependency can be bypassed using a self-contained deployment, which includes the runtime files, but every such application must then be updated.
Microsoft’s official report states that the vulnerability is not known to be exploited. ®
READ MORE HERE

