Microsoft disclosed a critical vulnerability (CVE-2025-55315) in ASP.NET Core on October 14, 2025, which carries a CVSS score of 9.9. The flaw arises from improper handling of HTTP requests in the Kestrel server and allows an authenticated attacker to escalate privileges and potentially access sensitive data.
The vulnerability enables HTTP request smuggling, a technique that takes advantage of parsing inconsistencies between front-end proxies and back-end servers. Attackers can send requests with ambiguous headers to trick the system into executing unauthorized actions. The flaw affects all supported ASP.NET Core versions, including 8.0, 9.0, and 10.0 previews, particularly for applications using reverse proxies like NGINX. It poses significant risks to applications reliant on ASP.NET for authentication and authorization. Microsoft recommends immediate patching and code audits for affected applications.
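The summary above describes the general class of problem, ambiguous request framing that a front-end proxy and a back-end server may interpret differently, without giving the details of the Kestrel defect itself. As an added illustration (not code from Microsoft, the advisory, or the article), the check below inspects a raw HTTP/1.1 request head and lists the framing ambiguities an edge proxy should reject rather than forward; the sample request heads are constructed for the example:

```python
import re

# Constructed sample request heads (headers only, no body); they are not
# traffic from any real incident.
SAMPLES = {
    "clean": "POST /api HTTP/1.1\r\nHost: app\r\nContent-Length: 5\r\n\r\n",
    "cl_and_te": "POST /api HTTP/1.1\r\nHost: app\r\nContent-Length: 5\r\n"
                 "Transfer-Encoding: chunked\r\n\r\n",
    "dup_cl": "POST /api HTTP/1.1\r\nHost: app\r\nContent-Length: 5\r\n"
              "Content-Length: 9\r\n\r\n",
    "bad_te": "POST /api HTTP/1.1\r\nHost: app\r\nTransfer-Encoding: chunked, gzip\r\n\r\n",
}

def framing_problems(head: str) -> list[str]:
    """Return the reasons a request head is ambiguous about where its body ends.

    An empty list means the framing is unambiguous under RFC 9112 section 6.
    Each problem is a reason to reject the request at the edge, because two
    parsers may otherwise disagree about the body boundary.
    """
    problems = []
    cl_values, te_values = [], []
    for line in head.split("\r\n")[1:]:
        if not line:
            break  # blank line terminates the header block
        if ":" not in line:
            problems.append("malformed header line: %r" % line)
            continue
        name, value = line.split(":", 1)
        if name != name.strip():
            # Whitespace around the field name is a classic source of
            # disagreement between parsers; treat it as malformed.
            problems.append("whitespace around header name %r" % name)
        name = name.strip().lower()
        if name == "content-length":
            cl_values.append(value.strip())
        elif name == "transfer-encoding":
            te_values.extend(v.strip().lower() for v in value.split(","))
    if cl_values and te_values:
        problems.append("both Content-Length and Transfer-Encoding present")
    if len(set(cl_values)) > 1:
        problems.append("conflicting Content-Length values %s" % cl_values)
    for v in cl_values:
        if not re.fullmatch(r"[0-9]+", v):
            problems.append("non-numeric Content-Length %r" % v)
    if te_values and te_values[-1] != "chunked":
        problems.append("Transfer-Encoding does not end with chunked: %s" % te_values)
    if te_values.count("chunked") > 1:
        problems.append("chunked encoding applied more than once")
    return problems
```

Running `framing_problems` over each entry in `SAMPLES` shows the clean request passing and the other three each producing a distinct rejection reason.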
Read the original: Cyber Security News