About:
CVE-2025-55315 is a critical HTTP request smuggling vulnerability in ASP.NET Core that allows attackers to bypass authentication and security controls through inconsistent header parsing.
RedLegg will occasionally communicate vulnerabilities released outside the usual release schedule to provide additional value to our customers. These emergency bulletins describe vulnerabilities or threats that we classify at the highest severity level and that warrant out-of-band emergency patching or mitigation action.
VULNERABILITIES
ASP.NET Core HTTP Request Smuggling (Security Feature Bypass)
CVSS Score: 9.9 (CVSS v3.1)
Identifier: CVE-2025-55315
Exploit or Proof of Concept (PoC): Yes
Update: The official Microsoft advisory and update guidance are available here
Description:
CVE-2025-55315 is a critical HTTP request smuggling vulnerability in Kestrel, the ASP.NET Core web server. The flaw occurs because Kestrel parses certain HTTP headers differently from the upstream devices (reverse proxies, load balancers, or WAFs) that forward the same requests, so the two components can disagree about where one request ends and the next begins. A malicious actor can use this parsing discrepancy to inject, or "smuggle", a secondary HTTP request that the front-end device never inspected, bypassing authentication, input validation, or other application-layer security features.
Exploitation can lead to data exposure, unauthorized access, cache poisoning, or complete compromise of backend applications, depending on the deployment configuration.
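The parsing discrepancy described above is only exploitable when a request's framing can be read two ways. The following added example, which is not code from RedLegg, Microsoft or ASP.NET Core, shows what a strict framing check at an edge component looks like: it refuses (rather than guesses at) the request shapes that proxies and backends are known to disagree on, such as bare LF line endings, folded or malformed header lines, Content-Length together with Transfer-Encoding, duplicate or non-numeric Content-Length values, any Transfer-Encoding other than exactly "chunked", and malformed chunk-size lines. The stricter-than-RFC choices (single "chunked" coding only, no chunk trailers, no whitespace before chunk extensions) are this example's own policy, and every sample request in it is constructed.

```python
"""Strict HTTP/1.1 request framing check for an edge component (added example).

Accepted requests come back as a normalised (request_line, headers, body)
tuple; anything whose framing could be read differently by two parsers
raises AmbiguousRequest. All sample requests below are constructed.
"""
import re
from typing import List, Tuple

HEADER_NAME = re.compile(r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")   # RFC 9110 token
CHUNK_SIZE = re.compile(r"[0-9A-Fa-f]{1,8}")                 # hex size, no padding


class AmbiguousRequest(ValueError):
    """Raised for any request the edge should refuse rather than guess at."""


def _parse_head(head: bytes) -> Tuple[str, List[Tuple[str, str]]]:
    # A bare LF anywhere in the head is a classic parser-disagreement point.
    if b"\n" in head.replace(b"\r\n", b""):
        raise AmbiguousRequest("bare LF in request head")
    try:
        lines = head.decode("ascii").split("\r\n")
    except UnicodeDecodeError:
        raise AmbiguousRequest("non-ASCII byte in request head") from None
    headers: List[Tuple[str, str]] = []
    for line in lines[1:]:
        if line[:1] in (" ", "\t"):
            raise AmbiguousRequest("obsolete header line folding")
        name, sep, value = line.partition(":")
        # Rejects whitespace before the colon and other non-token names.
        if not sep or not HEADER_NAME.fullmatch(name):
            raise AmbiguousRequest(f"malformed header line: {line!r}")
        headers.append((name.lower(), value.strip(" \t")))
    return lines[0], headers


def _body_length(headers: List[Tuple[str, str]]) -> Tuple[str, int]:
    cl = [v for n, v in headers if n == "content-length"]
    te = [v for n, v in headers if n == "transfer-encoding"]
    if cl and te:
        raise AmbiguousRequest("Content-Length and Transfer-Encoding both present")
    if te:
        codings = [c.strip().lower() for v in te for c in v.split(",")]
        # Example policy: accept a single, exact "chunked" coding and nothing else.
        if codings != ["chunked"]:
            raise AmbiguousRequest(f"unsupported Transfer-Encoding: {te}")
        return "chunked", -1
    if cl:
        if len(set(cl)) != 1 or not cl[0].isdigit():
            raise AmbiguousRequest(f"conflicting or non-numeric Content-Length: {cl}")
        return "content-length", int(cl[0])
    return "none", 0


def _dechunk(body: bytes) -> bytes:
    """Decode a chunked body, refusing every size line that is not plain hex."""
    out = bytearray()
    pos = 0
    while True:
        end = body.find(b"\r\n", pos)
        if end < 0:
            raise AmbiguousRequest("chunk-size line not CRLF terminated")
        size_line = body[pos:end].decode("ascii", "replace")
        size_text = size_line.split(";", 1)[0]      # drop chunk extensions
        if not CHUNK_SIZE.fullmatch(size_text):
            raise AmbiguousRequest(f"malformed chunk size: {size_line!r}")
        size = int(size_text, 16)
        pos = end + 2
        if size == 0:
            # Last chunk: only the final CRLF may follow (trailers are refused).
            if body[pos:] != b"\r\n":
                raise AmbiguousRequest("data after last chunk")
            return bytes(out)
        chunk = body[pos:pos + size]
        if len(chunk) != size or body[pos + size:pos + size + 2] != b"\r\n":
            raise AmbiguousRequest("chunk data not followed by CRLF")
        out += chunk
        pos += size + 2


def validate_request(raw: bytes) -> Tuple[str, List[Tuple[str, str]], bytes]:
    """Validate one buffered request; leftover bytes after the body are refused."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise AmbiguousRequest("request head not terminated by CRLFCRLF")
    request_line, headers = _parse_head(head)
    kind, length = _body_length(headers)
    if kind == "chunked":
        body = _dechunk(body)
    elif len(body) != length:
        raise AmbiguousRequest(f"body is {len(body)} bytes, Content-Length says {length}")
    return request_line, headers, body


def is_ambiguous(raw: bytes) -> bool:
    """True if the edge would refuse this request."""
    try:
        validate_request(raw)
    except AmbiguousRequest:
        return True
    return False


if __name__ == "__main__":
    # Constructed samples: one clean request, one with conflicting framing.
    clean = b"POST /login HTTP/1.1\r\nHost: app.example\r\nContent-Length: 5\r\n\r\nhello"
    conflicting = (b"POST /login HTTP/1.1\r\nHost: app.example\r\nContent-Length: 5\r\n"
                   b"Transfer-Encoding: chunked\r\n\r\n0\r\n\r\n")
    print("clean:", validate_request(clean))
    print("conflicting refused:", is_ambiguous(conflicting))
```

The check deliberately operates on a single buffered request and treats any bytes left over after the declared body as a defect; a streaming edge would instead read exactly the declared length and leave the remainder for the next request on the connection.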
Mitigation Recommendation:
Apply the Microsoft updates immediately for all affected .NET and ASP.NET Core versions as detailed in the official advisory. Rebuild and redeploy affected applications after updating.
Ensure that front-end proxies, load balancers, and Kestrel servers are configured with consistent HTTP protocol versions and header-handling rules. Avoid mixed usage of HTTP/1.1 and HTTP/2 without proper normalization.
Implement strict HTTP request validation at the edge. Reject ambiguous or malformed requests, and remove duplicate or conflicting framing headers, such as repeated "Content-Length" values or "Content-Length" combined with "Transfer-Encoding", before forwarding.
Limit request sizes, enforce strict timeout and connection re-use policies, and use HTTP/2 or HTTP/3 where appropriate to reduce smuggling exposure.
Monitor server and proxy logs for anomalies such as multiple responses per request, unexpected session continuation, or mismatched request counts between edge and backend servers.
Upgrade or replace unsupported .NET runtimes with actively supported versions and retest all web applications after patching.
Apply additional web application firewall (WAF) rules to detect and block suspicious or malformed HTTP traffic indicative of request smuggling behavior.
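The monitoring recommendation above (mismatched request counts between edge and backend) can be reconciled from logs. The following added example, not code from RedLegg or any proxy or server vendor, compares per-connection request counts from an edge log and a backend log and flags connections where the backend served more requests than the edge forwarded, or served a request the edge never saw on that connection. It assumes both tiers log one line per request carrying the same upstream connection identifier (written here as conn=<id>); the log format, field names and every log line are constructed for the example.

```python
"""Edge-vs-backend request reconciliation from logs (added example).

Assumed (constructed) log format for both tiers, one line per request:
    <timestamp> conn=<upstream connection id> <METHOD> <path> <status>
"""
import re
from collections import Counter, defaultdict
from typing import Dict, List, Set, Tuple

LINE = re.compile(
    r"^(?P<ts>\S+) conn=(?P<conn>\S+) (?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3})$"
)

# Constructed sample: the edge forwarded two requests on conn c2 ...
EDGE_LOG = [
    "2025-01-15T10:00:01Z conn=c1 POST /login 200",
    "2025-01-15T10:00:02Z conn=c2 POST /api/upload 200",
    "2025-01-15T10:00:03Z conn=c2 GET /home 200",
]
# ... but the backend served three, including one the edge never logged.
BACKEND_LOG = [
    "2025-01-15T10:00:01Z conn=c1 POST /login 200",
    "2025-01-15T10:00:02Z conn=c2 POST /api/upload 200",
    "2025-01-15T10:00:02Z conn=c2 GET /internal/status 200",
    "2025-01-15T10:00:03Z conn=c2 GET /home 200",
]


def parse_log(lines: List[str]) -> List[Dict[str, str]]:
    """Parse matching lines into dicts; lines in another format are skipped."""
    records = []
    for line in lines:
        m = LINE.match(line.strip())
        if m:
            records.append(m.groupdict())
    return records


def reconcile(edge_lines: List[str], backend_lines: List[str]) -> List[Dict[str, object]]:
    """Return findings where the backend saw more, or different, requests than the edge."""
    edge = parse_log(edge_lines)
    backend = parse_log(backend_lines)
    edge_count = Counter(r["conn"] for r in edge)
    back_count = Counter(r["conn"] for r in backend)
    edge_seen: Dict[str, Set[Tuple[str, str]]] = defaultdict(set)
    for r in edge:
        edge_seen[r["conn"]].add((r["method"], r["path"]))

    findings: List[Dict[str, object]] = []
    # 1. Per-connection count mismatch: backend served requests the edge did not forward.
    for conn in sorted(set(edge_count) | set(back_count)):
        e, b = edge_count[conn], back_count[conn]
        if b > e:
            findings.append({"type": "extra_backend_requests", "conn": conn,
                             "edge": e, "backend": b})
    # 2. A specific backend request with no counterpart on the same edge connection.
    for r in backend:
        if (r["method"], r["path"]) not in edge_seen[r["conn"]]:
            findings.append({"type": "unforwarded_request", "conn": r["conn"],
                             "request": f"{r['method']} {r['path']}", "ts": r["ts"]})
    return findings


if __name__ == "__main__":
    for finding in reconcile(EDGE_LOG, BACKEND_LOG):
        print(finding)
```

Correlating on a shared connection identifier is what makes the comparison meaningful; if the edge and backend do not log a common identifier, the fallback is to compare request counts per backend connection over short time windows, which is noisier but still surfaces the count mismatch the bulletin describes.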