CVE-2025-55315: 
C# 脆弱性の分析と軽減

CVE-2025-55315 is a critical security vulnerability in ASP.NET Core that involves HTTP request/response smuggling. The vulnerability was discovered and disclosed on October 14, 2025, affecting multiple versions of ASP.NET Core, including versions 8.0.0-8.0.20, 9.0.0-9.0.9, and 10.0.0-rc2. Microsoft assigned it their highest-ever CVSS score of 9.9, indicating its severe nature (Andrew Lock Blog, NVD).

The vulnerability stems from inconsistent interpretation of HTTP requests, specifically in how chunk extensions in Transfer-Encoding: chunked requests are handled. The issue occurs when there's an invalid line ending in a chunk extension header, where ASP.NET Core's Kestrel server processes these requests differently than proxy servers, leading to request smuggling opportunities. The vulnerability is classified as CWE-444 (Inconsistent Interpretation of HTTP Requests) and received a CVSS v3.1 score of 9.9 (Critical) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L (NVD, Andrew Lock Blog).

The vulnerability allows an authorized attacker to bypass security features over a network, potentially leading to multiple severe consequences. These include the ability to bypass CSRF checks, perform injection attacks, make internal requests (SSRF), login as different users, and exfiltrate authentication credentials or other sensitive data from client requests. The impact is particularly severe in applications that handle authentication or process sensitive user data (Andrew Lock Blog).

Microsoft has released patches for all supported versions of ASP.NET Core. Users should update to .NET 8.0.21, .NET 9.0.10, or .NET 10.0.0-rc2 or later versions. For ASP.NET Core 2.3 on .NET Framework, users should update to Microsoft.AspNetCore.Server.Kestrel.Core version 2.3.6. Applications running on Azure App Services are protected by their proxy layer, even without updates. For systems that cannot be immediately updated, using HTTP/2 or HTTP/3 protocols can provide protection as they don't support chunked transfer encoding (Andrew Lock Blog).