Wiz
Vulnerability DatabaseCVE-2025-55315

CVE-2025-55315
C# vulnerability analysis and mitigation

Overview

CVE-2025-55315 is a critical security vulnerability in ASP.NET Core that involves HTTP request/response smuggling. The vulnerability was discovered and disclosed on October 14, 2025, affecting multiple versions of ASP.NET Core, including versions 8.0.0-8.0.20, 9.0.0-9.0.9, and 10.0.0-rc2. Microsoft assigned it their highest-ever CVSS score of 9.9, indicating its severe nature (Andrew Lock Blog, NVD).

Technical details

The vulnerability stems from inconsistent interpretation of HTTP requests, specifically in how chunk extensions in Transfer-Encoding: chunked requests are handled. The issue occurs when there's an invalid line ending in a chunk extension header, where ASP.NET Core's Kestrel server processes these requests differently than proxy servers, leading to request smuggling opportunities. The vulnerability is classified as CWE-444 (Inconsistent Interpretation of HTTP Requests) and received a CVSS v3.1 score of 9.9 (Critical) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L (NVD, Andrew Lock Blog).

Impact

The vulnerability allows an authorized attacker to bypass security features over a network, potentially leading to multiple severe consequences. These include the ability to bypass CSRF checks, perform injection attacks, make internal requests (SSRF), login as different users, and exfiltrate authentication credentials or other sensitive data from client requests. The impact is particularly severe in applications that handle authentication or process sensitive user data (Andrew Lock Blog).

Mitigation and workarounds

Microsoft has released patches for all supported versions of ASP.NET Core. Users should update to .NET 8.0.21, .NET 9.0.10, or .NET 10.0.0-rc2 or later versions. For ASP.NET Core 2.3 on .NET Framework, users should update to Microsoft.AspNetCore.Server.Kestrel.Core version 2.3.6. Applications running on Azure App Services are protected by their proxy layer, even without updates. For systems that cannot be immediately updated, using HTTP/2 or HTTP/3 protocols can provide protection as they don't support chunked transfer encoding (Andrew Lock Blog).

Additional resources

SourceThis report was generated using AI

Related C# vulnerabilities:

CVE ID

Severity

Score

Technologies

Component name

CISA KEV exploit

Has fix

Published date

CVE-2025-64095CRITICAL9.8
  • C#C#
  • DNN.PLATFORM
NoYesOct 28, 2025
CVE-2025-62594MEDIUM5.5
  • C#C#
  • Magick.NET-Q8-OpenMP-x64
NoYesOct 27, 2025
CVE-2025-64094MEDIUM5.4
  • C#C#
  • DotNetNuke.Core
NoYesOct 28, 2025
CVE-2025-65955MEDIUM4.9
  • C#C#
  • ImageMagick-perl
NoYesDec 02, 2025
CVE-2025-62802MEDIUM4.3
  • C#C#
  • Dnn.Platform
NoYesOct 28, 2025

Free Vulnerability Assessment

Benchmark your Cloud Security Posture

Evaluate your cloud security practices across 9 security domains to benchmark your risk level and identify gaps in your defenses.

Request assessment

Additional Wiz resources

Cloud Vulnerability DB

Cloud Vulnerability DB

A community-led vulnerabilities database

Cloud Threat Landscape

Cloud Threat Landscape

A threat intelligence database

PEACH

PEACH

A tenant isolation framework

Get a personalized demo

Ready to see Wiz in action?

"Best User Experience I have ever seen, provides full visibility to cloud workloads."
David EstlickCISO
"Wiz provides a single pane of glass to see what is going on in our cloud environments."
Adam FletcherChief Security Officer
"We know that if Wiz identifies something as critical, it actually is."
Greg PoniatowskiHead of Threat and Vulnerability Management
Get a demo