CVE-2025-55315
ASP.NET Security Feature Bypass Vulnerability
In short
ASP.NET Core has a flaw that lets an authorized attacker send specially crafted HTTP requests to trick the server into processing malicious data that should have been blocked, bypassing built-in security protections.
Technical detail
This is an HTTP request smuggling vulnerability in ASP.NET Core, caused by inconsistent interpretation of HTTP requests between the application and intermediate components. An authorized attacker can exploit it to bypass security features; the attack requires network access but no elevated privileges beyond basic authorization.
Summary generated and translated by AI from the official description.
Inconsistent interpretation of http requests ('http request/response smuggling') in ASP.NET Core allows an authorized attacker to bypass a security feature over a network.
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L/E:U/RL:O/RC:C
Affected products
Microsoft · ASP.NET Core 2.3
Microsoft · ASP.NET Core 8.0
Microsoft · ASP.NET Core 9.0
Microsoft · Microsoft Visual Studio 2022 version 17.10
Microsoft · Microsoft Visual Studio 2022 version 17.12
Microsoft · Microsoft Visual Studio 2022 version 17.14
Public PoCs found — 6
github · github.com/sirredbeard/CVE-2025-55315-repro · ★ 47
github · github.com/ZemarKhos/CVE-2025-55315-PoC-Exploit · ★ 8
github · github.com/MartinFabianIonut/CVE-2025-55315 · ★ 1
github · github.com/NetVanguard-cmd/CVE-2025-55315 · ★ 0
cve_reference · gist.github.com/N3mes1s/d0897c13ca199e739ecc2b562f466040 · unverified
exploitdb · www.exploit-db.com/exploits/52492 · unverified
⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.