
‘Highest Ever’ Severity Score Assigned by Microsoft to ASP.NET Core Vulnerability

CVE-2025-55315 is an HTTP request smuggling bug leading to information leaks, file content tampering, and server crashes. The post ‘Highest Ever’ Severity Score Assigned by Microsoft to ASP.NET Core Vulnerability appeared first on SecurityWeek.

Microsoft’s October Patch Tuesday updates addressed a critical-severity vulnerability in the ASP.NET Core open source web development framework.

Tracked as CVE-2025-55315, the flaw has a CVSS score of 9.9, which .NET security program manager Barry Dorrans says was the “highest ever” for an ASP.NET Core issue.

The issue is described as an HTTP request smuggling bug that could be used to bypass a security feature over the network. It was discovered in Kestrel, ASP.NET Core’s built-in web server.

Essentially, the security defect allows attackers to trigger various application behaviors by hiding an HTTP request in another request.

“An attacker who successfully exploited this vulnerability could smuggle another HTTP request and bypass front-end security controls or hijack other users’ credentials,” Microsoft explains.

The tech giant says the vulnerability can be exploited to leak sensitive information such as user credentials, tamper with file contents, or cause a denial-of-service (DoS) condition by forcing a crash within the server.

“In this case, the vulnerable component and the impacted component are different and managed by different security authorities,” Microsoft notes.

According to Dorrans, while the issue was identified in ASP.NET Core, its actual impact differs based on how the applications have been built.

Attackers, Dorrans explains, can exploit the flaw to log in as another user, make internal requests, bypass CSRF checks, and perform injection attacks.

Software that takes actions based on incoming requests could be affected. Applications that only append to logs and do not handle authentication may miss log entries, while those that perform authentication based on specific rules may be targeted for elevation of privilege.

“Thus, we score with the worst possible case in mind, a security feature bypass which changes scope. Is that likely? No, probably not unless your application code is doing something odd and skips a bunch of checks that it ought to be making on every request,” Dorrans says.

Microsoft addressed the vulnerability with updates for Microsoft Visual Studio 2022 versions 17.14, 17.12, and 17.10, and for ASP.NET Core versions 2.3, 8.0, 9.0, and 10.0 RC1. It also released Microsoft.AspNetCore.Server.Kestrel.Core version 2.3.6 with fixes for the bug.
