CVE-2025-55315

Inconsistent Interpretation of HTTP Requests
Affects
ASP.NET Core Runtime, Microsoft.AspNetCore.Server.Kestrel.Core
in
.NET
Versions
ASP.NET Core: >= 6.0.0 <= 6.0.36; >= 8.0.0 <= 8.0.20; >= 9.0.0 <= 9.0.9; <= 10.0.0-rc.1
Microsoft.AspNetCore.Server.Kestrel.Core: <= 2.3.0
Patch Available

This Vulnerability has been fixed in the Never-Ending Support (NES) version offered by HeroDevs.

Overview

.NET is a free, open-source, cross-platform framework for building modern apps and powerful cloud services. It consists of a runtime and a developer platform made up of tools, programming languages, and libraries for building many different types of applications. ASP.NET Core extends the .NET developer platform with tools and libraries specifically for building web apps. ASP.NET Core is the open-source version of ASP.NET that runs on macOS, Linux, and Windows. ASP.NET Core was first released in 2016 and is a re-design of earlier Windows-only versions of ASP.NET.

CVE-2025-55315 is a vulnerability that involves inconsistent interpretation of HTTP requests in ASP.NET Core and Microsoft.AspNetCore.Server.Kestrel.Core, enabling a sophisticated attack known as HTTP Request Smuggling. While HTTP Request Smuggling against ASP.NET Core itself is a moderate-level threat, Microsoft's high 9.9 CVSS score reflects a deeper concern: the potential impact on applications built on top of ASP.NET Core. Depending on the application, request smuggling could lead to user spoofing (allowing escalation of privilege), server-side request forgery, bypassing cross-site request forgery protections, and injection attacks.

Per MITRE, CWE-444 — Inconsistent Interpretation of HTTP Requests (HTTP Request/Response Smuggling) occurs when intermediary HTTP agents—such as load balancers, proxies, or firewalls—parse malformed or ambiguous HTTP messages differently than the end client or server. This mismatch, often caused by conflicting headers like Transfer-Encoding and Content-Length or outdated protocol handling, allows attackers to “smuggle” hidden requests past intermediaries. These smuggled messages can then be used to inject or alter content presented under a trusted domain, similar to OWASP’s description of content spoofing or virtual defacement. In essence, inconsistent HTTP parsing enables attackers to manipulate how requests are interpreted, highlighting the need for strict request validation and consistent protocol enforcement across all HTTP components.
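The mismatch described above arises when one HTTP component tolerates framing that another rejects or reads differently. The following Python check is an added example written for this page, not code from the advisory, Microsoft, or the Kestrel project. It inspects a raw HTTP/1.1 request head and reports the framing ambiguities that RFC 9112 tells servers to reject: Transfer-Encoding and Content-Length present together, repeated or non-decimal Content-Length values, a Transfer-Encoding list that does not end in chunked, unrecognised transfer codings, whitespace between a field name and its colon, and obsolete line folding. The sample requests are constructed for the demonstration and carry no bodies, since only framing is examined.

```python
import re

# A Content-Length value must be a plain run of ASCII digits (RFC 9112 section 6.2).
CONTENT_LENGTH_RE = re.compile(rb"^[0-9]+$")

# Transfer codings a server can reasonably be expected to understand (RFC 9112 section 7).
KNOWN_CODINGS = {b"chunked", b"gzip", b"x-gzip", b"deflate", b"compress", b"x-compress"}


def parse_head(raw: bytes):
    """Split a request head into (request_line, [(lowercased name, value)], findings).

    Structural oddities that a lenient parser might quietly normalise are reported
    as findings instead, because silent normalisation is what makes two parsers disagree.
    """
    head, _sep, _body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    request_line, header_lines = lines[0], lines[1:]
    headers, findings = [], []
    for line in header_lines:
        if line[:1] in (b" ", b"\t"):
            findings.append("obsolete line folding (obs-fold) in header block")
            continue
        name, colon, value = line.partition(b":")
        if not colon:
            findings.append(f"header line without a colon: {line!r}")
            continue
        if name != name.strip() or re.search(rb"[ \t]", name):
            # RFC 9112 section 5.1: whitespace between field name and colon must be rejected.
            findings.append(f"whitespace in or after header field name: {name!r}")
        headers.append((name.strip().lower(), value.strip()))
    return request_line, headers, findings


def ambiguous_framing(raw: bytes) -> list[str]:
    """Return the reasons this request's message framing is ambiguous (empty list = accept)."""
    _request_line, headers, findings = parse_head(raw)
    content_lengths = [v for n, v in headers if n == b"content-length"]
    transfer_encodings = [v for n, v in headers if n == b"transfer-encoding"]

    if content_lengths and transfer_encodings:
        # RFC 9112 section 6.3: both present is a request smuggling risk; reject.
        findings.append("both Transfer-Encoding and Content-Length present")
    if len(set(content_lengths)) > 1:
        findings.append("multiple Content-Length values disagree")
    elif len(content_lengths) > 1:
        findings.append("Content-Length header repeated")
    for v in content_lengths:
        if not CONTENT_LENGTH_RE.match(v):
            findings.append(f"Content-Length is not a plain decimal integer: {v!r}")

    if transfer_encodings:
        codings = [c.strip().lower() for v in transfer_encodings for c in v.split(b",")]
        if codings[-1] != b"chunked":
            findings.append("Transfer-Encoding does not end with chunked")
        if codings.count(b"chunked") > 1:
            findings.append("chunked transfer coding applied more than once")
        for c in codings:
            if c not in KNOWN_CODINGS:
                findings.append(f"unrecognised transfer coding: {c!r}")
    return findings


# Constructed request heads for the demonstration (not captured traffic); bodies omitted.
SAMPLES = {
    "plain": b"POST /api/items HTTP/1.1\r\nHost: app.example\r\nContent-Length: 5\r\n\r\n",
    "te_and_cl": (b"POST /api/items HTTP/1.1\r\nHost: app.example\r\n"
                  b"Content-Length: 5\r\nTransfer-Encoding: chunked\r\n\r\n"),
    "dup_cl": (b"POST /api/items HTTP/1.1\r\nHost: app.example\r\n"
               b"Content-Length: 5\r\nContent-Length: 6\r\n\r\n"),
    "space_before_colon": b"POST /api/items HTTP/1.1\r\nHost: app.example\r\nTransfer-Encoding : chunked\r\n\r\n",
    "signed_cl": b"POST /api/items HTTP/1.1\r\nHost: app.example\r\nContent-Length: +5\r\n\r\n",
    "te_not_last_chunked": b"POST /api/items HTTP/1.1\r\nHost: app.example\r\nTransfer-Encoding: chunked, gzip\r\n\r\n",
}


def scan_samples() -> dict[str, list[str]]:
    """Run the framing check over every constructed sample."""
    return {name: ambiguous_framing(raw) for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, findings in scan_samples().items():
        print(f"{name}: {'accept' if not findings else 'reject: ' + '; '.join(findings)}")
```

The useful property of this check is that it is strict in the same way at every hop: a reverse proxy, WAF or gateway that rejects each of these conditions with a 400 and closes the connection never hands Kestrel a request whose framing it has already interpreted, which is the consistent protocol enforcement the CWE description calls for.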

This issue affects ASP.NET Core 6.0.0 through 6.0.36, 8.0.0 through 8.0.20, 9.0.0 through 9.0.9, and Microsoft.AspNetCore.Server.Kestrel.Core 2.3.0 and earlier.

Additionally, if you've deployed self-contained .NET applications targeting any of the impacted versions, these applications are also vulnerable and must be recompiled and redeployed.
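To find framework-dependent deployments that still run an affected shared framework, the installed ASP.NET Core runtimes can be compared against the ranges listed in this advisory. The script below is an added example, not part of the advisory or of any Microsoft tooling; it parses the output of `dotnet --list-runtimes` and flags `Microsoft.AspNetCore.App` versions inside the affected ranges (6.0.0 to 6.0.36, 8.0.0 to 8.0.20, 9.0.0 to 9.0.9, and 10.0.0 builds up to rc.1). One assumption is labelled in the code: 10.0.0 preview builds, which sort below rc.1, are counted as affected. The sample runtime listing is constructed for the demonstration.

```python
import re

# Affected ASP.NET Core ranges from this advisory, keyed by major version:
# (lowest patch, highest patch) on the x.0.y line, both inclusive.
AFFECTED_PATCH_RANGES = {
    6: (0, 36),   # 6.0.0 .. 6.0.36 (EOL upstream; fixed in NES for .NET 6.0.39)
    8: (0, 20),   # 8.0.0 .. 8.0.20
    9: (0, 9),    # 9.0.0 .. 9.0.9
}

# major.minor.patch with an optional prerelease tag such as rc.1.25451.107
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.]+))?$")

# One line of `dotnet --list-runtimes` looks like:
#   Microsoft.AspNetCore.App 8.0.20 [/usr/share/dotnet/shared/Microsoft.AspNetCore.App]
RUNTIME_LINE_RE = re.compile(r"^(?P<name>\S+)\s+(?P<version>\S+)\s+\[(?P<path>[^\]]*)\]\s*$")


def is_affected(version: str) -> bool:
    """True if an ASP.NET Core shared-framework version falls in the advisory's affected ranges."""
    m = VERSION_RE.match(version)
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    major, minor, patch, prerelease = int(m[1]), int(m[2]), int(m[3]), m[4]
    if prerelease:
        # Advisory lists "<= 10.0.0-rc.1". Assumption: earlier 10.0.0 preview builds sort
        # below rc.1 and are therefore counted as affected as well.
        return (major, minor, patch) == (10, 0, 0) and (
            prerelease.startswith("preview.") or prerelease.startswith("rc.1")
        )
    if major in AFFECTED_PATCH_RANGES and minor == 0:
        lo, hi = AFFECTED_PATCH_RANGES[major]
        return lo <= patch <= hi
    return False


def affected_runtimes(list_runtimes_output: str) -> list[str]:
    """Return the installed Microsoft.AspNetCore.App versions that are affected."""
    hits = []
    for line in list_runtimes_output.splitlines():
        m = RUNTIME_LINE_RE.match(line.strip())
        if not m or m["name"] != "Microsoft.AspNetCore.App":
            continue  # Microsoft.NETCore.App and others are not the component in scope
        if is_affected(m["version"]):
            hits.append(m["version"])
    return hits


# Constructed sample listing, not captured from a real machine.
SAMPLE_LIST_RUNTIMES = """\
Microsoft.AspNetCore.App 6.0.36 [/usr/share/dotnet/shared/Microsoft.AspNetCore.App]
Microsoft.AspNetCore.App 8.0.20 [/usr/share/dotnet/shared/Microsoft.AspNetCore.App]
Microsoft.AspNetCore.App 8.0.21 [/usr/share/dotnet/shared/Microsoft.AspNetCore.App]
Microsoft.AspNetCore.App 10.0.0-rc.1.25451.107 [/usr/share/dotnet/shared/Microsoft.AspNetCore.App]
Microsoft.NETCore.App 8.0.20 [/usr/share/dotnet/shared/Microsoft.NETCore.App]
"""

if __name__ == "__main__":
    # Real use: dotnet --list-runtimes | python3 check_aspnet_runtimes.py
    import sys
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LIST_RUNTIMES
    for v in affected_runtimes(text):
        print(f"affected: Microsoft.AspNetCore.App {v}")
```

Self-contained applications bundle their own copy of the runtime and do not appear in `dotnet --list-runtimes`, which is why the advisory says they must be recompiled and redeployed rather than patched through the shared framework; inventory those from the build pipeline instead.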

Details

Module Info

  • Product: 
    • Any ASP.NET 6.0 application running on .NET 6.0.36 or earlier.
    • Any ASP.NET 8.0 application running on .NET 8.0.20 or earlier.
    • Any ASP.NET 9.0 application running on ASP.NET 9.0.9 or earlier.
    • Any ASP.NET 10.0 application running on ASP.NET 10.0.0-rc.1.25451.107 or earlier.
    • Any .NET application consuming the package Microsoft.AspNetCore.Server.Kestrel.Core version 2.3.0 or earlier.
  • Affected packages: 
    • Microsoft.AspNetCore.App.Runtime.linux-arm
    • Microsoft.AspNetCore.App.Runtime.linux-arm64
    • Microsoft.AspNetCore.App.Runtime.linux-musl-arm
    • Microsoft.AspNetCore.App.Runtime.linux-musl-arm64
    • Microsoft.AspNetCore.App.Runtime.linux-musl-x64
    • Microsoft.AspNetCore.App.Runtime.linux-x64
    • Microsoft.AspNetCore.App.Runtime.osx-arm64
    • Microsoft.AspNetCore.App.Runtime.osx-x64
    • Microsoft.AspNetCore.App.Runtime.win-arm
    • Microsoft.AspNetCore.App.Runtime.win-arm64
    • Microsoft.AspNetCore.App.Runtime.win-x64
    • Microsoft.AspNetCore.App.Runtime.win-x86
    • Microsoft.AspNetCore.Server.Kestrel.Core
  • Affected versions: 
    • ASP.NET Core:
      • >= 6.0.0 <= 6.0.36
      • >= 8.0.0 <= 8.0.20
      • >= 9.0.0 <= 9.0.9
      • <= 10.0.0-rc.1
    • Microsoft.AspNetCore.Server.Kestrel.Core
      • <= 2.3.0
  • GitHub repository: 
  • Published packages: Download .NET (Linux, macOS, and Windows)
  • Package manager: 
    • NuGet
    • Windows Installer
    • Docker
  • Fixed in: NES for .NET v6.0.39

Credits

  • Sid

Mitigation

ASP.NET 6.x is End-of-Life and will not receive any updates to address this issue. For more information, see the .NET and .NET Core official support policy.

Users of the affected components should apply one of the following mitigations:

  • Upgrade affected applications to one of:
    • ASP.NET Runtime >= 8.0.21
    • ASP.NET Runtime >= 9.0.9
    • ASP.NET Runtime >= 10.0.0-rc.2
    • .NET SDK >= 8.0.318
    • .NET SDK >= 9.0.111
    • .NET SDK >= 10.0.100-rc.2
    • Microsoft.AspNetCore.Server.Kestrel.Core >= 2.3.6
  • Leverage a commercial support partner like HeroDevs for post-EOL security support.

Vulnerability Details

ID: CVE-2025-55315
Project affected: ASP.NET Core Runtime, Microsoft.AspNetCore.Server.Kestrel.Core
Versions affected:
  ASP.NET Core: >= 6.0.0 <= 6.0.36; >= 8.0.0 <= 8.0.20; >= 9.0.0 <= 9.0.9; <= 10.0.0-rc.1
  Microsoft.AspNetCore.Server.Kestrel.Core: <= 2.3.0
Published date: October 17, 2025
≈ Fix date: October 17, 2025
Fixed in:
Severity: Critical (CVSS >= 8 < 10)
Category: Inconsistent Interpretation of HTTP Requests