CVE-2025-24070

Weak Authentication
Affects: ASP.NET Core Runtime; Microsoft.AspNetCore.Identity (in .NET)
Affected versions: ASP.NET Core >= 6.0.0 <= 6.0.36, >= 8.0.0 <= 8.0.13, >= 9.0.0 <= 9.0.2; Microsoft.AspNetCore.Identity <= 2.3.0
Patch Available

This Vulnerability has been fixed in the Never-Ending Support (NES) version offered by HeroDevs

Overview

.NET is a free, open-source, cross-platform framework for building modern apps and powerful cloud services. It consists of a runtime and a developer platform made up of tools, programming languages, and libraries for building many different types of applications. ASP.NET Core extends the .NET developer platform with tools and libraries specifically for building web apps. ASP.NET Core is the open-source version of ASP.NET that runs on macOS, Linux, and Windows. ASP.NET Core was first released in 2016 and is a redesign of earlier Windows-only versions of ASP.NET.

A vulnerability (CVE-2025-24070) exists in applications using ASP.NET Core and the Microsoft.AspNetCore.Identity NuGet package when RefreshSignInAsync is called with an improperly authenticated user parameter; this could allow an attacker to sign into another user's account, resulting in elevation of privilege.

CWE-1390 (Weak Authentication) defines this weakness as a product using an authentication mechanism to restrict access to specific users or identities, where the mechanism does not sufficiently prove that the claimed identity is correct.

This issue affects ASP.NET Core 6.0.0 through 6.0.36, 8.0.0 through 8.0.13, 9.0.0 through 9.0.2, and Microsoft.AspNetCore.Identity 2.3.0 and earlier.

Additionally, if you've deployed self-contained applications targeting any of the impacted versions, these applications are also vulnerable and must be recompiled and redeployed.

Details

Module Info

  • Product: any of the following:
    • Any ASP.NET Core 6.0 application running on ASP.NET Core 6.0.36 or earlier.
    • Any ASP.NET Core 8.0 application running on ASP.NET Core 8.0.13 or earlier.
    • Any ASP.NET Core 9.0 application running on ASP.NET Core 9.0.2 or earlier.
    • Any .NET application consuming the package Microsoft.AspNetCore.Identity version 2.3.0 or earlier.
  • Affected packages: 
    • Microsoft.AspNetCore.App.Runtime.linux-arm
    • Microsoft.AspNetCore.App.Runtime.linux-arm64
    • Microsoft.AspNetCore.App.Runtime.linux-musl-arm
    • Microsoft.AspNetCore.App.Runtime.linux-musl-arm64
    • Microsoft.AspNetCore.App.Runtime.linux-musl-x64
    • Microsoft.AspNetCore.App.Runtime.linux-x64
    • Microsoft.AspNetCore.App.Runtime.osx-arm64
    • Microsoft.AspNetCore.App.Runtime.osx-x64
    • Microsoft.AspNetCore.App.Runtime.win-arm
    • Microsoft.AspNetCore.App.Runtime.win-arm64
    • Microsoft.AspNetCore.App.Runtime.win-x64
    • Microsoft.AspNetCore.App.Runtime.win-x86
    • Microsoft.AspNetCore.Identity
  • Affected versions: 
    • ASP.NET Core:
      • >= 6.0.0 <= 6.0.36
      • >= 8.0.0 <= 8.0.13
      • >= 9.0.0 <= 9.0.2
    • Microsoft.AspNetCore.Identity:
      • <= 2.3.0
  • GitHub repository: 
  • Published packages: Download .NET (Linux, macOS, and Windows)
  • Package manager: 
    • Nuget
    • Windows Installer
    • Docker
  • Fixed in: .NET - Never-Ending Support (NES) | HeroDevs v6.1.0

Vulnerability Info

This High-severity vulnerability is found in the Identity components within the ASP.NET Core Runtime. The core issue lies in the RefreshSignInAsync method, where it could refresh a user's sign-in session without adequately verifying that the session belonged to the same user. This created a scenario where an attacker could potentially hijack an authenticated session and assume the identity of another user.

Steps To Reproduce

  1. Set Up an ASP.NET Core Identity Project:
    • Begin with an ASP.NET Core project that has been correctly configured with the Identity framework. 
  2. Create Two User Accounts:
    • User A: This user will serve as the initially authenticated user.
    • User B: This is the different user whose identity the attacker will attempt to assume.
  3. Authenticate User A:
    • Use the SignInAsync method to sign in as User A. This establishes an authenticated session for User A.
  4. Exploit the Flaw: 
    • While still signed in as User A, call the RefreshSignInAsync method, passing User B as the parameter.
    • Before the fix, this call would have succeeded, effectively refreshing the sign-in session to be associated with User B, even though User A was the one originally authenticated.
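As an added illustration, not code from this advisory or from the ASP.NET Core project, the following hypothetical SignInManager subclass performs the check that vulnerable versions lacked: it refuses to refresh a sign-in for any user other than the one the current request is already authenticated as, and logs the mismatch so it can be alerted on. The names GuardedSignInManager and ApplicationUser are assumptions.

```csharp
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Identity;
using Microsoft.Extensions.Logging;
using Microsoft.Extensions.Options;

// Hypothetical guard (not the framework's own fix): only the user the
// request is already authenticated as may have their sign-in refreshed.
public class GuardedSignInManager<TUser> : SignInManager<TUser> where TUser : class
{
    public GuardedSignInManager(
        UserManager<TUser> userManager,
        IHttpContextAccessor contextAccessor,
        IUserClaimsPrincipalFactory<TUser> claimsFactory,
        IOptions<IdentityOptions> optionsAccessor,
        ILogger<SignInManager<TUser>> logger,
        IAuthenticationSchemeProvider schemes,
        IUserConfirmation<TUser> confirmation)
        : base(userManager, contextAccessor, claimsFactory, optionsAccessor,
               logger, schemes, confirmation) { }

    public override async Task RefreshSignInAsync(TUser user)
    {
        // Who the caller is for this request, as established by the auth cookie.
        var auth = await Context.AuthenticateAsync(AuthenticationScheme);
        if (!auth.Succeeded || auth.Principal?.Identity?.IsAuthenticated != true)
        {
            Logger.LogWarning("RefreshSignInAsync rejected: request is not authenticated.");
            return;
        }

        var currentUserId = UserManager.GetUserId(auth.Principal);
        var requestedUserId = await UserManager.GetUserIdAsync(user);

        // This comparison is the check the vulnerable versions lacked: refusing to
        // refresh as anyone else prevents the session from being re-issued as User B.
        if (currentUserId == null || currentUserId != requestedUserId)
        {
            // Log, do not refresh. A mismatch here is worth an alert: legitimate
            // code paths never refresh a signed-in user as a different account.
            Logger.LogWarning("RefreshSignInAsync rejected: user {Current} tried to refresh as {Requested}.",
                currentUserId, requestedUserId);
            return;
        }

        await base.RefreshSignInAsync(user);
    }
}
```

Register it with `.AddSignInManager<GuardedSignInManager<ApplicationUser>>()` on the IdentityBuilder; the logged warning is the signal to build a detection rule on. This is defense in depth only and does not replace upgrading to a fixed version.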

Credits

  • Zahid TOKAT

Mitigation

ASP.NET Core 6.x is End-of-Life and will not receive any updates to address this issue. For more information see .NET and .NET Core official support policy.

Users of the affected components should apply one of the following mitigations:

  • Upgrade affected applications to one of:
    • ASP.NET Core Runtime >= 8.0.14
    • ASP.NET Core Runtime >= 9.0.3
    • Microsoft.AspNetCore.Identity >= 2.3.1
  • Leverage a commercial support partner like HeroDevs for post-EOL security support.

Vulnerability Details
ID: CVE-2025-24070
Project affected: ASP.NET Core Runtime; Microsoft.AspNetCore.Identity
Versions affected: ASP.NET Core >= 6.0.0 <= 6.0.36, >= 8.0.0 <= 8.0.13, >= 9.0.0 <= 9.0.2; Microsoft.AspNetCore.Identity <= 2.3.0
Published date: April 4, 2025
≈ Fix date: April 4, 2025
Fixed in:
Severity: High
Category: Weak Authentication