CVE-2025-24070
Overview
.NET is a free, open-source, cross-platform framework for building modern apps and powerful cloud services. It consists of a runtime and a developer platform made up of tools, programming languages, and libraries for building many different types of applications. ASP.NET Core extends the .NET developer platform with tools and libraries specifically for building web apps. ASP.NET Core is the open-source version of ASP.NET that runs on macOS, Linux, and Windows. It was first released in 2016 and is a redesign of the earlier Windows-only versions of ASP.NET.
A vulnerability (CVE-2025-24070) exists in applications that use ASP.NET Core or the Microsoft.AspNetCore.Identity NuGet package and call RefreshSignInAsync with a user parameter that has not been properly authenticated as the current user. An attacker who is signed in as one user can have their session re-issued for another user's account, resulting in elevation of privilege.
Per CWE-1390 (Weak Authentication): the product uses an authentication mechanism to restrict access to specific users or identities, but the mechanism does not sufficiently prove that the claimed identity is correct.
This issue affects ASP.NET Core 6.0.0 through 6.0.36, 8.0.0 through 8.0.13, 9.0.0 through 9.0.2, and Microsoft.AspNetCore.Identity 2.3.0 and earlier.
Additionally, self-contained applications published against any of the affected versions carry the vulnerable runtime with them. Such applications are also vulnerable and must be recompiled against a fixed version and redeployed; updating the shared runtime on the host does not fix them.
Details
Module Info
- Product: Any ASP.NET Core application running on:
- ASP.NET Core 6.0.36 or earlier.
- ASP.NET Core 8.0.13 or earlier.
- ASP.NET Core 9.0.2 or earlier.
- Any .NET application consuming the package Microsoft.AspNetCore.Identity version 2.3.0 or earlier.
- Affected packages:
- Microsoft.AspNetCore.App.Runtime.linux-arm
- Microsoft.AspNetCore.App.Runtime.linux-arm64
- Microsoft.AspNetCore.App.Runtime.linux-musl-arm
- Microsoft.AspNetCore.App.Runtime.linux-musl-arm64
- Microsoft.AspNetCore.App.Runtime.linux-musl-x64
- Microsoft.AspNetCore.App.Runtime.linux-x64
- Microsoft.AspNetCore.App.Runtime.osx-arm64
- Microsoft.AspNetCore.App.Runtime.osx-x64
- Microsoft.AspNetCore.App.Runtime.win-arm
- Microsoft.AspNetCore.App.Runtime.win-arm64
- Microsoft.AspNetCore.App.Runtime.win-x64
- Microsoft.AspNetCore.App.Runtime.win-x86
- Microsoft.AspNetCore.Identity
- Affected versions:
- ASP.NET Core:
- >= 6.0.0 <= 6.0.36
- >= 8.0.0 <= 8.0.13
- >= 9.0.0 <= 9.0.2
- Microsoft.AspNetCore.Identity:
- <= 2.3.0
- Source and package pages:
- ASP.NET Core: https://github.com/dotnet/aspnetcore
- Microsoft.AspNetCore.Identity: https://www.nuget.org/packages/Microsoft.AspNetCore.Identity
- Published packages: Download .NET (Linux, macOS, and Windows)
- Package manager:
- NuGet
- Windows Installer
- Docker
- Fixed in: .NET - Never-Ending Support (NES) | HeroDevs v6.1.0
Vulnerability Info
This High-severity vulnerability is found in the Identity components within the ASP.NET Core Runtime. The core issue lies in the RefreshSignInAsync method, which could refresh a sign-in session for the user passed to it without verifying that this user was the one who owned the current authenticated session. An attacker who was already signed in as one user could therefore have their own session refreshed under another user's identity, provided the application passed that other user to RefreshSignInAsync (for example, a user looked up from request data rather than taken from the authenticated principal).
Steps To Reproduce
- Set Up an ASP.NET Core Identity Project:
- Begin with an ASP.NET Core project that has been correctly configured with the Identity framework.
- Create Two User Accounts:
- User A: This user will serve as the initially authenticated user.
- User B: This is the different user whose identity the attacker will attempt to assume.
- Authenticate User A:
- Use the SignInAsync method to sign in as User A. This establishes an authenticated session for User A.
- Exploit the Flaw:
- While still signed in as User A, call the RefreshSignInAsync method, passing User B as the parameter.
- Before the fix, this call would have succeeded, effectively refreshing the sign-in session to be associated with User B, even though User A was the one originally authenticated.
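The reproduction steps above, as an added example that is not code from the advisory, from dotnet/aspnetcore, or from HeroDevs. It shows the same sign-in refresh endpoint twice: the calling pattern that becomes account takeover on an unpatched SignInManager, and a caller-side guard that resolves the user from the authenticated principal only. The routes, the `userId` parameter, the in-memory EF Core store and the NuGet packages named in the comments are assumptions for the demo.

```csharp
// Added example, not code from the advisory, dotnet/aspnetcore, or HeroDevs.
// Packages assumed: Microsoft.AspNetCore.Identity.EntityFrameworkCore and
// Microsoft.EntityFrameworkCore.InMemory. Routes and the "userId" query
// parameter are assumptions for the demo.
using Microsoft.AspNetCore.Identity;
using Microsoft.AspNetCore.Identity.EntityFrameworkCore;
using Microsoft.EntityFrameworkCore;

var builder = WebApplication.CreateBuilder(args);
builder.Services.AddDbContext<AppDbContext>(o => o.UseInMemoryDatabase("identity-demo"));
builder.Services.AddIdentity<IdentityUser, IdentityRole>()
    .AddEntityFrameworkStores<AppDbContext>();
builder.Services.AddAuthorization();

var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();

// Demo setup: create User A (the attacker's account) and User B (the victim).
using (var scope = app.Services.CreateScope())
{
    var users = scope.ServiceProvider.GetRequiredService<UserManager<IdentityUser>>();
    await users.CreateAsync(new IdentityUser("userA"), "Passw0rd!A");
    await users.CreateAsync(new IdentityUser("userB"), "Passw0rd!B");
}

// Step 3: authenticate as User A (issues the Identity application cookie).
app.MapPost("/login", async (string userName, string password,
        SignInManager<IdentityUser> signIn) =>
{
    var result = await signIn.PasswordSignInAsync(userName, password,
        isPersistent: false, lockoutOnFailure: false);
    return result.Succeeded ? Results.Ok() : Results.Unauthorized();
});

// Step 4, VULNERABLE: the user handed to RefreshSignInAsync comes from the
// request, not from the authenticated principal. Signed in as User A, an
// attacker sends ?userId=<User B's id>; on an unpatched runtime the cookie is
// re-issued for User B and every later request runs as User B.
app.MapPost("/refresh-vulnerable", async (string userId,
        UserManager<IdentityUser> users, SignInManager<IdentityUser> signIn) =>
{
    var target = await users.FindByIdAsync(userId);
    if (target is null) return Results.NotFound();
    await signIn.RefreshSignInAsync(target);   // no check that target is the caller
    return Results.Ok();
}).RequireAuthorization();

// HARDENED: resolve the user from HttpContext.User only, so the refreshed
// session can never belong to anyone but the caller. This is the caller-side
// form of the same-user verification the advisory says RefreshSignInAsync lacked.
app.MapPost("/refresh", async (HttpContext ctx,
        UserManager<IdentityUser> users, SignInManager<IdentityUser> signIn) =>
{
    var current = await users.GetUserAsync(ctx.User);
    if (current is null) return Results.Unauthorized();
    await signIn.RefreshSignInAsync(current);
    return Results.Ok();
}).RequireAuthorization();

// Reports who the current cookie says you are; after the vulnerable refresh
// this returns "userB" even though you logged in as "userA".
app.MapGet("/whoami", (HttpContext ctx) => Results.Ok(ctx.User.Identity?.Name))
    .RequireAuthorization();

app.Run();

sealed class AppDbContext : IdentityDbContext<IdentityUser>
{
    public AppDbContext(DbContextOptions<AppDbContext> options) : base(options) { }
}
```

When auditing an application for exposure, search for every call to RefreshSignInAsync and trace where its argument comes from. Calls that pass the result of `UserManager.GetUserAsync(HttpContext.User)` refresh the caller's own session and are not exploitable; calls whose argument is looked up by an id, e-mail or user name taken from the request, or by any other path that does not go through the authenticated principal, are the pattern this CVE turns into account takeover on an unpatched runtime. Patching the runtime closes the hole inside RefreshSignInAsync itself, but the guard shown in the hardened endpoint is still the correct way to write the caller.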
Credits
- Zahid TOKAT
Mitigation
ASP.NET Core 6.x is End-of-Life and will not receive any updates to address this issue. For more information see .NET and .NET Core official support policy.
Users of the affected components should apply one of the following mitigations. Framework-dependent applications pick up the fix from the shared runtime installed on the host (check with `dotnet --list-runtimes`); self-contained applications, as noted above, must be rebuilt against a fixed version and redeployed.
- Upgrade affected applications to one of:
- ASP.NET Core Runtime >= 8.0.14
- ASP.NET Core Runtime >= 9.0.3
- Microsoft.AspNetCore.Identity >= 2.3.1
- Leverage a commercial support partner like HeroDevs for post-EOL security support.