By clicking "Accept", you agree to the storing of cookies on your device to enhance site navigation, analyze site usage, and assist in our marketing efforts. View our Privacy Policy for more information.

Thank you! Your submission has been received!

Oops! Something went wrong while submitting the form.

View all Vulnerabilities

CVE-2025-24070

Weak Authentication

Affects

ASP.NET Core Runtime; Microsoft.AspNetCore.Identity

ASP.NET Core: >= 6.0.0 <= 6.0.36 >= 8.0.0 <= 8.0.13 >= 9.0.0 <= 9.0.2 Microsoft.AspNetCore.Identity: <= 2.3.0

.NET

Patch Available

This Vulnerability has been fixed in the Never-Ending Support (NES) version offered by HeroDevs

View NES Solution

Overview

.NET is a free, open-source, cross-platform framework for building modern apps and powerful cloud services. It consists of a runtime and a developer platform made up of tools, programming languages, and libraries for building many different types of applications. ASP.NET Core extends the .NET developer platform with tools and libraries specifically for building web apps. ASP.NET Core is the open-source version of ASP.NET, that runs on macOS, Linux, and Windows. ASP.NET Core was first released in 2016 and is a re-design of earlier Windows-only versions of ASP.NET.

‍

A vulnerability (CVE-2025-24070) exists in applications using ASP.NET Core and Microsoft.AspNetCore.Identity Nuget Package when calling RefreshSignInAsync with an improperly authenticated user parameter that could allow an attacker to sign into another user's account, resulting in Elevation of Privilege.

‍

Per CWE-1390: Weak Authentication, Weak Authentication is defined as a product using an authentication mechanism to restrict access to specific users or identities, but the mechanism does not sufficiently prove that the claimed identity is correct.

‍

This issue affects ASP.NET Core 6.0.0 <= 6.0.36, 8.0.0 <= 8.0.13, 9.0.0 <= 9.0.2 and Microsoft.AspNetCore.Identity <= 2.3.0.

‍

Additionally, if you've deployed self-contained applications targeting any of the impacted versions, these applications are also vulnerable and must be recompiled and redeployed.

‍

Details

Module Info

Product: Any ASP.NET Core application running on:
- Any ASP.NET Core 6.0 application running on ASP.NET Core 6.0.36 or earlier.
- Any ASP.NET Core 8.0 application running on ASP.NET Core 8.0.13 or earlier.
- Any ASP.NET Core 9.0 application running on ASP.NET Core 9.0.2 or earlier.
- Any .NET application consuming the package Microsoft.AspNetCore.Identity version 2.3.0 or earlier.
Affected packages:
- Microsoft.AspNetCore.App.Runtime.linux-arm
- Microsoft.AspNetCore.App.Runtime.linux-arm64
- Microsoft.AspNetCore.App.Runtime.linux-musl-arm
- Microsoft.AspNetCore.App.Runtime.linux-musl-arm64
- Microsoft.AspNetCore.App.Runtime.linux-musl-x64
- Microsoft.AspNetCore.App.Runtime.linux-x64
- Microsoft.AspNetCore.App.Runtime.osx-arm64
- Microsoft.AspNetCore.App.Runtime.osx-x64
- Microsoft.AspNetCore.App.Runtime.win-arm
- Microsoft.AspNetCore.App.Runtime.win-arm64
- Microsoft.AspNetCore.App.Runtime.win-x64
- Microsoft.AspNetCore.App.Runtime.win-x86
- Microsoft.AspNetCore.Identity
Affected versions:
- ASP.NET Core:
  - >= 6.0.0 <= 6.0.36
  - >= 8.0.0 <= 8.0.13
  - >= 9.0.0 <= 9.0.2
- Microsoft.AspNetCore.Identity:
  - <= 2.3.0
GitHub repository:
- ASP.NET Core: https://github.com/dotnet/aspnetcore
- Microsoft.AspNetCore.Identity: https://www.nuget.org/packages/Microsoft.AspNetCore.Identity
Published packages: Download .NET (Linux, macOS, and Windows)
Package manager:
- Nuget
- Windows Installer
- Docker
Fixed in: .NET - Never-Ending Support (NES) | HeroDevs v6.1.0

‍

Vulnerability Info

This High-severity vulnerability is found in the Identity components within the ASP.NET Core Runtime. The core issue lies in the RefreshSignInAsync method, where it could refresh a user's sign-in session without adequately verifying that the session belonged to the same user. This created a scenario where an attacker could potentially hijack an authenticated session and assume the identity of another user.

‍

Steps To Reproduce

Set Up an ASP.NET Core Identity Project:
- Begin with an ASP.NET Core project that has been correctly configured with the Identity framework.
Create Two User Accounts:
- User A: This user will serve as the initially authenticated user.
- User B: This is the different user whose identity the attacker will attempt to assume.
Authenticate User A:
- Use the SignInAsync method to sign in as User A. This establishes an authenticated session for User A.
Exploit the Flaw:
- While still signed in as User A, call the RefreshSignInAsync method, passing User B as the parameter.
- Before the fix, this call would have succeeded, effectively refreshing the sign-in session to be associated with User B, even though User A was the one originally authenticated.

‍

Credits

Zahid TOKAT

‍

Mitigation

ASP.NET Core 6.x is End-of-Life and will not receive any updates to address this issue. For more information see .NET and .NET Core official support policy.

‍

Users of the affected components should apply one of the following mitigations:

Upgrade affected applications to one of:
- ASP.NET Core Runtime >= 8.0.14
- ASP.NET Core Runtime >= 9.0.3
- Microsoft.AspNetCore.Identity >= 2.3.1
Leverage a commercial support partner like HeroDevs for post-EOL security support.

‍