ASP.NET Security Feature Bypass Vulnerability
Description
Inconsistent interpretation of http requests ('http request/response smuggling') in ASP.NET Core allows an authorized attacker to bypass a security feature over a network.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
An HTTP request/response smuggling vulnerability in ASP.NET Core allows an authorized attacker to bypass a security feature over a network.
Vulnerability
Overview
CVE-2025-55315 is an HTTP request/response smuggling vulnerability in ASP.NET Core that stems from an inconsistent interpretation of HTTP requests. The vulnerability affects multiple versions of ASP.NET Core, including 10.0 RC1, 9.1.0, 8.0, and 2.3 (via the Kestrel server package). The root cause is a discrepancy in how HTTP requests are parsed by different components or intermediaries, which enables a smuggling attack.
Exploitation
Prerequisites
An attacker must be authenticated and have network access to the target ASP.NET Core application to exploit this vulnerability. No additional mitigating factors have been identified by Microsoft, meaning the attack can be carried out without special conditions [1][2]. The HTTP request/response smuggling technique leverages the parsing inconsistency to present different request boundaries to different downstream systems.
Impact
Successful exploitation allows an authorized attacker to bypass a security feature over the network. This could enable unauthorized actions, such as requesting protected resources, performing actions beyond the attacker's permission level, or injecting malicious content into other responses. The exact security feature bypassed is not specified, but it is a general security feature in ASP.NET Core.
Mitigation
Microsoft has released patches for all affected versions. The patched versions are ASP.NET Core 10.0.0-rc.2.25502.107, 9.0.10, 8.0.21, and Kestrel package version 2.3.6 [1][2]. No workarounds have been provided; administrators are strongly advised to update their applications to the latest patched versions immediately.
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| Microsoft.AspNetCore.Server.Kestrel.Core (NuGet) | < 2.3.6 | 2.3.6 |
| Microsoft.AspNetCore.App.Runtime.linux-arm (NuGet) | >= 10.0.0-rc.1.25451.107, < 10.0.0-rc.2.25502.107 | 10.0.0-rc.2.25502.107 |
| Microsoft.AspNetCore.App.Runtime.linux-arm64 (NuGet) | >= 10.0.0-rc.1.25451.107, < 10.0.0-rc.2.25502.107 | 10.0.0-rc.2.25502.107 |
| Microsoft.AspNetCore.App.Runtime.linux-musl-arm (NuGet) | >= 10.0.0-rc.1.25451.107, < 10.0.0-rc.2.25502.107 | 10.0.0-rc.2.25502.107 |
| Microsoft.AspNetCore.App.Runtime.linux-musl-arm64 (NuGet) | >= 10.0.0-rc.1.25451.107, < 10.0.0-rc.2.25502.107 | 10.0.0-rc.2.25502.107 |
| Microsoft.AspNetCore.App.Runtime.linux-musl-x64 (NuGet) | >= 10.0.0-rc.1.25451.107, < 10.0.0-rc.2.25502.107 | 10.0.0-rc.2.25502.107 |
| Microsoft.AspNetCore.App.Runtime.linux-x64 (NuGet) | >= 10.0.0-rc.1.25451.107, < 10.0.0-rc.2.25502.107 | 10.0.0-rc.2.25502.107 |
| Microsoft.AspNetCore.App.Runtime.osx-arm64 (NuGet) | >= 10.0.0-rc.1.25451.107, < 10.0.0-rc.2.25502.107 | 10.0.0-rc.2.25502.107 |
| Microsoft.AspNetCore.App.Runtime.osx-x64 (NuGet) | >= 10.0.0-rc.1.25451.107, < 10.0.0-rc.2.25502.107 | 10.0.0-rc.2.25502.107 |
| Microsoft.AspNetCore.App.Runtime.win-arm (NuGet) | >= 10.0.0-rc.1.25451.107, < 10.0.0-rc.2.25502.107 | 10.0.0-rc.2.25502.107 |
| Microsoft.AspNetCore.App.Runtime.win-arm64 (NuGet) | >= 10.0.0-rc.1.25451.107, < 10.0.0-rc.2.25502.107 | 10.0.0-rc.2.25502.107 |
| Microsoft.AspNetCore.App.Runtime.win-x64 (NuGet) | >= 10.0.0-rc.1.25451.107, < 10.0.0-rc.2.25502.107 | 10.0.0-rc.2.25502.107 |
| Microsoft.AspNetCore.App.Runtime.win-x86 (NuGet) | >= 10.0.0-rc.1.25451.107, < 10.0.0-rc.2.25502.107 | 10.0.0-rc.2.25502.107 |
| Microsoft.AspNetCore.App.Runtime.linux-arm (NuGet) | >= 9.0.0, < 9.0.10 | 9.0.10 |
| Microsoft.AspNetCore.App.Runtime.linux-arm64 (NuGet) | >= 9.0.0, < 9.0.10 | 9.0.10 |
| Microsoft.AspNetCore.App.Runtime.linux-musl-arm (NuGet) | >= 9.0.0, < 9.0.10 | 9.0.10 |
| Microsoft.AspNetCore.App.Runtime.linux-musl-arm64 (NuGet) | >= 9.0.0, < 9.0.10 | 9.0.10 |
| Microsoft.AspNetCore.App.Runtime.linux-musl-x64 (NuGet) | >= 9.0.0, < 9.0.10 | 9.0.10 |
| Microsoft.AspNetCore.App.Runtime.linux-x64 (NuGet) | >= 9.0.0, < 9.0.10 | 9.0.10 |
| Microsoft.AspNetCore.App.Runtime.osx-arm64 (NuGet) | >= 9.0.0, < 9.0.10 | 9.0.10 |
| Microsoft.AspNetCore.App.Runtime.osx-x64 (NuGet) | >= 9.0.0, < 9.0.10 | 9.0.10 |
| Microsoft.AspNetCore.App.Runtime.win-arm (NuGet) | >= 9.0.0, < 9.0.10 | 9.0.10 |
| Microsoft.AspNetCore.App.Runtime.win-arm64 (NuGet) | >= 9.0.0, < 9.0.10 | 9.0.10 |
| Microsoft.AspNetCore.App.Runtime.win-x64 (NuGet) | >= 9.0.0, < 9.0.10 | 9.0.10 |
| Microsoft.AspNetCore.App.Runtime.win-x86 (NuGet) | >= 9.0.0, < 9.0.10 | 9.0.10 |
| Microsoft.AspNetCore.App.Runtime.linux-arm (NuGet) | >= 8.0.0, < 8.0.21 | 8.0.21 |
| Microsoft.AspNetCore.App.Runtime.linux-arm64 (NuGet) | >= 8.0.0, < 8.0.21 | 8.0.21 |
| Microsoft.AspNetCore.App.Runtime.linux-musl-arm (NuGet) | >= 8.0.0, < 8.0.21 | 8.0.21 |
| Microsoft.AspNetCore.App.Runtime.linux-musl-arm64 (NuGet) | >= 8.0.0, < 8.0.21 | 8.0.21 |
| Microsoft.AspNetCore.App.Runtime.linux-musl-x64 (NuGet) | >= 8.0.0, < 8.0.21 | 8.0.21 |
| Microsoft.AspNetCore.App.Runtime.linux-x64 (NuGet) | >= 8.0.0, < 8.0.21 | 8.0.21 |
| Microsoft.AspNetCore.App.Runtime.osx-arm64 (NuGet) | >= 8.0.0, < 8.0.21 | 8.0.21 |
| Microsoft.AspNetCore.App.Runtime.osx-x64 (NuGet) | >= 8.0.0, < 8.0.21 | 8.0.21 |
| Microsoft.AspNetCore.App.Runtime.win-arm (NuGet) | >= 8.0.0, < 8.0.21 | 8.0.21 |
| Microsoft.AspNetCore.App.Runtime.win-arm64 (NuGet) | >= 8.0.0, < 8.0.21 | 8.0.21 |
| Microsoft.AspNetCore.App.Runtime.win-x64 (NuGet) | >= 8.0.0, < 8.0.21 | 8.0.21 |
| Microsoft.AspNetCore.App.Runtime.win-x86 (NuGet) | >= 8.0.0, < 8.0.21 | 8.0.21 |
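To triage hosts against the ranges in this table, the following added example (not part of the advisory or of Microsoft's tooling) parses `dotnet --list-runtimes` output and flags installed ASP.NET Core shared frameworks that fall inside an affected range, using SemVer pre-release ordering so the 10.0 RC builds compare correctly. It assumes the shared framework version reported by the CLI matches the `Microsoft.AspNetCore.App.Runtime.*` package version; the sample output is constructed, and the Kestrel.Core 2.3 NuGet reference is not covered because it does not appear in runtime listings.

```python
import re

# Affected ranges for Microsoft.AspNetCore.App.Runtime.*, copied from the table
# above as (first affected version, first patched version).
AFFECTED = [
    ("8.0.0", "8.0.21"),
    ("9.0.0", "9.0.10"),
    ("10.0.0-rc.1.25451.107", "10.0.0-rc.2.25502.107"),
]

# One line of `dotnet --list-runtimes`: "<framework> <version> [<install path>]"
LINE = re.compile(r"^(?P<name>\S+)\s+(?P<version>\S+)\s+\[(?P<path>.+)\]$")

def semver_key(version):
    """Sort key following SemVer 2.0 precedence, including pre-release tags."""
    core, _, pre = version.split("+")[0].partition("-")
    nums = tuple(int(p) for p in core.split("."))
    if not pre:
        return (nums, 1, ())  # a release outranks its own pre-releases
    # Numeric identifiers compare as integers and sort below alphanumeric ones.
    ids = tuple((0, int(p), "") if p.isdigit() else (1, 0, p)
                for p in pre.split("."))
    return (nums, 0, ids)

def affected_runtimes(list_runtimes_output):
    """Return (installed_version, patched_version) for each affected runtime."""
    hits = []
    for line in list_runtimes_output.splitlines():
        m = LINE.match(line.strip())
        if not m or m["name"] != "Microsoft.AspNetCore.App":
            continue
        key = semver_key(m["version"])
        for low, fixed in AFFECTED:
            if semver_key(low) <= key < semver_key(fixed):
                hits.append((m["version"], fixed))
    return hits

# Constructed sample output, not captured from a real host.
SAMPLE = """\
Microsoft.AspNetCore.App 8.0.20 [/usr/share/dotnet/shared/Microsoft.AspNetCore.App]
Microsoft.AspNetCore.App 8.0.21 [/usr/share/dotnet/shared/Microsoft.AspNetCore.App]
Microsoft.AspNetCore.App 9.0.9 [/usr/share/dotnet/shared/Microsoft.AspNetCore.App]
Microsoft.AspNetCore.App 10.0.0-rc.1.25451.107 [/usr/share/dotnet/shared/Microsoft.AspNetCore.App]
Microsoft.AspNetCore.App 10.0.0-rc.2.25502.107 [/usr/share/dotnet/shared/Microsoft.AspNetCore.App]
Microsoft.NETCore.App 8.0.20 [/usr/share/dotnet/shared/Microsoft.NETCore.App]
"""

if __name__ == "__main__":
    for installed, fixed in affected_runtimes(SAMPLE):
        print(f"Microsoft.AspNetCore.App {installed} is affected; update to {fixed}")
```

Comparing version components as integers matters here: a plain string comparison would rank 9.0.9 above 9.0.10 and miss that runtime.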
Affected products
- Microsoft/ASP.NET Core 2.3 (v5), Range: 2.3
- Microsoft/ASP.NET Core 8.0 (v5), Range: 8.0
- Microsoft/ASP.NET Core 9.0 (v5), Range: 9.0
- Microsoft/Microsoft Visual Studio 2022 version 17.10 (v5), Range: 17.10.0
- Microsoft/Microsoft Visual Studio 2022 version 17.12 (v5), Range: 17.12.0
- Microsoft/Microsoft Visual Studio 2022 version 17.14 (v5), Range: 17.14.0
References
- github.com/advisories/GHSA-5rrx-jjjq-q2r5 (ghsa, ADVISORY)
- msrc.microsoft.com/update-guide/vulnerability/CVE-2025-55315 (ghsa, vendor-advisory, patch, WEB)
- nvd.nist.gov/vuln/detail/CVE-2025-55315 (ghsa, ADVISORY)
- github.com/dotnet/announcements/issues/371 (ghsa, WEB)
- github.com/dotnet/aspnetcore/security/advisories/GHSA-5rrx-jjjq-q2r5 (ghsa, WEB)