Microsoft Patches Critical HTTP Smuggling Flaw in ASP.NET Core

Microsoft has addressed a maximum-severity vulnerability in ASP.NET Core, identified as CVE-2025-55315, which is an HTTP request smuggling flaw within the Kestrel web server. This security gap could allow an authenticated attacker to intercept another user's credentials, alter server files, or cause the service to crash. The company has labeled this as the highest-severity issue ever reported for the ASP.NET Core framework.

To remediate the vulnerability, developers must update their .NET installations or specific Kestrel packages and then redeploy their applications. The exploit's impact is context-dependent, but it could potentially enable privilege escalation, request forgery, or the bypassing of security checks. A Microsoft official emphasized that while the worst-case scenario is severe, the actual risk depends on individual application code.

This patch was part of Microsoft's larger Patch Tuesday, which fixed 172 flaws, including several zero-days. The update coincides with the end of support for Windows 10, underscoring a significant period for Microsoft's security ecosystem.
