Microsoft has shipped fixes for a critical vulnerability in the Kestrel web server used by ASP.NET Core, tracked as CVE-2025-55315 and rated CVSS 9.9. The flaw enables HTTP request smuggling under specific conditions, allowing an attacker to slip a hidden request past a frontend proxy or load balancer. Successful exploitation can result in credential theft, bypass of security controls, content manipulation, and potential service disruption.
What CVE-2025-55315 means for ASP.NET Core and Kestrel security
The vulnerability resides in Kestrel, the high‑performance web server embedded in ASP.NET Core. According to Microsoft, an authenticated attacker could inject an additional HTTP request that is processed out of band by the backend. In a worst‑case scenario, this can expose sensitive data, including other users’ accounts, allow unauthorized file modifications on the server, and trigger denial‑of‑service conditions. The near‑maximum score reflects the impact across confidentiality, integrity, and availability.
Affected products and security updates administrators must install
Microsoft has released coordinated updates for Microsoft Visual Studio 2022, ASP.NET Core 2.3, ASP.NET Core 8.0, and ASP.NET Core 9.0. For legacy workloads on ASP.NET Core 2.x, a patched Microsoft.AspNetCore.Server.Kestrel.Core package is available. Organizations should update target frameworks and server packages, then rebuild and redeploy all workloads. In containerized environments, rebuild images and align base layers with vendor repositories to ensure the patched runtime and libraries propagate into production.
How HTTP request smuggling works—and why mixed proxy/backend stacks are at risk
Request smuggling exploits parsing discrepancies between components in an HTTP chain—typically a reverse proxy or load balancer in front of a backend server. Classic attack paths abuse mismatches in how Content-Length and Transfer-Encoding are interpreted. By crafting an ambiguous payload, an attacker can “hide” a second request that the backend processes as part of a subsequent legitimate exchange. As documented by OWASP and prior industry research, the technique enables session hijacking, CSRF bypass, server-side request forgery (SSRF), and other malicious injections when defenses are applied inconsistently across tiers.
Impact varies with application logic and deployment topology
Real‑world risk depends on how an application enforces authentication and input validation at each request. Microsoft’s .NET security guidance notes that the issue is assessed on a worst‑case basis to account for protection bypass and scope change. As security program manager Barry Dorrans cautions, “we assess the vulnerability by the worst case: a protection bypass with a change in impact scope. How likely is it? Unlikely—unless your code has quirks and skips checks that should run on every request. Either way, please update.” Multi‑proxy chains, shared caches, multi‑tenant hosting, and API gateways can magnify exposure, especially for HTTP/1.1 traffic where CL/TE ambiguity is most relevant.
Practical mitigation checklist for Kestrel and ASP.NET Core
Patch and inventory
Apply all available updates to Kestrel and ASP.NET Core runtimes immediately. Perform an inventory of services fronted by Nginx, Apache, cloud reverse proxies, and API gateways to validate that frontend and backend components are updated in lockstep.
Harden proxy and backend configurations
Normalize and filter headers at the proxy and application tiers. Disallow ambiguous Content-Length/Transfer-Encoding combinations, align keep‑alive timeouts, and size buffers consistently. Where feasible, restrict HTTP pipelining and review WAF rulesets tuned for request‑smuggling patterns.
Test and monitor for request smuggling
Integrate HTTP request smuggling checks into DAST/SAST pipelines and run periodic security tests focusing on CL/TE mismatches. Enhance logging and telemetry for request correlation, detect anomalous sequences, and investigate unexpected 4xx/5xx spikes near authorization flows. Re‑verify CSRF middleware, controller‑level validation, and anti‑forgery tokens.
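The CL/TE parsing discrepancy described above and the "disallow ambiguous Content-Length/Transfer-Encoding combinations" hardening item can be expressed as a concrete framing check like the one below, added here as an example and not code from Microsoft, Kestrel, or this article. It is a Python function that a proxy-tier filter or a DAST harness could apply to a raw HTTP/1.1 request head; the sample request heads are constructed, not captured traffic.

```python
import re

# Header field-name token per RFC 7230: no whitespace allowed before the colon.
_HEADER_RE = re.compile(r"^([!#$%&'*+.^_`|~0-9A-Za-z-]+):[ \t]*(.*?)[ \t]*$")


def framing_problems(raw: bytes) -> list[str]:
    """Return framing ambiguities in a raw HTTP/1.1 request head ([] = unambiguous).

    RFC 7230 s3.3.3: both Transfer-Encoding and Content-Length, conflicting or
    non-numeric Content-Length, or a Transfer-Encoding not ending in 'chunked'
    must be rejected rather than guessed at by either tier.
    """
    head = raw.split(b"\r\n\r\n", 1)[0].split(b"\n\n", 1)[0]
    lines = head.replace(b"\r\n", b"\n").split(b"\n")
    problems: list[str] = []
    content_lengths: list[str] = []
    transfer_encodings: list[str] = []
    for line in lines[1:]:  # lines[0] is the request line
        if not line:
            continue
        m = _HEADER_RE.match(line.decode("latin-1"))
        if m is None:  # e.g. "Transfer-Encoding : chunked" or an obs-fold line
            problems.append(f"malformed header line: {line!r}")
            continue
        name, value = m.group(1).lower(), m.group(2)
        if name == "content-length":
            content_lengths += [v.strip() for v in value.split(",")]
        elif name == "transfer-encoding":
            transfer_encodings += [v.strip().lower() for v in value.split(",")]
    if content_lengths and transfer_encodings:
        problems.append("both Content-Length and Transfer-Encoding present")
    if len(set(content_lengths)) > 1:
        problems.append("conflicting Content-Length values")
    if any(not re.fullmatch(r"[0-9]+", v) for v in content_lengths):
        problems.append("non-numeric Content-Length")
    if transfer_encodings and transfer_encodings[-1] != "chunked":
        problems.append("Transfer-Encoding does not end with chunked")
    return problems


# Constructed sample request heads for a quick self-check (not captured traffic).
CLEAN = b"POST /api HTTP/1.1\r\nHost: app\r\nContent-Length: 5\r\n\r\nhello"
CL_AND_TE = (b"POST /api HTTP/1.1\r\nHost: app\r\nContent-Length: 4\r\n"
             b"Transfer-Encoding: chunked\r\n\r\n0\r\n\r\n")
DUP_CL = b"POST /api HTTP/1.1\r\nHost: app\r\nContent-Length: 4\r\nContent-Length: 9\r\n\r\n"

if __name__ == "__main__":
    for sample in (CLEAN, CL_AND_TE, DUP_CL):
        print(framing_problems(sample) or "ok")
```

A frontend that rejects any non-empty result with a 400 never forwards a request the backend could frame differently, which is the property the hardening step is after.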
CVE-2025-55315 is a high‑impact flaw with routes to data exposure and control bypass in Kestrel‑backed applications. Even if exploitation appears unlikely in a specific service, complex proxy chains, caches, and authentication flows expand the attack surface. Prioritize updates across the ASP.NET Core stack, review HTTP normalization end‑to‑end, and add request‑smuggling tests to your security regimen to reduce the risk of credential compromise and defense evasion.