Understanding the Worst .NET Vulnerability
6 months ago
- #dotnet
- #vulnerability
- #security
- Microsoft disclosed a critical vulnerability, CVE-2025-55315, with a CVSS score of 9.9, the highest ever.
- The vulnerability involves HTTP request smuggling in ASP.NET Core, allowing attackers to bypass security features.
- HTTP request smuggling exploits differences in how proxy and destination servers parse ambiguous HTTP requests.
- Attackers can use this to log in as different users, bypass CSRF checks, perform injection attacks, and more.
- The specific vulnerability in CVE-2025-55315 involves invalid chunk extensions in Transfer-Encoding: chunked requests.
- Microsoft has patched the vulnerability in supported versions of .NET (8, 9, 10), but older versions remain vulnerable.
- Recommendations include updating to patched versions, enforcing HTTP/2 or HTTP/3, and avoiding direct request stream manipulation.
- Azure App Services (AAS) users are protected as the proxy has been patched, but other hosting services may still be vulnerable.
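
The parsing differences around chunk extensions described above disappear when every hop refuses chunk lines that deviate from the RFC 9112 grammar instead of guessing at them. The following is an added example, not code from the original post or from Microsoft's patch; `decode_chunked`, `is_well_formed`, `BadChunk` and the sample bodies are hypothetical names and constructed data, and the sketch assumes trailer fields are not accepted.

```python
import re

# RFC 9112 section 7.1: chunk-size = 1*HEXDIG, then zero or more
# ";" name [ "=" value ] extensions, and the line ends in CRLF, never a bare LF.
TOKEN = rb"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
QUOTED = rb'"(?:[\t \x21\x23-\x5b\x5d-\x7e\x80-\xff]|\\[\t \x21-\x7e\x80-\xff])*"'
BWS = rb"[ \t]*"
CHUNK_LINE = re.compile(
    rb"([0-9A-Fa-f]{1,8})(?:" + BWS + rb";" + BWS + TOKEN
    + rb"(?:" + BWS + rb"=" + BWS + rb"(?:" + TOKEN + rb"|" + QUOTED + rb"))?)*"
)


class BadChunk(ValueError):
    """The body is not exact chunked framing; the request must be refused."""


def decode_chunked(body: bytes) -> tuple[bytes, int]:
    """Return (payload, bytes consumed), or raise BadChunk on any deviation."""
    out, pos = bytearray(), 0
    while True:
        end = body.find(b"\r\n", pos)
        if end < 0:
            raise BadChunk("chunk line not terminated by CRLF")
        m = CHUNK_LINE.fullmatch(body, pos, end)
        if m is None:  # stray CR/LF, control bytes, bad hex, bad extension
            raise BadChunk("invalid chunk-size or chunk extension")
        size, pos = int(m.group(1), 16), end + 2
        if size == 0:
            # Assumption of this sketch: trailer fields are not accepted.
            if body[pos:pos + 2] != b"\r\n":
                raise BadChunk("expected CRLF after last chunk")
            return bytes(out), pos + 2
        data = body[pos:pos + size]
        if len(data) != size or body[pos + size:pos + size + 2] != b"\r\n":
            raise BadChunk("chunk data truncated or not followed by CRLF")
        out += data
        pos += size + 2


def is_well_formed(body: bytes) -> bool:
    try:
        decode_chunked(body)
        return True
    except BadChunk:
        return False


# Constructed samples: one valid body, one with a bare LF inside the extension.
VALID = b'5;note="ok"\r\nhello\r\n0\r\n\r\n'
MALFORMED = b"5;note\nhello\r\n0\r\n\r\n"
```

Returning the consumed byte count alongside the payload makes the end of the body explicit, which is the value a proxy and a backend must agree on.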