CVE-2025-55315
Published: 14 October 2025
Description
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Security Summary
CVE-2025-55315 is a critical vulnerability in ASP.NET Core stemming from inconsistent interpretation of HTTP requests, enabling HTTP request/response smuggling as defined by CWE-444. Published on 2025-10-14, it carries a CVSS v3.1 base score of 9.9 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L), indicating exploitation over the network with low attack complexity and low privileges required.
An authorized attacker with low privileges (PR:L) can exploit this vulnerability over the network without user interaction. Exploitation allows bypassing security features, resulting in high confidentiality and integrity impacts, low availability impact, and a change in scope due to the smuggling mechanism.
Microsoft's Security Response Center provides update guidance at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-55315. Additional technical details are available in Andrew Lock's analysis at https://andrewlock.net/understanding-the-worst-dotnet-vulnerability-request-smuggling-and-cve-2025-55315/ and a GitHub gist at https://gist.github.com/N3mes1s/d0897c13ca199e739ecc2b562f466040.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
CVE-2025-55315 enables HTTP request/response smuggling in public-facing ASP.NET Core web applications, directly mapping to exploitation of public-facing applications.