CVE-2025-55315
Multiple · Multiple Products utilizing ASP.NET Core
Executive summary
A critical vulnerability, identified as CVE-2025-55315, has been discovered in multiple products utilizing the ASP.NET Core framework. This flaw, a form of HTTP Request Smuggling, allows an authorized network attacker to bypass security features, potentially leading to unauthorized data access, privilege escalation, and execution of malicious actions within affected applications. Due to its critical severity rating, immediate remediation is strongly advised to prevent system compromise.
Vulnerability
This vulnerability is an HTTP Request Smuggling flaw that stems from an inconsistent interpretation of HTTP requests between a front-end proxy (e.g., a load balancer or WAF) and the back-end ASP.NET Core application. An authorized attacker can craft a specially formed HTTP request containing ambiguous headers (such as both Content-Length and Transfer-Encoding). The front-end server may process the request one way, while the back-end server parses it differently, allowing a malicious, "smuggled" request to be appended and executed with the privileges of the application or another user. This allows the attacker to bypass security controls, poison web caches, or hijack other users' sessions.
Business impact
This vulnerability is rated as critical severity with a CVSS score of 9.9, posing a significant and immediate threat to the organization. Successful exploitation could lead to the complete bypass of critical security mechanisms like authentication and authorization checks. Potential consequences include unauthorized access to sensitive corporate or customer data, privilege escalation to administrative levels, and the ability to perform unauthorized actions on behalf of other users. Such an incident could result in a severe data breach, significant financial loss, reputational damage, and regulatory penalties.
Remediation
Immediate Action: The primary remediation is to apply the security updates provided by the vendor. Administrators should immediately update all instances of affected ASP.NET Core products to the latest patched version. Following the update, review web server, proxy, and application access logs for any signs of exploitation attempts that may have occurred prior to patching.
Proactive Monitoring: Implement enhanced monitoring of HTTP traffic for indicators of request smuggling. This includes creating alerts for HTTP requests that contain both Content-Length and Transfer-Encoding headers. Monitor web and application logs for malformed requests, unexpected responses, or anomalous application behavior that could indicate a successful smuggling attack.
Compensating Controls: If immediate patching is not feasible, implement the following compensating controls:
- Configure front-end reverse proxies, load balancers, and WAFs to normalize traffic by dropping or rejecting ambiguous HTTP requests before they reach the back-end application.
- Enforce stricter WAF rulesets specifically designed to detect and block HTTP Request Smuggling patterns.
- If possible, enable HTTP/2 for end-to-end communication between the client and the back-end server, as this protocol is inherently less vulnerable to this type of attack.
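Added example (not vendor code): a minimal Python check for the alert condition described under Proactive Monitoring and the reject decision in the first compensating control, run over raw request heads captured at the front end. It goes beyond the Content-Length plus Transfer-Encoding case to the other framing ambiguities that RFC 9112 treats as errors; the function names, finding labels, and sample requests are constructed for illustration.

```python
def parse_fields(raw: bytes) -> list[tuple[str, str]]:
    """Return (raw_name, value) pairs from the head of a raw HTTP/1.1 request."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    fields = []
    for line in head.split("\r\n")[1:]:  # skip the request line
        name, sep, value = line.partition(":")
        if sep:
            fields.append((name, value.strip()))
    return fields


def framing_findings(raw: bytes) -> list[str]:
    """List reasons the body framing is ambiguous; an empty list means clean."""
    findings, lengths, codings = [], [], []
    for raw_name, value in parse_fields(raw):
        name = raw_name.strip().lower()
        if name not in ("content-length", "transfer-encoding"):
            continue
        # RFC 9112 section 5.1: no whitespace between field name and colon.
        if raw_name != raw_name.strip():
            findings.append("whitespace-around-framing-header-name")
        items = [v.strip().lower() for v in value.split(",")]
        (lengths if name == "content-length" else codings).extend(items)
    if lengths and codings:  # the case the advisory says to alert on
        findings.append("content-length-with-transfer-encoding")
    if len(set(lengths)) > 1:
        findings.append("conflicting-content-length")
    if any(not (v.isascii() and v.isdigit()) for v in lengths):
        findings.append("non-numeric-content-length")
    if codings and codings[-1] != "chunked":
        findings.append("transfer-encoding-not-ending-in-chunked")
    return findings


# Constructed sample requests for illustration, not real traffic.
HEAD = b"POST /api/items HTTP/1.1\r\nHost: app.example\r\n"
SAMPLES = {
    "clean": HEAD + b"Content-Length: 5\r\n\r\nhello",
    "both": HEAD + b"Content-Length: 5\r\nTransfer-Encoding: chunked\r\n\r\n0\r\n\r\n",
    "spaced": HEAD + b"Transfer-Encoding : chunked\r\n\r\n0\r\n\r\n",
    "conflict": HEAD + b"Content-Length: 5\r\nContent-Length: 7\r\n\r\nhello",
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(label, framing_findings(raw) or "ok")
```

The check needs the request head as received on the wire, so it belongs at the proxy or in a packet capture rather than in a log pipeline that has already parsed and normalized headers.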
Exploitation status
Public Exploit Available: False
Analyst recommendation
Given the critical CVSS score of 9.9, this vulnerability requires immediate attention. We recommend that all affected ASP.NET Core applications be patched on an emergency basis. Although this CVE is not yet listed on the CISA Known Exploited Vulnerabilities (KEV) catalog, its high severity indicates a strong likelihood of future exploitation. Organizations that cannot patch immediately must implement the recommended compensating controls and proactive monitoring to reduce their risk exposure. Treat this vulnerability as an active threat and prioritize its remediation across all relevant systems.