Microsoft Patches the Most Severe ASP.NET Vulnerability on Record

Microsoft has fixed what experts are calling the most severe ASP.NET vulnerability in history—a critical flaw rated 9.9 out of 10 on the CVSS scale.

The vulnerability, tracked as CVE-2025-55315, affects the ASP.NET Core Kestrel web server and stems from an HTTP request smuggling weakness. The flaw allowed authenticated attackers to inject hidden HTTP requests, potentially intercepting credentials, bypassing security checks, or manipulating server responses.

“An attacker who successfully exploited this vulnerability could view sensitive information such as user credentials, modify file contents on the server, or cause the server to crash,” Microsoft explained in its advisory.

A Near-Perfect 9.9 Severity

A 9.9 CVSS score is extraordinarily rare for application-layer vulnerabilities, placing CVE-2025-55315 among the most dangerous in .NET’s history. Kestrel, the lightweight cross-platform web server built into ASP.NET Core, is widely used for hosting APIs and web applications—making the exposure especially concerning.

To mitigate the issue, Microsoft has released patches across multiple .NET versions and developer tools:

  • For .NET 8 and newer: Install the latest .NET update through Microsoft Update, then restart the application or reboot the host machine.
  • For ASP.NET Core 2.3: Update the Microsoft.AspNet.Server.Kestrel.Core package to version 2.3.6, recompile, and redeploy.
  • For self-contained or single-file apps: Install the .NET update, recompile, and redeploy.

The company also issued security updates for Visual Studio 2022, ASP.NET Core 2.3, 8.0, and 9.0, along with an updated Kestrel.Core package for legacy ASP.NET Core 2.x applications.
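One way to inventory the legacy 2.x projects that still need the package update from the mitigation steps above (added example, not Microsoft's tooling; the package name and fixed version 2.3.6 are taken from this article, the sample .csproj files are constructed):

```python
"""Find ASP.NET Core 2.x project files still pinning Kestrel.Core below 2.3.6.
Assumes MSBuild-style .csproj files (SDK-style or legacy namespaced) that
declare dependencies with PackageReference items."""
import pathlib
import sys
import xml.etree.ElementTree as ET

VULNERABLE_PACKAGE = "Microsoft.AspNet.Server.Kestrel.Core"  # as named in the article
FIXED_VERSION = "2.3.6"  # fixed version given in the article's mitigation step

def parse_version(text):
    """Turn '2.3.6' or '2.3.6-preview1' into a comparable tuple of ints."""
    core = text.split("-", 1)[0]
    return tuple(int(p) for p in core.split(".") if p.isdigit())

def find_kestrel_references(csproj_xml):
    """Return [(package, version)] for each Kestrel.Core PackageReference in a .csproj string."""
    refs = []
    for elem in ET.fromstring(csproj_xml).iter():
        if elem.tag.rsplit("}", 1)[-1] != "PackageReference":  # strip legacy MSBuild namespace
            continue
        version = elem.get("Version") or next(
            (c.text or "" for c in elem if c.tag.rsplit("}", 1)[-1] == "Version"), "").strip()
        if elem.get("Include") == VULNERABLE_PACKAGE and version:
            refs.append((VULNERABLE_PACKAGE, version))
    return refs

def needs_update(csproj_xml):
    """True if the project pins Kestrel.Core below the fixed version (wildcards count as old)."""
    return any(parse_version(v) < parse_version(FIXED_VERSION)
               for _, v in find_kestrel_references(csproj_xml))

def scan_tree(root_dir):
    """Walk a directory tree and return the .csproj paths that still need the update."""
    return sorted(str(p) for p in pathlib.Path(root_dir).rglob("*.csproj")
                  if needs_update(p.read_text(encoding="utf-8")))

# Constructed sample project files (not from the advisory) to exercise the check.
SAMPLE_OLD = """<Project Sdk="Microsoft.NET.Sdk.Web"><ItemGroup>
  <PackageReference Include="Newtonsoft.Json" Version="13.0.3" />
  <PackageReference Include="Microsoft.AspNet.Server.Kestrel.Core" Version="2.3.0" />
</ItemGroup></Project>"""
SAMPLE_FIXED = SAMPLE_OLD.replace('Version="2.3.0"', 'Version="2.3.6"')

if __name__ == "__main__":
    for path in scan_tree(sys.argv[1] if len(sys.argv) > 1 else "."):
        print("needs Kestrel.Core >= %s: %s" % (FIXED_VERSION, path))
```

Flagged projects still need the recompile and redeploy described above; a package bump alone changes nothing until the rebuilt application is running.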

Potential Exploitation Scenarios

Barry Dorrans, Security Program Manager for .NET, cautioned that the real-world impact varies by implementation but could include:

  • Logging in as another user (privilege escalation)
  • Performing Server-Side Request Forgery (SSRF) attacks
  • Bypassing Cross-Site Request Forgery (CSRF) protection
  • Executing malicious payloads through crafted requests

“We don’t know exactly what could happen—it depends on how each application handles requests,” Dorrans noted. “We’ve rated it based on the worst-case scenario: a protection bypass with expanded scope of impact. Exploitation is unlikely unless an app’s code introduces atypical behaviors—but updating remains essential.”

Why It Matters

The discovery underscores the growing risk of HTTP desynchronization and request smuggling attacks—a class of flaws that can quietly undermine modern web frameworks. While Microsoft has acted quickly, developers running unpatched or legacy ASP.NET deployments remain at risk until updates are applied.