CVE-2025-55315

Severity: Critical
Published: 14 October 2025
Modified: 28 October 2025
KEV Added: not listed
Remediation: Patch
CVSS Score v3.1: 9.9 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L)
EPSS Score: 0.0168 (82.6th percentile)
Risk Priority: 21 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-55315 is a critical-severity HTTP Request/Response Smuggling (CWE-444) vulnerability in Microsoft Asp.Net Core. Its CVSS base score is 9.9 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 17.4% of CVEs by exploit likelihood (EPSS) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and CM-6 (Configuration Settings).

Deeper analysis

CVE-2025-55315 is a critical vulnerability in ASP.NET Core stemming from inconsistent interpretation of HTTP requests, enabling HTTP request/response smuggling as defined by CWE-444. Published on 2025-10-14, it carries a CVSS v3.1 base score of 9.9 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L), indicating an attack that is reachable over the network, has low attack complexity, and requires only low privileges.

An authorized attacker with low privileges (PR:L) can exploit this vulnerability over the network without user interaction. Exploitation allows bypassing security features, resulting in high confidentiality and integrity impacts, low availability impact, and a change in scope due to the smuggling mechanism.

Microsoft's Security Response Center provides update guidance at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-55315. Additional technical details are available in Andrew Lock's analysis at https://andrewlock.net/understanding-the-worst-dotnet-vulnerability-request-smuggling-and-cve-2025-55315/ and a GitHub gist at https://gist.github.com/N3mes1s/d0897c13ca199e739ecc2b562f466040.

Vulnerability details

Inconsistent interpretation of http requests ('http request/response smuggling') in ASP.NET Core allows an authorized attacker to bypass a security feature over a network.

Related Threats (MITRE ATT&CK Enterprise Techniques)

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

CVE-2025-55315 enables HTTP request/response smuggling in public-facing ASP.NET Core web applications, directly mapping to exploitation of public-facing applications.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-40372 (same product: Microsoft Asp.Net Core)
CVE-2026-26130 (same product: Microsoft Asp.Net Core)
CVE-2025-65037 (same vendor: Microsoft)
CVE-2025-59287 (same vendor: Microsoft)
CVE-2025-50165 (same vendor: Microsoft)
CVE-2025-21348 (same vendor: Microsoft)
CVE-2026-26114 (same vendor: Microsoft)
CVE-2025-21344 (same vendor: Microsoft)
CVE-2025-21368 (same vendor: Microsoft)
CVE-2025-21355 (same vendor: Microsoft)

Affected Assets

Microsoft ASP.NET Core: 2.3.0 — 2.3.6 · 8.0.0 — 8.0.21 · 9.0.0 — 9.0.10
Microsoft Visual Studio 2022: 17.10.0 — 17.10.20 · 17.12.10 — 17.12.13 · 17.14.0 — 17.14.17

Mitigating Controls (NIST 800-53 r5)

Prevent (SI-2, Flaw Remediation): Remediating the ASP.NET Core flaw via timely vendor patches directly prevents exploitation of HTTP request/response smuggling.

Prevent (CM-6, Configuration Settings): Establishing secure configuration settings for web servers and proxies ensures consistent HTTP request parsing, mitigating the parsing inconsistencies exploited in this smuggling vulnerability.

Prevent / Detect: Boundary protection through properly configured proxies or WAFs normalizes and inspects HTTP traffic, blocking smuggling attempts before they reach the vulnerable ASP.NET Core application.