CVE-2025-55315

Critical

Published: 14 October 2025

Modified: 28 October 2025
KEV Added: not listed
Patch
CVSS Score: 9.9 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L)
EPSS Score: 0.0145 (80.9th percentile)
Risk Priority: 21 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-55315 is a critical-severity HTTP Request/Response Smuggling (CWE-444) vulnerability in Microsoft ASP.NET Core. Its CVSS base score is 9.9 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked in the top 19.1% of CVEs by exploit likelihood (EPSS), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and CM-6 (Configuration Settings).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190). What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

- SI-2 Flaw Remediation (prevent): Remediating the ASP.NET Core flaw via timely vendor patches directly prevents exploitation of HTTP request/response smuggling.
- CM-6 Configuration Settings (prevent): Establishing secure configuration settings for web servers and proxies ensures consistent HTTP request parsing, mitigating the parsing inconsistencies exploited in this smuggling vulnerability.
- Boundary Protection (SC-7; prevent, detect): Boundary protection through properly configured proxies or WAFs normalizes and inspects HTTP traffic, blocking smuggling attempts before they reach the vulnerable ASP.NET Core application.

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

CVE-2025-55315 enables HTTP request/response smuggling in public-facing ASP.NET Core web applications, directly mapping to exploitation of public-facing applications.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

Inconsistent interpretation of http requests ('http request/response smuggling') in ASP.NET Core allows an authorized attacker to bypass a security feature over a network.

Deeper analysis

CVE-2025-55315 is a critical vulnerability in ASP.NET Core stemming from inconsistent interpretation of HTTP requests, enabling HTTP request/response smuggling as defined by CWE-444. Published on 2025-10-14, it carries a CVSS v3.1 base score of 9.9 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L), indicating network-accessible exploitation with low attack complexity and only low privileges required.

An authorized attacker with low privileges (PR:L) can exploit this vulnerability over the network without user interaction. Exploitation allows bypassing security features, resulting in high confidentiality and integrity impacts, low availability impact, and a change in scope due to the smuggling mechanism.

Microsoft's Security Response Center provides update guidance at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-55315. Additional technical details are available in Andrew Lock's analysis at https://andrewlock.net/understanding-the-worst-dotnet-vulnerability-request-smuggling-and-cve-2025-55315/ and a GitHub gist at https://gist.github.com/N3mes1s/d0897c13ca199e739ecc2b562f466040.

Details

CWE(s): CWE-444 (HTTP Request/Response Smuggling)

Affected Products

| Vendor    | Product            | Affected version ranges                                      |
|-----------|--------------------|--------------------------------------------------------------|
| Microsoft | ASP.NET Core       | 2.3.0 to 2.3.6; 8.0.0 to 8.0.21; 9.0.0 to 9.0.10             |
| Microsoft | Visual Studio 2022 | 17.10.0 to 17.10.20; 17.12.10 to 17.12.13; 17.14.0 to 17.14.17 |

CVEs Like This One

- CVE-2026-40372 (same product: Microsoft ASP.NET Core)
- CVE-2026-26130 (same product: Microsoft ASP.NET Core)
- CVE-2026-20947 (same vendor: Microsoft)
- CVE-2026-20856 (same vendor: Microsoft)
- CVE-2025-21385 (same vendor: Microsoft)
- CVE-2025-62549 (same vendor: Microsoft)
- CVE-2025-59287 (same vendor: Microsoft)
- CVE-2025-53766 (same vendor: Microsoft)
- CVE-2026-21532 (same vendor: Microsoft)
- CVE-2025-59228 (same vendor: Microsoft)