If you create or run websites using ASP.NET Core, here is some big news — Microsoft just fixed one of the worst bugs it has ever found in ASP.NET Core. And when I say bad, I mean bad... it received the highest severity score Microsoft has ever assigned to ASP.NET Core.
What Was the Issue?
The vulnerability, CVE-2025-55315, existed in Kestrel, which is the webserver ASP.NET Core uses to process requests. In layman’s terms, it would allow an attacker to send hidden or “sneaky” web requests and the server would be tricked into processing them. This is also known as an HTTP request smuggling attack. Imagine you slipped a fake letter into a pile of letters, so the system would process a letter that wasn’t real.
If someone exploited the vulnerability, they could:
• Access private information (login credentials, cookies, etc.)
• Modify or corrupt files on your server
• Crash your application or slow it down.
That is why Microsoft gave it a 9.9 out of 10, which is the most serious warning it has ever given for ASP.NET Core.
Who is at Risk?
Anyone running any of these versions should act quickly:
• ASP.NET Core 8.0 and 9.0 (including preview or beta)
• Any older version that uses Kestrel, including the ASP.NET Core Microsoft.AspNetCore.Server.Kestrel.Core package at version 2.3.0 or older
If your app is a self-contained deployment, you will need to rebuild it after the update. A framework-dependent app likely just needs the runtime updated and can use the existing app image.
What Should You Do Now?
Now is not the time to wait. You should do the following right away:
• Update your ASP.NET Core SDK or runtime to the latest patched version.
• Rebuild and redeploy your app if your app contains the runtime.
• Place Kestrel behind a proxy or firewall to block all direct internet traffic.
• Search your code for any custom request-handling logic, since this bug causes your app to read HTTP requests incorrectly.
This is a quick fix to make, but it may well become a sizable debacle down the road if you don't address it.
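To confirm the runtime update actually landed on a host, the sketch below (an added example, not Microsoft's tooling or code from this post) reads `dotnet --list-runtimes` output and flags every ASP.NET Core shared runtime below a patched floor that you pass in from Microsoft's advisory. The function names, the sample listing and the floor values used to try it are constructed for illustration.

```shell
# Added example (not from Microsoft or the original post): audit the output of
# `dotnet --list-runtimes` against patched floors that YOU supply, one per major.
# Usage: dotnet --list-runtimes | audit_aspnet_runtimes "<8.0 floor> <9.0 floor>"
# Exit status: 2 = vulnerable runtime found, 1 = manual review needed, 0 = clean.
audit_aspnet_runtimes() {
  awk -v floors="$1" '
    BEGIN {
      # Index the supplied floors by major version, e.g. floor["8"] = "8.0.5".
      n = split(floors, f, " ")
      for (i = 1; i <= n; i++) { split(f[i], p, "."); floor[p[1]] = f[i] }
    }
    # Only the ASP.NET Core shared framework ships Kestrel; skip other runtimes.
    $1 != "Microsoft.AspNetCore.App" { next }
    {
      ver = $2
      split(ver, v, ".")
      if (ver ~ /-/) {
        # Preview/RC builds do not compare numerically; leave them to a human.
        print "REVIEW     " ver " (pre-release build)"; review = 1
      } else if (!(v[1] in floor)) {
        print "REVIEW     " ver " (no floor supplied for this major)"; review = 1
      } else {
        split(floor[v[1]], m, ".")
        old = 0
        for (i = 1; i <= 3; i++) {
          if (v[i] + 0 < m[i] + 0) { old = 1; break }
          if (v[i] + 0 > m[i] + 0) break
        }
        if (old) { print "VULNERABLE " ver " < " floor[v[1]]; bad = 1 }
        else print "OK         " ver
      }
    }
    END { exit (bad ? 2 : (review ? 1 : 0)) }
  '
}

# Constructed sample listing (not from a real host) for trying the function.
sample_listing() {
  cat <<'EOF'
Microsoft.AspNetCore.App 8.0.3 [/usr/share/dotnet/shared/Microsoft.AspNetCore.App]
Microsoft.AspNetCore.App 9.0.7 [/usr/share/dotnet/shared/Microsoft.AspNetCore.App]
Microsoft.AspNetCore.App 10.0.0-preview.1 [/usr/share/dotnet/shared/Microsoft.AspNetCore.App]
Microsoft.NETCore.App 8.0.3 [/usr/share/dotnet/shared/Microsoft.NETCore.App]
EOF
}
```

The listing only covers shared runtimes installed on the host. A self-contained deployment carries its own copy of the runtime, so it still has to be rebuilt and redeployed even when this check comes back clean.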
Why This is Important
I have witnessed developers wait too long to apply security updates. This is a bug that is not commonplace; it is dangerous and affects one of the most commonly used features of ASP.NET Core.
Conclusion
To summarize, Microsoft patched a critical ASP.NET Core bug (CVE-2025-55315) that allows a hacker to perform HTTP request-smuggling to trick a server. Attackers could quickly steal server data, corrupt applications, or take down the entire server.
If your web application is using ASP.NET Core, update it immediately. Yes, now. Then keep checking until you know it is patched: you may think it is patched and secure, but you do not know for sure until you have confirmed it.