Microsoft has issued a security patch for a critical remote code execution (RCE) vulnerability in ASP.NET Core, marking it with a CVSS score of 9.9 — the highest severity rating the company has ever assigned. The flaw, tracked as CVE-2025-55315, undermines the built-in Kestrel web server used across all supported versions of the ASP.NET Core framework.
This vulnerability, which enables HTTP request smuggling, poses significant risks to application security, ranging from credential theft and unauthorized access to full server compromise. Given the scope and potential impact, developers and system administrators are urged to take immediate action by updating applicable components.
CVE-2025-55315 Enables HTTP Request Smuggling in Kestrel Web Server
CVE-2025-55315 resides in Kestrel, the default cross-platform web server embedded in ASP.NET Core. It involves improper parsing of HTTP requests, allowing an attacker to embed malicious or unauthorized requests within legitimate ones. This form of exploitation, known as HTTP request smuggling, can bypass server-side authentication and validation mechanisms without detection.
Exploitation May Lead to Attack Chain Escalation
While request smuggling itself does not automatically result in remote code execution, it lays the groundwork for attackers to orchestrate further malicious actions. As Microsoft and others have warned, successful exploitation could lead to:
- Security feature bypasses
- Credential hijacking
- Privilege escalation or forced system actions
- Unauthorized access to sensitive backend resources
Given the nature of ASP.NET Core as a backend framework for APIs, microservices, and web apps, the ability to bypass middleware controls through malformed HTTP requests significantly elevates the risk.
All Versions of ASP.NET Core Are Affected, Including Pre-Releases
CVE-2025-55315 impacts all actively supported versions of ASP.NET Core — versions 8, 9, and even version 10 in its pre-release form. This includes deployments using both the framework-dependent model (where the host’s platform provides the runtime) and self-contained deployments (where the published application includes its own runtime and libraries).
Developers are advised to evaluate how their specific deployments are structured in order to apply the correct remediation:
- For framework-dependent deployments, updating the server’s .NET SDK or the `Microsoft.AspNetCore.Server.Kestrel.Core` package via NuGet is mandatory.
- For self-contained deployments, application owners must rebuild and redeploy their software using an updated .NET SDK that includes the patch.
Microsoft emphasizes that each application must be individually assessed to determine exposure based on implemented request-handling logic and Kestrel configuration.
The Highest Severity Score Among a History of Critical .NET Vulnerabilities
Microsoft’s assignment of a 9.9 CVSS score underscores the severity of CVE-2025-55315. It represents a new peak in a long lineage of .NET vulnerabilities with remote execution implications. Several other recent critical vulnerabilities, though high-impact, scored slightly lower:
- CVE-2023-21808 — a remote code execution flaw due to improper input validation in .NET and Visual Studio.
- CVE-2024-35264 — a RCE vulnerability stemming from data corruption in Kestrel’s HTTP/3 implementation.
- CVE-2020-0603 — older memory-handling issues in ASP.NET Core 2.x and 3.x enabling arbitrary code execution by authenticated users.
- CVE-2025-36854 — a race condition in ASP.NET’s HTTP/3 stream handling causing use-after-free bugs.
Although not all of these shared the same attack vector (e.g., memory mismanagement versus request parsing), they reinforce a broader pattern: Kestrel, while performant and lightweight, is repeatedly at risk for complex low-level vulnerabilities that can ultimately permit arbitrary code execution in production environments.
Long-Term Implications for ASP.NET Core Developers
This latest patch reflects growing concerns about application-layer trust boundaries and the complications of securing HTTP parsing in modern frameworks. Because ASP.NET Core and its Kestrel server are widely used in cloud-native service architectures, zero-trust environments, and public APIs, any flaw in HTTP transport can have cascading effects across microservices, identity providers, and upstream clients.
For ASP.NET Core practitioners, this means:
- Reviewing whether WAFs (Web Application Firewalls) or reverse proxies adequately normalize upstream HTTP traffic.
- Testing applications with fuzzers or static analyzers to identify suspicious or malformed payload handling.
- Rebuilding self-contained apps periodically after SDK updates, as patching the host system will not affect embedded runtimes.
- Monitoring security advisories related to Kestrel and .NET Core more closely, especially around HTTP handling features like chunked encoding or multi-request buffering.
In addition, organizations participating in the Microsoft .NET Bounty Program may consider reviewing ASP.NET Core HTTP parsing logic as a potential research target, given the magnitude of recent CVEs and Microsoft’s willingness to offer sizeable rewards (up to $40,000) for impactful disclosures.
Immediate Remediation Steps Required
Microsoft advises urgent patching in line with the deployment method:
- Update to the latest .NET SDK and replace Kestrel.Core packages in your NuGet project references.
- For framework-dependent apps, ensure the hosting server has the updated runtime installed.
- For self-contained apps, rebuild using patched SDKs and redeploy as part of a secured CI/CD pipeline.
Given the exploitability of HTTP request smuggling and its potential to enable downstream attack chains, this patch should be given priority alongside perimeter security and monitoring updates.
While Microsoft has acted decisively in issuing the patch, the presence of similarly critical Kestrel vulnerabilities in recent years suggests that ASP.NET Core developers must adopt a proactive stance—including threat modeling and security testing at the HTTP parsing layer—to stay ahead of evolving attack patterns.
