Important CVSS 9.9 EPSS 0.66258 2025-10 archive

Executive Summary

Inconsistent interpretation of HTTP requests ('HTTP request/response smuggling') in ASP.NET Core allows an authorized attacker to bypass a security feature over a network.

Overview

CVSS 9.9 CRITICAL
MS Severity Important
MS Exploit Status Not Exploited
MS Exploit Likelihood Less Likely
Category Security Feature Bypass
Released Oct 14 2025
Last Updated Oct 14 2025
Publicly Disclosed No
CISA KEV Not Listed
Known Exploits None Known
EPSS Score 0.66258 — 0.99181 percentile
NVD CVSS 9.9 CRITICAL — matches MSRC

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L/E:U/RL:O/RC:C
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Changed
Confidentiality: High
Integrity: High
Availability: Low
Exploit Code Maturity: Unproven
Remediation Level: Official Fix
Report Confidence: Confirmed
Temporal Score: 8.6

EPSS Score

0.66258 probability of exploitation in the next 30 days
0.99181 percentile - updated 2026-06-21

Affected Products

6 affected products
Product | KB Article | Severity | Impact | Restart Required
ASP.NET Core 2.3 | Release Notes (Security Update) | Important | Security Feature Bypass | Maybe
ASP.NET Core 8.0 | 5068331 (Security Update) | Important | Security Feature Bypass | Maybe
ASP.NET Core 9.0 | 5068332 (Security Update) | Important | Security Feature Bypass | Maybe
Microsoft Visual Studio 2022 version 17.10 | Release Notes (Security Update) | Important | Security Feature Bypass | Maybe
Microsoft Visual Studio 2022 version 17.12 | Release Notes (Security Update) | Important | Security Feature Bypass | Maybe
Microsoft Visual Studio 2022 version 17.14 | Release Notes (Security Update) | Important | Security Feature Bypass | Maybe

Patches

3 patches
Article | Type | Restart
Release Notes | Security Update | Maybe
5068331 | Security Update | Maybe
5068332 | Security Update | Maybe

Known Exploits

Acknowledgments

Sid