CVE-2025-55315

CRITICAL 9.9

ASP.NET Security Feature Bypass Vulnerability

CVSS Score

9.9

EPSS Score

0.0%

EPSS Percentile

0th

Inconsistent interpretation of http requests ('http request/response smuggling') in ASP.NET Core allows an authorized attacker to bypass a security feature over a network.

Vendor	microsoft
Product	asp.net core 2.3
Ecosystems	Windows .NET Azure
Industries	TechnologyEnterprise
Published	Oct 14, 2025
Last Updated	Feb 22, 2026

Stay Ahead of the Next One

Get instant alerts for microsoft asp.net core 2.3

Be the first to know when new critical vulnerabilities affecting microsoft asp.net core 2.3 are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L/E:U/RL:O/RC:C

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Scope

Confidentiality

Integrity

Availability

Affected Versions

Microsoft / ASP.NET Core 2.3

2.3 < 2.3.6

Microsoft / ASP.NET Core 8.0

8.0 < 8.0.21

Microsoft / ASP.NET Core 9.0

9.0 < 9.0.10

Microsoft / Microsoft Visual Studio 2022 version 17.10

17.10.0 < 17.10.20

Microsoft / Microsoft Visual Studio 2022 version 17.12

17.12.0 < 17.12.13

Microsoft / Microsoft Visual Studio 2022 version 17.14

17.14.0 < 17.14.17

References

NVD ↗ CVE.org ↗ EPSS Data ↗

msrc.microsoft.com: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-55315 gist.github.com: https://gist.github.com/N3mes1s/d0897c13ca199e739ecc2b562f466040 andrewlock.net: https://andrewlock.net/understanding-the-worst-dotnet-vulnerability-request-smuggling-and-cve-2025-55315/