CVE-2025-55315

EUVD-2025-34426
Inconsistent interpretation of http requests ('http request/response smuggling') in ASP.NET Core allows an authorized attacker to bypass a security feature over a network.
HTTP Request/Response Smuggling
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
9.9 CRITICAL
NETWORK
LOW
LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L
microsoftCNA
9.9 CRITICAL
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L/E:U/RL:O/RC:C
Base Score
CVSS 3.x
EPSS Score
Percentile: 58%
Affected Products (NVD)
VendorProductVersion
microsoftasp.net_core
2.3.0 ≤
𝑥
< 2.3.6
microsoftasp.net_core
8.0.0 ≤
𝑥
< 8.0.21
microsoftasp.net_core
9.0.0 ≤
𝑥
< 9.0.10
microsoftvisual_studio_2022
17.10.0 ≤
𝑥
< 17.10.20
microsoftvisual_studio_2022
17.12.10 ≤
𝑥
< 17.12.13
microsoftvisual_studio_2022
17.14.0 ≤
𝑥
< 17.14.17
𝑥
= Vulnerable software versions
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
dotnet6
bionic
dne
focal
dne
jammy
deferred
noble
dne
plucky
dne
questing
dne
trusty
dne
xenial
dne
dotnet7
bionic
dne
focal
dne
jammy
ignored
noble
dne
plucky
dne
questing
dne
trusty
dne
xenial
dne
dotnet8
bionic
dne
focal
dne
jammy
Fixed 8.0.121-8.0.21-0ubuntu1~22.04.1
released
noble
Fixed 8.0.121-8.0.21-0ubuntu1~24.04.1
released
plucky
Fixed 8.0.121-8.0.21-0ubuntu1~25.04.1
released
questing
Fixed 8.0.121-8.0.21-0ubuntu1~25.10.1
released
trusty
dne
xenial
dne
dotnet9
bionic
dne
focal
dne
jammy
dne
noble
dne
plucky
Fixed 9.0.111-9.0.10-0ubuntu1~25.04.1
released
questing
Fixed 9.0.111-9.0.10-0ubuntu1~25.10.1
released
trusty
dne
xenial
dne
dotnet10
bionic
dne
focal
dne
jammy
dne
noble
needs-triage
plucky
ignored
questing
Fixed 10.0.100-10.0.0~rc2-0ubuntu1~25.10.2
released
trusty
dne
xenial
dne
Common Weakness Enumeration
References
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-55315
https://andrewlock.net/understanding-the-worst-dotnet-vulnerability-request-smuggling-and-cve-2025-55315/
https://gist.github.com/N3mes1s/d0897c13ca199e739ecc2b562f466040