CVE-2025-55315

Inconsistent interpretation of http requests ('http request/response smuggling') in ASP.NET Core allows an authorized attacker to bypass a security feature over a network.
HTTP Request/Response Smuggling
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
9.9 CRITICAL
NETWORK
LOW
LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L
microsoftCNA
9.9 CRITICAL
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L/E:U/RL:O/RC:C
CISA-ADPADP
---
---
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 18%
VendorProductVersion
microsoftasp.net_core
2.3.0 ≤
𝑥
< 2.3.6
microsoftasp.net_core
8.0.0 ≤
𝑥
< 8.0.21
microsoftasp.net_core
9.0.0 ≤
𝑥
< 9.0.10
microsoftvisual_studio_2022
17.10.0 ≤
𝑥
< 17.10.20
microsoftvisual_studio_2022
17.12.10 ≤
𝑥
< 17.12.13
microsoftvisual_studio_2022
17.14.0 ≤
𝑥
< 17.14.17
𝑥
= Vulnerable software versions
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
dotnet6
questing
dne
plucky
dne
noble
dne
jammy
deferred
focal
dne
bionic
dne
xenial
dne
trusty
dne
dotnet7
questing
dne
plucky
dne
noble
dne
jammy
ignored
focal
dne
bionic
dne
xenial
dne
trusty
dne
dotnet8
questing
Fixed 8.0.121-8.0.21-0ubuntu1~25.10.1
released
plucky
Fixed 8.0.121-8.0.21-0ubuntu1~25.04.1
released
noble
Fixed 8.0.121-8.0.21-0ubuntu1~24.04.1
released
jammy
Fixed 8.0.121-8.0.21-0ubuntu1~22.04.1
released
focal
dne
bionic
dne
xenial
dne
trusty
dne
dotnet9
questing
Fixed 9.0.111-9.0.10-0ubuntu1~25.10.1
released
plucky
Fixed 9.0.111-9.0.10-0ubuntu1~25.04.1
released
noble
dne
jammy
dne
focal
dne
bionic
dne
xenial
dne
trusty
dne
dotnet10
questing
Fixed 10.0.100-10.0.0~rc2-0ubuntu1~25.10.2
released
plucky
dne
noble
dne
jammy
dne
focal
dne
bionic
dne
xenial
dne
trusty
dne
Common Weakness Enumeration
References
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-55315
https://andrewlock.net/understanding-the-worst-dotnet-vulnerability-request-smuggling-and-cve-2025-55315/
https://gist.github.com/N3mes1s/d0897c13ca199e739ecc2b562f466040