Microsoft patches ASP.NET Core bug rated highly critical
Briefly

"Dorrans explained that the smuggled request could perform actions such as logging in as a different user, bypassing cross-site request forgery checks, or performing injection attacks. The risks, he said, depend on how the application is written, and the bad outcomes are not likely 'unless your application code is doing something odd and skips a bunch of checks it ought to be making on every request.'"
"The high CVSS rating for CVE-2025-55315 has caused some confusion. On its own for ASP.NET Core, Dorrans said, the rating would be 'nowhere near that high,' but Microsoft scores for the worst case - 'a security feature bypass which changes scope.' Developers asking Dorrans exactly what would constitute vulnerable application code were given noncommittal answers. 'Anything that does something with a request could be problematic,' he said,"
Microsoft patched an ASP.NET Core Kestrel vulnerability scored CVSS 9.9 and described as 'our highest ever.' The flaw is a request smuggling issue that allows an extra request to be hidden inside another, including when the first request lacks authentication while the smuggled one normally requires it. A smuggled request can log in as a different user, bypass cross-site request forgery checks, or perform injection attacks. The severity depends on application code and whether the app skips expected per-request checks. Kestrel is widely used and all supported ASP.NET Core versions are affected; deployments behind proxies that remove smuggled requests are protected.
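The summary above says the attack hides a second request inside the first and that front-end proxies which strip such requests protect the application. As an added example (not code from The Register, Microsoft, or the ASP.NET Core project, and not a description of the specific Kestrel defect, whose mechanism the page does not give), the following Python checker shows the general framing checks such a front end applies to an HTTP/1.1 request so that both ends agree on where the body stops: conflicting Content-Length and Transfer-Encoding headers, malformed header names, non-hex chunk sizes, and bytes left over after the declared body. The sample requests are constructed for the demonstration.

```python
"""Framing-ambiguity checks for raw HTTP/1.1 requests (added example).

Rules follow the framing requirements of RFC 9112 section 6.3. A front end
that rejects requests flagged here leaves no room for a second request to be
read differently by the proxy and by the application server behind it.
"""
import re

HEX_FIELD = re.compile(rb"[0-9A-Fa-f]+")


def split_request(raw: bytes):
    """Split a raw request into (request_line, [(name, value)], body).

    Header names are returned verbatim (not stripped) so the caller can
    flag names containing whitespace, a classic source of parser disagreement.
    """
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete request head")
    lines = head.split(b"\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers.append((name, value.strip()))
    return lines[0], headers, body


def chunk_problems(body: bytes) -> list:
    """Walk a chunked body and report anything a strict parser would reject."""
    problems, pos = [], 0
    while True:
        end = body.find(b"\r\n", pos)
        if end < 0:
            return problems + ["chunked body is truncated"]
        size_field = body[pos:end].split(b";", 1)[0]  # drop chunk extensions
        if not HEX_FIELD.fullmatch(size_field):
            return problems + ["invalid chunk-size line %r" % body[pos:end]]
        size = int(size_field, 16)
        pos = end + 2
        if size == 0:
            break
        if body[pos + size:pos + size + 2] != b"\r\n":
            return problems + ["chunk data not terminated by CRLF"]
        pos += size + 2
    # The last chunk is followed by optional trailers and a blank line;
    # this checker does not accept trailers, so a bare CRLF must come next.
    if body[pos:pos + 2] != b"\r\n":
        return problems + ["missing final CRLF after last chunk"]
    leftover = body[pos + 2:]
    if leftover:
        problems.append("%d bytes after the final chunk" % len(leftover))
    return problems


def framing_problems(raw: bytes) -> list:
    """Return a list of reasons to reject the request; empty means clean."""
    _, headers, body = split_request(raw)
    problems, cl, te = [], [], []
    for name, value in headers:
        if re.search(rb"\s", name):
            problems.append("header name with whitespace: %r" % name)
        key = name.strip().lower()
        if key == b"content-length":
            cl.append(value)
        elif key == b"transfer-encoding":
            te.append(value)
    if cl and te:
        problems.append("both Content-Length and Transfer-Encoding present")
    if len(set(cl)) > 1:
        problems.append("conflicting Content-Length values")
    for v in cl:
        if not re.fullmatch(rb"[0-9]+", v):
            problems.append("non-numeric Content-Length %r" % v)
    if te:
        codings = [c.strip().lower() for v in te for c in v.split(b",")]
        if codings[-1] != b"chunked":
            problems.append("Transfer-Encoding does not end with chunked")
        else:
            problems.extend(chunk_problems(body))
    elif len(cl) == 1 and re.fullmatch(rb"[0-9]+", cl[0]):
        declared = int(cl[0])
        if len(body) > declared:
            problems.append("%d bytes after the declared body" % (len(body) - declared))
    return problems


# Constructed sample requests (hostnames and paths are placeholders).
CLEAN = (b"POST /login HTTP/1.1\r\nHost: app.example\r\n"
         b"Content-Length: 9\r\n\r\nuser=anna")
CL_AND_TE = (b"POST /login HTTP/1.1\r\nHost: app.example\r\n"
             b"Content-Length: 4\r\nTransfer-Encoding: chunked\r\n\r\n0\r\n\r\n")
SPACED_NAME = (b"POST /login HTTP/1.1\r\nHost: app.example\r\n"
               b"Transfer-Encoding : chunked\r\n\r\n0\r\n\r\n")
BAD_CHUNK = (b"POST /login HTTP/1.1\r\nHost: app.example\r\n"
             b"Transfer-Encoding: chunked\r\n\r\nzz\r\n")

if __name__ == "__main__":
    for label, req in [("clean", CLEAN), ("cl+te", CL_AND_TE),
                       ("spaced name", SPACED_NAME), ("bad chunk", BAD_CHUNK)]:
        print(label, "->", framing_problems(req) or "ok")
```

The check is deliberately strict: a request is rejected whenever two reasonable parsers could disagree about its length, rather than picking one interpretation, which is the behaviour the summary attributes to proxies that "remove smuggled requests".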
Read at Theregister