Microsoft Patches 9.9-Rated ASP.NET Core Request-Smuggling Flaw
by Justin Erickson
Microsoft has fixed CVE-2025-55315, an HTTP request-smuggling vulnerability in the Kestrel web server for ASP.NET Core. It affects ASP.NET Core versions 2.3, 8, 9, and 10. Its CVSS score of 9.9 (Critical) is described by the .NET security team as the highest severity they’ve given an ASP.NET Core issue. The impact varies by app and hosting configuration. Patches are available by downloading the latest version, or by updating to the latest version of the package (Microsoft.AspNetCore.Server.Kestrel.Core 2.3.6) through the NuGet package manager. Microsoft advises installing the .NET updates, then restarting apps (or the host), and redeploying self-contained/single-file apps after recompilation. For specifics on each affected version, check the articles below.
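One way to find projects and published apps that still carry an older Kestrel package, as an added example that is not from the article or from Microsoft: it reads `<PackageReference>` items in a `.csproj` and the `libraries` keys of a `*.deps.json`. It judges only the 2.3.x line, because 2.3.6 is the only fixed package version the article names; the function names and sample files are constructed for illustration.

```python
import json
import re
import xml.etree.ElementTree as ET

PACKAGE = "Microsoft.AspNetCore.Server.Kestrel.Core"
FIXED_2_3 = (2, 3, 6)  # fixed package version named in the article

def below_fixed_2_3(version):
    """True only for 2.3.x versions older than 2.3.6; other release lines are not judged."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:[-+].*)?", version.strip())
    v = tuple(int(g) for g in m.groups()) if m else None  # ranges/wildcards are not resolved
    return v is not None and v[:2] == FIXED_2_3[:2] and v < FIXED_2_3

def versions_in_csproj(xml_text):
    """Versions requested by <PackageReference> items (attribute or child element form)."""
    found = []
    for el in ET.fromstring(xml_text).iter():
        name = el.get("Include") or el.get("Update") or ""
        if el.tag.rsplit("}", 1)[-1] != "PackageReference" or name.lower() != PACKAGE.lower():
            continue
        version = el.get("Version") or next(
            (c.text for c in el if c.tag.rsplit("}", 1)[-1] == "Version"), None)
        if version:
            found.append(version.strip())
    return found

def versions_in_deps_json(json_text):
    """Resolved versions taken from the "Name/Version" keys under "libraries"."""
    pairs = (k.split("/", 1) for k in json.loads(json_text).get("libraries", {}) if "/" in k)
    return [ver for name, ver in pairs if name.lower() == PACKAGE.lower()]

def audit(files):
    """files maps file name -> text; returns (file, version) pairs below the 2.3.6 fix."""
    hits = []
    for name, text in files.items():
        reader = versions_in_deps_json if name.endswith(".deps.json") else versions_in_csproj
        hits += [(name, v) for v in reader(text) if below_fixed_2_3(v)]
    return hits

# Constructed sample input: a project pinned to 2.3.0 and a published app already at 2.3.6.
SAMPLE = {
    "WebApp.csproj": '<Project Sdk="Microsoft.NET.Sdk.Web"><ItemGroup><PackageReference '
                     f'Include="{PACKAGE}" Version="2.3.0" /></ItemGroup></Project>',
    "Published.deps.json": '{"libraries": {"%s/2.3.6": {"type": "package"}}}' % PACKAGE,
}

if __name__ == "__main__":
    for path, version in audit(SAMPLE):
        print(f"{path}: {PACKAGE} {version} is below 2.3.6")
```

A `*.deps.json` hit means the published output itself bundles the old package, so that app has to be rebuilt and redeployed rather than only restarted.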
Third-Party references:
