Microsoft Security Advisory CVE-2025-55315: .NET Security Feature Bypass Vulnerability

[victorisr]

Microsoft Security Advisory CVE-2025-55315: .NET Security Feature Bypass Vulnerability

Executive summary

Microsoft is releasing this security advisory to provide information about a vulnerability in ASP.NET Core 10.0 , ASP.NET Core 9.0 , ASP.NET Core 8.0, and ASP.NET Core 2.3. This advisory also provides guidance on what developers can do to update their applications to address this vulnerability.

Inconsistent interpretation of http requests ('http request/response smuggling') in ASP.NET Core allows an authorized attacker to bypass a security feature over a network.

Discussion

Discussion for this issue can be found at dotnet/announcements#371

Mitigation factors

Microsoft has not identified any mitigating factors for this vulnerability.

Affected software

• Any ASP.NET Core 10.0 application running on ASP.NET Core 10.0.0-rc.1.25451.107 or earlier.
• Any ASP.NET Core 9.0 application running on ASP.NET Core 9.0.9 or earlier.
• Any ASP.NET Core application running on ASP.NET Core 8.0.20 or earlier.
• Any ASP.NET Core 2.x application consuming the package Microsoft.AspNetCore.Server.Kestrel.Core version 2.3.0 or earlier.

Affected Packages

The vulnerability affects any Microsoft .NET Core project if it uses any of affected packages versions listed below

Package name	Affected version	Patched version
Microsoft.AspNetCore.Server.Kestrel.Core	<= 2.3.0	2.3.6

ASP.NET Core 10

Package name	Affected version	Patched version
Microsoft.AspNetCore.App.Runtime.linux-arm	10.0.0-rc.1.25451.107	10.0.0-rc.2.25476.107
Microsoft.AspNetCore.App.Runtime.linux-arm64	10.0.0-rc.1.25451.107	10.0.0-rc.2.25476.107
Microsoft.AspNetCore.App.Runtime.linux-musl-arm	10.0.0-rc.1.25451.107	10.0.0-rc.2.25502.107
Microsoft.AspNetCore.App.Runtime.linux-musl-arm64	10.0.0-rc.1.25451.107	10.0.0-rc.2.25502.107
Microsoft.AspNetCore.App.Runtime.linux-musl-x64	10.0.0-rc.1.25451.107	10.0.0-rc.2.25502.107
Microsoft.AspNetCore.App.Runtime.linux-x64	10.0.0-rc.1.25451.107	10.0.0-rc.2.25502.107
Microsoft.AspNetCore.App.Runtime.osx-arm64	10.0.0-rc.1.25451.107	10.0.0-rc.2.25502.107
Microsoft.AspNetCore.App.Runtime.osx-x64	10.0.0-rc.1.25451.107	10.0.0-rc.2.25502.107
Microsoft.AspNetCore.App.Runtime.win-arm	10.0.0-rc.1.25451.107	10.0.0-rc.2.25502.107
Microsoft.AspNetCore.App.Runtime.win-arm64	10.0.0-rc.1.25451.107	10.0.0-rc.2.25502.107
Microsoft.AspNetCore.App.Runtime.win-x64	10.0.0-rc.1.25451.107	10.0.0-rc.2.25502.107
Microsoft.AspNetCore.App.Runtime.win-x86	10.0.0-rc.1.25451.107	10.0.0-rc.2.25502.107

ASP.NET Core 9

Package name	Affected version	Patched version
Microsoft.AspNetCore.App.Runtime.linux-arm	>= 9.0.0, <= 9.0.9	9.0.10
Microsoft.AspNetCore.App.Runtime.linux-arm64	>= 9.0.0, <= 9.0.9	9.0.10
Microsoft.AspNetCore.App.Runtime.linux-musl-arm	>= 9.0.0, <= 9.0.9	9.0.10
Microsoft.AspNetCore.App.Runtime.linux-musl-arm64	>= 9.0.0, <= 9.0.9	9.0.10
Microsoft.AspNetCore.App.Runtime.linux-musl-x64	>= 9.0.0, <= 9.0.9	9.0.10
Microsoft.AspNetCore.App.Runtime.linux-x64	>= 9.0.0, <= 9.0.9	9.0.10
Microsoft.AspNetCore.App.Runtime.osx-arm64	>= 9.0.0, <= 9.0.9	9.0.10
Microsoft.AspNetCore.App.Runtime.osx-x64	>= 9.0.0, <= 9.0.9	9.0.10
Microsoft.AspNetCore.App.Runtime.win-arm	>= 9.0.0, <= 9.0.9	9.0.10
Microsoft.AspNetCore.App.Runtime.win-arm64	>= 9.0.0, <= 9.0.9	9.0.10
Microsoft.AspNetCore.App.Runtime.win-x64	>= 9.0.0, <= 9.0.9	9.0.10
Microsoft.AspNetCore.App.Runtime.win-x86	>= 9.0.0, <= 9.0.9	9.0.10

ASP.NET Core 8

Package name	Affected version	Patched version
Microsoft.AspNetCore.App.Runtime.linux-arm	>= 8.0.0, <= 8.0.20	8.0.21
Microsoft.AspNetCore.App.Runtime.linux-arm64	>= 8.0.0, <= 8.0.20	8.0.21
Microsoft.AspNetCore.App.Runtime.linux-musl-arm	>= 8.0.0, <= 8.0.20	8.0.21
Microsoft.AspNetCore.App.Runtime.linux-musl-arm64	>= 8.0.0, <= 8.0.20	8.0.21
Microsoft.AspNetCore.App.Runtime.linux-musl-x64	>= 8.0.0, <= 8.0.20	8.0.21
Microsoft.AspNetCore.App.Runtime.linux-x64	>= 8.0.0, <= 8.0.20	8.0.21
Microsoft.AspNetCore.App.Runtime.osx-arm64	>= 8.0.0, <= 8.0.20	8.0.21
Microsoft.AspNetCore.App.Runtime.osx-x64	>= 8.0.0, <= 8.0.20	8.0.21
Microsoft.AspNetCore.App.Runtime.win-arm	>= 8.0.0, <= 8.0.20	8.0.21
Microsoft.AspNetCore.App.Runtime.win-arm64	>= 8.0.0, <= 8.0.20	8.0.21
Microsoft.AspNetCore.App.Runtime.win-x64	>= 8.0.0, <= 8.0.20	8.0.21
Microsoft.AspNetCore.App.Runtime.win-x86	>= 8.0.0, <= 8.0.20	8.0.21

Advisory FAQ

How do I know if I am affected?

If you have a runtime or SDK with a version listed, or an affected package listed in affected software or affected packages, you're exposed to the vulnerability.

How do I fix the issue?

1. To fix the issue please install the latest version of .NET 9.0 and .NET 8.0. If you have installed one or more .NET SDKs through Visual Studio, Visual Studio will prompt you to update Visual Studio, which will also update your .NET SDKs.
2. If your application references the vulnerable package, update the package reference to the patched version.

• You can list the versions you have installed by running the dotnet --info command. You will see output like the following;

.NET SDK:
 Version:           9.0.100
 Commit:            59db016f11
 Workload version:  9.0.100-manifests.3068a692
 MSBuild version:   17.12.7+5b8665660

Runtime Environment:
 OS Name:     Mac OS X
 OS Version:  15.2
 OS Platform: Darwin
 RID:         osx-arm64
 Base Path:   /usr/local/share/dotnet/sdk/9.0.100/

.NET workloads installed:
There are no installed workloads to display.
Configured to use loose manifests when installing new manifests.

Host:
  Version:      9.0.0
  Architecture: arm64
  Commit:       9d5a6a9aa4

.NET SDKs installed:
  9.0.100 [/usr/local/share/dotnet/sdk]

.NET runtimes installed:
  Microsoft.AspNetCore.App 9.0.0 [/usr/local/share/dotnet/shared/Microsoft.AspNetCore.App]
  Microsoft.NETCore.App 9.0.0 [/usr/local/share/dotnet/shared/Microsoft.NETCore.App]

Other architectures found:
  x64   [/usr/local/share/dotnet]
    registered at [/etc/dotnet/install_location_x64]

Environment variables:
  Not set

global.json file:
  Not found

Learn more:
  https://aka.ms/dotnet/info

Download .NET:
  https://aka.ms/dotnet/download

• If you're using .NET 8.0, you should download and install .NET 8.0.21 Runtime or .NET 8.0.318 SDK (for Visual Studio 2022 v17.10 latest update) from https://dotnet.microsoft.com/download/dotnet-core/8.0.

• If you're using .NET 9.0, you should download and install .NET 9.0.10 Runtime or .NET 9.0.111 SDK (for Visual Studio 2022 v17.12 latest update) from https://dotnet.microsoft.com/download/dotnet-core/9.0.

• If you're using .NET 10.0, you should download and install .NET 10.0.0-rc.2.25476.107 Runtime or .NET 10.0.100-rc.2.25476.107 SDK (for Visual Studio 2022 v17.12 latest update) from https://dotnet.microsoft.com/download/dotnet-core/10.0.

• If you're using Microsoft.AspNetCore.Server.Kestrel.Core nuget package, update to the latest version 2.3.6 using either of the following methods:

  • Using the NuGet Package Manager UI in Visual Studio:
    - Open your project in Visual Studio.
    - Right-click on your project in Solution Explorer and select "Manage NuGet Packages..." or navigate to "Project > Manage NuGet Packages".
    - In the NuGet Package Manager window, select the "Updates" tab. This tab lists packages with available updates from your configured package sources.
    - Select the package(s) you wish to update. You can choose a specific version from the dropdown or update to the latest available version.
    - Click the "Update" button.

  • Using the NuGet Package Manager Console in Visual Studio:
    - Open your project in Visual Studio.
    - Navigate to "Tools > NuGet Package Manager > Package Manager Console".
    - To update a specific package to its latest version, use the Update-Package command:
    Code:

          Update-Package -Id Microsoft.AspNetCore.Server.Kestrel.Core
    

  • Using the .NET CLI (Command Line Interface):
    Open a terminal or command prompt in your project's directory.
    To update a specific package to its latest version:
    Code:

          dotnet add package Microsoft.AspNetCore.Server.Kestrel.Core
    

Once you have installed the updated runtime or SDK, restart your apps for the update to take effect.

Additionally, if you've deployed self-contained applications targeting any of the impacted versions, these applications are also vulnerable and must be recompiled and redeployed.

Other Information

Reporting Security Issues

If you have found a potential security issue in .NET 8.0, .NET 9.0 or .NET 10.0, please email details to secure@microsoft.com. Reports may qualify for the Microsoft .NET Core & .NET 5 Bounty. Details of the Microsoft .NET Bounty Program including terms and conditions are at https://aka.ms/corebounty.

Support

You can ask questions about this issue on GitHub in the .NET GitHub organization. The main repos are located at https://github.com/dotnet/aspnetcore. The Announcements repo (https://github.com/dotnet/Announcements) will contain this bulletin as an issue and will include a link to a discussion issue. You can ask questions in the linked discussion issue.

Disclaimer

The information provided in this advisory is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.

External Links

Acknowledgement

Sid

CVE-2025-55315

Revisions

V1.0 (October 14, 2025): Advisory published.

Version 1.0

Last Updated 2025-10-14

[blowdart]

In order to, hopefully, address any questions, I want to explain that CVSS score of 9.9, our highest ever. Let's examine why.

The bug enables HTTP Request Smuggling, which on its own for ASP.NET Core would be nowhere near that high, but that's not how we rate things...

Instead, we score based how the bug might affect applications built on top of ASP.NET.

Request Smuggling allows an attacker to hide an extra request inside an another, and what that hidden request can do is very application specific.

The smuggled request could cause your application code to

• Login as a different user (EOP)
• Make an internal request (SSRF)
• Bypass CSRF checks
• Perform an injection attack

But we don't know what's possible because it's dependent on how you've written your app.

Thus, we score with the worst possible case in mind, a security feature bypass which changes scope.

Is that likely? No, probably not unless your application code is doing something odd and skips a bunch of checks that it ought to be making on every request.

However please go update.

Finally, to try to answer some frequent questions in advance:

• Can we score for your individual circumstances? I'm sorry but no. We don't know your code base, your appetite for risk or your regulatory requirements, nor can we look at it and evaluate the risk for you.
• Should I run out and immediately install the update? Only you can evaluate the risks to your application.

[Sebazzz]

No, probably not unless your application code is doing something odd and skips a bunch of checks that it ought to be making on every request

It would be useful to know what that is.

Also, am I correct in assuming that applications running in IIS are not vulnerable?

[blowdart]

It would be useful to know what that is.

It's totally application dependent unfortunately.

Also, am I correct in assuming that applications running in IIS are not vulnerable?

That's a question for the Windows HTTP.SYS folks. I can't speak for them unfortunately.

[Sebazzz]

It would be useful to know what that is.

It's totally application dependent unfortunately.

Right, but quoting a little less selectively:

Thus, we score with the worst possible case in mind, a security feature bypass which changes scope.

Is that likely? No, probably not unless your application code is doing something odd and skips a bunch of checks that it ought to be making on every request.

It would be know what "doing something odd" is. That does sound like it is likely not something that happens with a LOB standard Razor Web app but rather if you're modifying the HTTP pipeline with custom middleware or using Yarp or similar.

I may have ten or more applications to patch so it would be very useful to know what to check for. If the conclusion is "every ASP.NET Core app is likely to be vulnerable" then the text is only confusing.

Also, am I correct in assuming that applications running in IIS are not vulnerable?

That's a question for the Windows HTTP.SYS folks. I can't speak for them unfortunately.

I'm asking because the patched library appears to be Kestrel.

[blowdart]

It would be useful to know what that is.

It's totally application dependent unfortunately.

Right, but quoting a little less selectively:

Thus, we score with the worst possible case in mind, a security feature bypass which changes scope.
Is that likely? No, probably not unless your application code is doing something odd and skips a bunch of checks that it ought to be making on every request.

It would be know what "doing something odd" is. That does sound like it is likely not something that happens with a LOB standard Razor Web app but rather if you're modifying the HTTP pipeline with custom middleware or using Yarp or similar.

I may have ten or more applications to patch so it would be very useful to know what to check for. If the conclusion is "every ASP.NET Core app is likely to be vulnerable" then the text is only confusing.

So things like authentication, server side http calls, updating databases based on information in an http request. Basically anything that does something with a request could be problematic.

But, for example, an application that just appends to a log, no authentication, and the log truncates, would be vulnerable to missing real log entries. An app that does authentication and has access rules based on the authentication may be vulnerable to elevation of privilege, if it's not checking the identity at the point of trying to do something that needs admin rights.

Note that this is personal opinion at this point, and not official Microsoft opinion.

Also, am I correct in assuming that applications running in IIS are not vulnerable?

That's a question for the Windows HTTP.SYS folks. I can't speak for them unfortunately.

I'm asking because the patched library appears to be Kestrel.

Ah! Got you. We know Kestrel was vulnerable, we left looking at and evaluating http.sys, which IIS hosts atop of to Windows, as they own that component. I can't speak for them.

[dauthleikr]

Am I correct in assuming that a self-contained ASP.NET Core application running in IIS is not vulnerable, assuming that IIS is not vulnerable? Or, in other words: Is this vulnerability strictly isolated to the Kestrel webserver, and not a general vulnerability within ASP.NET Core?

[JuergenAuer]

Or, in other words: Is this vulnerability strictly isolated to the Kestrel webserver, and not a general vulnerability within ASP.NET Core?

Unfortunately, that may be wrong in general.

I'm running a web application, IIS InProcess - hosted, no Kestrel used. But I saw a bug creating a notification mail via FirstChanceHandler:

FirstChanceException event raised in own_class: Object reference not set to an instance of an object.,    
at Microsoft.AspNetCore.Server.Kestrel.Core.Internal.Infrastructure.StringUtilities.TryGetAsciiString(Byte* input, Char* output, Int32 count)

 Method: Void FirstChanceHandler(System.Object, System.Runtime.ExceptionServices.FirstChanceExceptionEventArgs)

   Method: Boolean TryGetAsciiString(Byte*, Char*, Int32)

     Method: System.String GetAsciiOrUTF8StringNonNullCharacters(System.ReadOnlySpan`1[System.Byte], System.Text.Encoding)

       Method: Microsoft.Extensions.Primitives.StringValues get_From()

         Method: Boolean PropertiesTryGetValue(System.String, Microsoft.Extensions.Primitives.StringValues ByRef)

           Method: Microsoft.Extensions.Primitives.StringValues get_Item(System.String)

             Method: Void own_Method()

So Kestrel.Core.Internal.Infrastructure.StringUtilities is used, but the project doesn't use Kestrel. If the bug is in such code blocks, it may affect IIS-hosted applications. Because of own incomplete errors, I don't know which method or property call created that exception. Must be something reading headers, query string or form elements to create a notification mail.

[blowdart]

Am I correct in assuming that a self-contained ASP.NET Core application running in IIS is not vulnerable, assuming that IIS is not vulnerable? Or, in other words: Is this vulnerability strictly isolated to the Kestrel webserver, and not a general vulnerability within ASP.NET Core?

Yes, I think that's a reasonable way to put it.

[philipwhiuk]

But we don't know what's possible because it's dependent on how you've written your app.

Every bug is a critical security vulnerability in this world. If they are writing their app like this then the App has the critical CVE not the library.

Just because you can write this code

if (library.apiCall()) {
   remoteUserCanRunAsRoot = true;
}

it does not mean that apiCall() returning true instead of false is a remote privilege escalation vuln.

[qrli]

Does it assume the gateway/proxy in front of the application is also vulnerable? If the gateway/proxy normalizes the request per strict http 1.1 and only send the normalized requests to upstream, will the upstream ASP.NET Core application still suffer from such attack?

[blowdart]

Does it assume the gateway/proxy in front of the application is also vulnerable? If the gateway/proxy normalizes the request per strict http 1.1 and only send the normalized requests to upstream, will the upstream ASP.NET Core application still suffer from such attack?

We can't assume there's a gateway in front of an application. If such a gateway manages to remove smuggled requests, then the app could never see it, so there wouldn't be a problem.

[blowdart]

But we don't know what's possible because it's dependent on how you've written your app.

Every bug is a critical security vulnerability in this world. If they are writing their app like this then the App has the critical CVE not the library.

Just because you can write this code

if (library.apiCall()) {
   remoteUserCanRunAsRoot = true;
}

it does not mean that apiCall() returning true instead of false is a remote privilege escalation vuln.

This is true, which is why I said it's app dependent. But if we lowered the score, because really for asp.net it doesn't cross trust boundaries it would leave folks vulnerable if their apps were written in ways that exposed them to parsing smuggled requests badly.

That would be a disservice to our users, hence the high score.

[tjbortz1s]

I was not familiar with the concept of request smuggling, and in the context of that unfamiliarity it wasn't clear to me how to go about knowing if an app was vulnerable.

After reading, my understanding is that a scenario that would create this CVE might be:

1. .net core application has a /deletemyaccount and a /viewthisuser endpoint - it does no authentication
2. proxy (nginx, anything really who knows what the specific proxy is) says /viewthisuser can be accessed by anyone, but /deletemyaccount requires basic authentication

The attacker sends a malicious request. It is formed such that:
Nginx sees /viewthisuser - it lets the request through with no issue.
.net sees /deletemyaccount
.net assumes nginx validated /deletemyaccount to be authenticated
.net runs /deletemyaccount

Someone please correct me if I am mistaken, but the big thing to look for is any .net app that relies on an external server for any form of validation or authorization. Middleware "simple" servers that do their own login logic should not be impacted?

[PaulusParssinen]

I recall YARP relying heavily on Kestrel infrastructure so could the logic built-on top of it also be potentially affected by this?

[blowdart]

I recall YARP relying heavily on Kestrel infrastructure so could the logic built-on top of it also be potentially affected by this?

If you update the runtime on your servers Yarp will get the update too. They don't need a separate CVE, or to rebuild, as they're not running atop framework, nor are they self contained.

[adamavis3]

@JuergenAuer I wont tell you if that will 100% solve it, but that looks like you're on the right track. I'd suggest someone stuck in a lower version test before and try to reproduce with burpsuite repeater. If vulnerable, You should be able to see 2 responses come back like:

[egraff]

Is this a fix?

If Not StringValues.IsNullOrEmpty(Request.Headers.TransferEncoding) AndAlso Request.Headers.ContentLength > 0

... stop processing the request.

Could be used with every version. I'm using 8.0.21, so I'm not affected. But if such a check is enough, ...

@JuergenAuer absolutely not! Although there are other request smuggling approaches that rely on the Content-Length header, it is not implicated in this particular vulnerability.

[JuergenAuer]

but that looks like you're on the right track

Looks like the problem is a pure IIS problem.

Installed ncat,

ncat my-online-ip 80 < command-good.txt

with file saved as ASCII and these empty lines

GET / HTTP/1.1
Host: mydomain.de

produced the expected output:

HTTP/1.1 301 Moved Permanently
Content-Type: text/html; charset=utf-8
Location: https://mydomain.de/
Server: Microsoft-IIS/10.0
X-Powered-By: ARR/3.0
X-Powered-By: ASP.NET
Date: Fri, 24 Oct 2025 22:11:58 GMT
Content-Length: 0

Used the code from #64033 (comment)

POST / HTTP/1.1
Host: mydomain.de
Content-Length: 13
Transfer-Encoding: chunked

0

GET / HTTP/1.1
Host: localhost
X:

I see two results, two http headers, one without html, the other with html.

HTTP/1.1 400 Bad Request
Content-Type: text/html
Server: Microsoft-IIS/10.0
X-Powered-By: ASP.NET
Date: Fri, 24 Oct 2025 22:09:29 GMT
Content-Length: 24

Unzulässige AnforderungHTTP/1.1 400 Bad Request
Content-Type: text/html; charset=us-ascii
Server: Microsoft-HTTPAPI/2.0
Date: Fri, 24 Oct 2025 22:09:29 GMT
Connection: close
Content-Length: 311

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN""http://www.w3.org/TR/html4/strict.dtd">
<HTML><HEAD><TITLE>Bad Request</TITLE>
<META HTTP-EQUIV="Content-Type" Content="text/html; charset=us-ascii"></HEAD>
<BODY><h2>Bad Request</h2>
<hr><p>HTTP Error 400. The request is badly formed.</p>
</BODY></HTML>

PS: @egraff : Yes, it's an IIS problem. Can't be fixed via an application behind IIS.

[adamavis3]

IIS has a flag you can set to mitigate. Get Outlook for Android<https://aka.ms/AAb9ysg> [cid:insurity-email-signature-2024_e538b379-188c-4235-a9ab-964cc780ac9d.jpg] Adam Davis | CSSLP | Director, Application Security T 438-701-2533 [cid:eii2025-signature_efe8207f-b665-489d-8040-b4f64c17be60.jpg]<https://insurity.com/excellence> <https://insurity.com/excellence> <https://insurity.com/excellence> <https://excellence.insurity.com/excellence/p/1>

…

________________________________ From: JuergenAuer ***@***.***> Sent: Friday, October 24, 2025 6:23:30 PM To: dotnet/aspnetcore ***@***.***> Cc: Adam Davis ***@***.***>; Comment ***@***.***> Subject: Re: [dotnet/aspnetcore] Microsoft Security Advisory CVE-2025-55315: .NET Security Feature Bypass Vulnerability (Issue #64033) [https://avatars.githubusercontent.com/u/65248690?s=20&v=4]JuergenAuer left a comment (dotnet/aspnetcore#64033)<#64033 (comment)> but that looks like you're on the right track Looks like the problem is a pure IIS problem. Installed ncat, ncat my-online-ip 80 < command-good.txt with file saved as ASCII and these empty lines GET / HTTP/1.1 Host: mydomain.de produced the expected output: HTTP/1.1 301 Moved Permanently Content-Type: text/html; charset=utf-8 Location: https://mydomain.de/ Server: Microsoft-IIS/10.0 X-Powered-By: ARR/3.0 X-Powered-By: ASP.NET Date: Fri, 24 Oct 2025 22:11:58 GMT Content-Length: 0 Used the code from #64033 (comment)<#64033 (comment)> POST / HTTP/1.1 Host: mydomain.de Content-Length: 13 Transfer-Encoding: chunked 0 GET / HTTP/1.1 Host: localhost X: I see two results, two http headers, one without html, the other with html. HTTP/1.1 400 Bad Request Content-Type: text/html Server: Microsoft-IIS/10.0 X-Powered-By: ASP.NET Date: Fri, 24 Oct 2025 22:09:29 GMT Content-Length: 24 Unzul├ñssige AnforderungHTTP/1.1 400 Bad Request Content-Type: text/html; charset=us-ascii Server: Microsoft-HTTPAPI/2.0 Date: Fri, 24 Oct 2025 22:09:29 GMT Connection: close Content-Length: 311 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN""http://www.w3.org/TR/html4/strict.dtd"> <HTML><HEAD><TITLE>Bad Request</TITLE> <META HTTP-EQUIV="Content-Type" Content="text/html; charset=us-ascii"></HEAD> <BODY><h2>Bad Request</h2> <hr><p>HTTP Error 400. The request is badly formed.</p> </BODY></HTML> PS: @egraff<https://github.com/egraff> : Yes, it's an IIS problem. Can't be fixed via an application behind IIS. — Reply to this email directly, view it on GitHub<#64033 (comment)>, or unsubscribe<https://github.com/notifications/unsubscribe-auth/AZOCGW7QRXQQY5HKTCEGANT3ZKRGFAVCNFSM6AAAAACJFQCKSGVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZTINBVGA4TSMJTGU>. You are receiving this because you commented.Message ID: ***@***.***>

_____________________________________________________________________________________________________ The information contained in this e-mail message is intended only for the personal and confidential use of the intended recipient(s). This message may be an attorney-client communication and/or work product and as such is privileged and confidential. If the reader of this message is not the intended recipient or an agent responsible for delivering it to the intended recipient, you are hereby notified that you have received this document in error and that any review, dissemination, distribution, or copying of this message is strictly prohibited. If you have received this communication in error, please notify us immediately by e-mail, and delete the original message.

_____________________________________________________________________________________________________ ~~~Insurity~~~

[ajithvs]

How can this issue be resolved in an Azure Function running in a container? We are using the mcr.microsoft.com/azure-functions/dotnet-isolated:4-dotnet-isolated8.0 runtime image and mcr.microsoft.com/dotnet/sdk:8.0 as build, now the Docker build output includes the vulnerable Microsoft.AspNetCore.Server.Kestrel.Core version 2.2.0, which causes the Aqua scan to fail. When will Microsoft release a patch for this vulnerability? Or any alternative way to fix this issue?

[blowdart]

How can this issue be resolved in an Azure Function running in a container? We are using the mcr.microsoft.com/azure-functions/dotnet-isolated:4-dotnet-isolated8.0 runtime image and mcr.microsoft.com/dotnet/sdk:8.0 as build, now the Docker build output includes the vulnerable Microsoft.AspNetCore.Server.Kestrel.Core version 2.2.0, which causes the Aqua scan to fail. When will Microsoft release a patch for this vulnerability? Or any alternative way to fix this issue?

Functions is behind the same proxy setup as Azure Web Applications, so it's protected in the same way.

Your Microsoft.AspNetCore.Server.Kestrel.Core 2.2.0 is something I saw reported elsewhere and forwarded to the functions team. Whilst it's not a false positive, the file is there, it's never used, not by your code, not by theirs, and they're working on getting it removed.

[andreadottor]

The Azure team has released an update to the HTTP load balancer infrastructure to mitigate the CVE-2025-55315.
https://azure.github.io/AppService/2025/10/20/dotnet-on-windows.html

[andrewlock]

FYI, I wrote a blog post trying to explain this vulnerability in more detail: https://andrewlock.net/understanding-the-worst-dotnet-vulnerability-request-smuggling-and-cve-2025-55315/

It's a pretty long read, but I have seen a lot of confusion in this thread and elsewhere about the specific details of this vulnerability (e.g. it's not a content-length/transfer-encoding confusion attack), so I thought it might be useful for folks.

It covers:

• What is the CVE-2025-55315 vulnerability?
• How does request smuggling work?
• How can an attacker exploit request smuggling?
• Does request smuggling only apply if I have a proxy?
• How does the request smuggling in CVE-2025-55315 work?
  • Transfer-Encoding: chunked and chunk extensions
  • Invalid chunk extensions with incorrect line endings
  • Exploiting invalid chunk extensions for request smuggling
  • How was the vulnerability fixed?
• What should you do?
• How to know if you're affected?

⚠️ I'll repeat the disclaimer here: I'm not a security researcher, I don't work for Microsoft, and I don't have any other information than what's been described in this thread and publicly elsewhere. Please do comment on the post if you see anything incorrect 🙂

[denniselit]

Im running Azure Functions with .NET 8 in isolated worker model using App Service Plan, do I need to take any action? From reading your post @andrewlock it seems like it is handled in Azure (https://azure.github.io/AppService/2025/10/20/dotnet-on-windows.html) right?

[andrewlock]

Im running Azure Functions with .NET 8 in isolated worker model using App Service Plan, do I need to take any action? From reading your post @andrewlock it seems like it is handled in Azure (https://azure.github.io/AppService/2025/10/20/dotnet-on-windows.html) right?

Based on the linked document I assume you're ok, but I'd recommend patching anyway to be on the safe side

[jiruss]

For those asking about IIS, see https://msrc.microsoft.com/update-guide/en-US/vulnerability/ADV200008 for guidance.

[andrewlock]

@jiruss that document is 5 years old, and as I understand it is related to a different request smuggling vulnerability. I would be very surprised if it mitigates the issue.

As I mentioned at the end of my post, I believe I'm able to trigger the vulnerability with some local testing using WSL and IIS:

# Make sure IIS is listening and serving something:
curl http://192.168.0.1:80

# Send an HTTP request with an invalid chunk extension, to the Windows side and see
# if it times out or if it's rejected with a 400... It times out 🙁 (Make sure to use 
echo -e "GET / HTTP/1.1\r\nHost:\r\nTransfer-Encoding: chunked\r\n\r\n1;\n" \
  | nc 192.168.0.1 80

Just to be sure, I tried setting the DisableRequestSmuggling flag from that document and there was no change in the above behaviour

[jiruss]

@andrewlock Interestingly enough, when I tried your test on my IIS server, the request gets caught by http.sys with 400 bad request WITHOUT setting the flag I mentioned above so I am not sure what you are hitting

C:\Users\jiruss>echo GET / HTTP/1.1\r\nHost:\r\nTransfer-Encoding: chunked\r\n\r\n1; | ncat 192.168.1.26 80
HTTP/1.1 400 Bad Request
Content-Type: text/html; charset=us-ascii
Server: Microsoft-HTTPAPI/2.0
Date: Fri, 31 Oct 2025 21:14:33 GMT
Connection: close
Content-Length: 311

<TITLE>Bad Request</TITLE>

Bad Request

---

HTTP Error 400. The request is badly formed.

[andrewlock]

@jiruss You're missing the -e argument for echo, without it, the \n and \r don't get interpreted properly 🙂 (If I omit it then I get the same 400 Bad Request

[AdmiralSnyder]

"ill there be a newer version of the
Microsoft.AspNetCore.Server.Kestrel package that contains the Microsoft.AspNetCore.Server.Kestrel.Core 2.3.6 fixes?

we're referencing the former, and i'm not certain that the latter is actually picked (probably not super high prio, since we only use it in playwright tests)