Detections
Analytics

CVE-2025-55315

critical

Description

Inconsistent interpretation of http requests ('http request/response smuggling') in ASP.NET Core allows an authorized attacker to bypass a security feature over a network.

References

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-55315

https://www.securityweek.com/qnap-netbak-pc-agent-affected-by-recent-asp-net-core-vulnerability/

https://securityaffairs.com/183951/security/critical-asp-net-flaw-hits-qnap-netbak-pc-agent.html

https://www.bleepingcomputer.com/news/security/qnap-warns-its-windows-backup-software-is-also-affected-by-critical-aspnet-flaw/

https://www.securityweek.com/highest-ever-severity-score-assigned-by-microsoft-to-asp-net-core-vulnerability/

https://www.bleepingcomputer.com/news/microsoft/microsoft-fixes-highest-severity-aspnet-core-flaw-ever/

https://www.theregister.com/2025/10/16/microsoft_aspnet_core_vulnerability/

https://www.helpnetsecurity.com/2025/10/15/microsoft-patch-tuesday-zero-days-cve-2025-24990-cve-2025-59230-cve-2025-47827/

https://thehackernews.com/2025/10/two-new-windows-zero-days-exploited-in.html

https://andrewlock.net/understanding-the-worst-dotnet-vulnerability-request-smuggling-and-cve-2025-55315/

https://gist.github.com/N3mes1s/d0897c13ca199e739ecc2b562f466040

Details

Source: Mitre, NVD

Published: 2025-10-14

Updated: 2025-10-28

Risk Information

CVSS v2

Base Score: 8.7

Vector: CVSS2#AV:N/AC:L/Au:S/C:C/I:C/A:P

Severity: High

CVSS v3

Base Score: 9.9

Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L

Severity: Critical

EPSS

EPSS: 0.00038

Vulnerability Watch

Tenable Research has classified this CVE under the following Vulnerability Watch classification, which includes active and historical (inactive) classifications. You can learn more about these classifications on our blog.

Vulnerability Being Monitored