Microsoft has fixed a dangerous vulnerability in Kestrel web server for ASP.NET Core . It has been assigned the identifier CVE-2025-55315. The flaw allows an attacker logged in with a valid account to inject an additional request, thereby hijacking other users’ sessions or bypassing external security filters.
The official description emphasizes that the attack can lead to the leak of confidential data, including user credentials, modification of files on the server, and a server crash with subsequent impact on resource availability.
To address the vulnerability, Microsoft has provided clear recommendations for different platform versions and deployment methods. Users of .NET 8 and later builds should install the update via Microsoft Update and then restart the application or simply restart the computer.
For ASP.NET Core 2.3, you need to update the Microsoft.AspNet.Server.Kestrel.Core package reference to version 2.3.6, then rebuild and republish the project. The accompanying documentation specifically states that for the 2.x branch, you also need to update the Microsoft.AspNetCore.Server.Kestrel.Core package, rebuild, and redeploy the application.
For standalone or single-file applications, the steps are the same: install the platform update, rebuild, and reinstall the executables. Security patches were released simultaneously for Microsoft Visual Studio 2022, ASP.NET Core 2.3, 8.0, and 9.0.
Barry Dorrance, .NET security program manager, explained that the consequences of exploitation depend on the architecture of the specific web application . The vulnerability potentially allows an attacker to authenticate with a false identity, initiate hidden internal requests, implement SSRF, bypass CSRF protection, or perform injections.
The risk assessment was based on a worst-case scenario: a security feature bypass that would compromise the functionality of built-in security mechanisms . While the likelihood of such a scenario occurring in typical projects with adequate request validation is low, Microsoft strongly recommends all users install the update.
Microsoft’s October patch cycle was particularly extensive: the company released patches for 172 vulnerabilities, eight of which were deemed critical and six were zero-day vulnerabilities, three of which had already been actively exploited in attacks.
Around the same time, KB5066791, a cumulative update that included the final security patches for Windows 10, was released after official support for the system ended.
Follow us on Google News to receive daily updates on cybersecurity. Contact us if you would like to report news, insights or content for publication.
