CVE-2025-55315

CVE Database · CVE-2025-55315

CVE-2025-55315

· CRITICALModified

CVSS v3.1

9.9

EPSS

66.26%

Published

Oct 14, 2025

Modified

Oct 28, 2025

Public PoC / Exploit (2)

All weaponized →

Exploit-DBASP.net 8.0.10 - Bypass TrickestTrickest PoC index

Links to public security research (Exploit-DB, Nuclei, Trickest, GitHub) for defensive use only.

Description

Inconsistent interpretation of http requests ('http request/response smuggling') in ASP.NET Core allows an authorized attacker to bypass a security feature over a network.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L

Weaknesses (CWE)

CWE-444

Affected Products (6)

microsoft · asp.net_core (up to 2.3.6)vulnerable

microsoft · asp.net_core (up to 8.0.21)vulnerable

microsoft · asp.net_core (up to 9.0.10)vulnerable

microsoft · visual_studio_2022 (up to 17.10.20)vulnerable

microsoft · visual_studio_2022 (up to 17.12.13)vulnerable

microsoft · visual_studio_2022 (up to 17.14.17)vulnerable

References (3)

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-55315

Vendor Advisory

https://andrewlock.net/understanding-the-worst-dotnet-vulnerability-request-smuggling-and-cve-2025-55315/

https://gist.github.com/N3mes1s/d0897c13ca199e739ecc2b562f466040

KEV Catalog EPSS Scores Vendors All CVEs