PT-2025-42010 · Microsoft · Asp.Net Core
Published 2025-10-14 · Updated 2026-03-13
CVE-2025-55315
CVSS v3.1: 9.9 Critical | AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L |
Name of the Vulnerable Software and Affected Versions:
ASP.NET Core versions 3.0 through 7.0, and Kestrel ≤ 2.3.0
Description:
CVE-2025-55315 is a critical HTTP request smuggling flaw in Kestrel, the web server built into ASP.NET Core. It arises from inconsistencies in how Kestrel parses HTTP requests, specifically requests using chunked encoding, which lets an attacker smuggle additional requests past security controls that sit in front of the application. Successful exploitation can lead to unauthorized access, data manipulation, hijacking of user sessions, cross-site scripting (XSS), exposure of sensitive data, and potentially remote code execution. The vulnerability carries a severity score of 9.9 (Critical) and is considered a significant risk. It affects QNAP NetBak PC Agent as well.
Recommendations:
Apply the latest security update released by Microsoft to address this vulnerability, and ensure all ASP.NET Core components, including Kestrel, are updated to the latest versions. If you use QNAP NetBak PC Agent, reinstall the application to apply the necessary patches. Review and update request handling logic to mitigate the residual risk.
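The last recommendation, reviewing request handling logic, is easier to act on with a concrete check. The following is an added example, not code from the advisory, from Microsoft or from ASP.NET Core: it applies the generic RFC 9112 framing rules that request-smuggling defences rely on (a single unambiguous body length, strictly formed chunk-size lines, nothing after the last chunk) to raw HTTP/1.1 request bytes, so it can serve as a pre-check in a reverse proxy or as a review aid for captured traffic. It does not reproduce the specific Kestrel parser defect behind CVE-2025-55315, and the sample requests are constructed for illustration.

```python
"""Flag HTTP/1.1 requests whose message framing is ambiguous.

Added example, not part of the advisory. Generic RFC 9112 framing checks;
it does not model the specific Kestrel defect in CVE-2025-55315.
"""
import re

HEX_SIZE = re.compile(rb"^[0-9A-Fa-f]+$")


def chunked_body_issues(body: bytes) -> list[str]:
    """Walk a chunked body and report every deviation from the strict grammar."""
    issues = []
    pos = 0
    while True:
        end = body.find(b"\r\n", pos)
        if end == -1:
            return issues + ["chunk-size line not CRLF-terminated"]
        line = body[pos:end]
        if b"\n" in line:
            return issues + ["bare LF inside chunk-size line"]
        size_field = line.split(b";", 1)[0]          # chunk extensions are permitted
        if size_field != size_field.strip():
            issues.append("whitespace around chunk size")
        size_field = size_field.strip()
        if not HEX_SIZE.match(size_field):
            return issues + [f"non-hex chunk size {size_field!r}"]
        size = int(size_field, 16)
        pos = end + 2
        if size == 0:
            rest = body[pos:]
            if rest.startswith(b"\r\n"):              # no trailer section
                tail = rest[2:]
            else:
                idx = rest.find(b"\r\n\r\n")
                if idx == -1:
                    return issues + ["trailer section not terminated"]
                tail = rest[idx + 4:]
            if tail:                                  # bytes after the last chunk
                issues.append("data after last chunk")
            return issues
        data = body[pos:pos + size]
        if len(data) < size:
            return issues + ["truncated chunk data"]
        if body[pos + size:pos + size + 2] != b"\r\n":
            return issues + ["chunk data not followed by CRLF"]
        pos += size + 2


def framing_issues(raw: bytes) -> list[str]:
    """Return the framing ambiguities found in a raw HTTP/1.1 request (empty = clean)."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        return ["header section not terminated by CRLF CRLF"]
    if head.count(b"\n") != head.count(b"\r\n"):
        return ["bare LF line ending in header section"]
    issues = []
    content_lengths, codings = [], []
    for line in head.split(b"\r\n")[1:]:             # skip the request line
        if line[:1] in (b" ", b"\t"):
            issues.append("obsolete line folding in headers")
            continue
        name, _, value = line.partition(b":")
        if name != name.rstrip():                     # "Content-Length : 5"
            issues.append(f"whitespace before colon in header {name.strip()!r}")
        name = name.strip().lower()
        value = value.strip()
        if name == b"content-length":
            content_lengths.append(value)
        elif name == b"transfer-encoding":
            codings += [c.strip().lower() for c in value.split(b",")]
    if content_lengths and codings:
        issues.append("both Content-Length and Transfer-Encoding present")
    if len(set(content_lengths)) > 1:
        issues.append("conflicting Content-Length values")
    if any(not v.isdigit() for v in content_lengths):
        issues.append("non-numeric Content-Length")
    if codings:
        if codings[-1] != b"chunked":
            issues.append("chunked is not the final transfer coding")
        if any(c not in (b"chunked", b"gzip", b"deflate", b"compress") for c in codings):
            issues.append("unknown transfer coding")
        if b"chunked" in codings:
            issues += chunked_body_issues(body)
    return issues


# Constructed sample requests (not captured traffic).
CLEAN = (b"POST /upload HTTP/1.1\r\nHost: example.test\r\n"
         b"Transfer-Encoding: chunked\r\n\r\n5\r\nhello\r\n0\r\n\r\n")
CL_AND_TE = (b"POST /upload HTTP/1.1\r\nHost: example.test\r\nContent-Length: 5\r\n"
             b"Transfer-Encoding: chunked\r\n\r\n0\r\n\r\n")
TRAILING = (b"POST /upload HTTP/1.1\r\nHost: example.test\r\n"
            b"Transfer-Encoding: chunked\r\n\r\n0\r\n\r\nX")
SLOPPY_SIZE = (b"POST /upload HTTP/1.1\r\nHost: example.test\r\n"
               b"Transfer-Encoding: chunked\r\n\r\n5 \r\nhello\r\n0\r\n\r\n")

if __name__ == "__main__":
    for label, req in [("clean", CLEAN), ("cl+te", CL_AND_TE),
                       ("trailing", TRAILING), ("sloppy", SLOPPY_SIZE)]:
        print(f"{label:9s} -> {framing_issues(req) or 'OK'}")
```

A front end that rejects (rather than silently normalises) any request with a non-empty issue list gives every hop behind it the same view of where one request ends and the next begins, which is the property smuggling attacks break.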
Exploit · Fix · LPE · DoS · HTTP Request/Response Smuggling
Affected Products
Alt Linux
Asp.Net Core
Almalinux
Centos
Linuxmint
Red Hat
Red Os
Rocky Linux
Ubuntu