Cyber Pulse: CVEs Diagnosed by a Paramedic Turned Analyst – Smuggling Through the Gate: CVE‑2025‑55315 Breaks .NET’s Kestrel Server with HTTP Request Manipulation

Intro

A critical HTTP request smuggling vulnerability (CVE-2025-55315) has been identified in Microsoft’s ASP.NET Core platform, specifically in the Kestrel web server. This flaw allows attackers to bypass request boundaries and inject hidden HTTP requests, potentially enabling session hijacking, cache poisoning, or unauthorized actions. No public exploit has been confirmed yet, but patching is urgent and detection readiness should be treated as mission-critical.

📌 CVE Context

Products Affected:
– ASP.NET Core Runtime 8.0.x
– ASP.NET Core Runtime 9.0.x
– ASP.NET Core 10.0 (Release Candidate)
– Microsoft.AspNetCore.Server.Kestrel.Core and Microsoft.AspNetCore.App.Runtime (Linux, macOS, Windows)

Disclosure Timeline:
– Vendor notification: Private timeline
– Public advisory: October 14, 2025
– Patched via .NET updates: October 15–18, 2025

Attack Vector and Scope:
– Exploit type: HTTP request smuggling (CWE-444)
– Access: Low privileges required
– Pre-auth: No
– Scope: Changed – attacker gains influence over a different trust boundary

CVSS Metric Breakdown (v4.0) - CVE-2025-55315 (Kestrel HTTP Request Smuggling)
Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): Low
User Interaction (UI): None
Confidentiality Impact (VC): High
Integrity Impact (VI): High
Availability Impact (VA): Medium
Scope Changed (SC): Changed
Safety Impact (SI): None
Automation (SA): Low
Exploit Maturity: Unproven
Base Score: 9.9 (Critical)

Exploit Toolkit: None observed publicly
Payloads: Smuggled HTTP requests with conflicting Content-Length and Transfer-Encoding headers
Victims: No public disclosures yet
Global Exposure: Unknown – cloud-hosted ASP.NET Core apps using Kestrel directly or behind misconfigured reverse proxies are at risk

🔬 Exploitation Detail

1. Attacker crafts a malicious HTTP request containing both Content-Length and Transfer-Encoding: chunked headers.
2. The front-end proxy (e.g., NGINX or cloud load balancer) interprets and forwards the request one way.
3. The Kestrel server interprets it differently, processing part of it as a separate hidden request.
4. The second request is smuggled into the back-end undetected by front-end security tools.

POST /login HTTP/1.1
Host: victim.com
Content-Length: 48
Transfer-Encoding: chunked

0

GET /admin HTTP/1.1
Host: victim.com

📎 Attacker Behavior Snapshot

Sent: Dual-encoded HTTP request with conflicting headers
System Reaction: Frontend routes request normally; Kestrel extracts and processes second request
Unexpected Output: Elevated access without logs of second request in the proxy; may reveal session data, API keys, or debug responses

🧪 Detection Rules

rule Suspicious_HTTP_Dual_Header
{
  meta:
    description = "Detects HTTP request smuggling attempts using both Transfer-Encoding and Content-Length headers"
    author = "SOC DFIR"
    reference = "CVE-2025-55315"
  strings:
    // HTTP header names are case-insensitive, so match regardless of case
    $te = "Transfer-Encoding: chunked" nocase
    $cl = "Content-Length: " nocase
  condition:
    $te and $cl
}

alert http any any -> any any (
  msg:"Suspicious HTTP dual header - possible request smuggling";
  flow:to_server,established;
  content:"Transfer-Encoding|3A| chunked"; http_header; nocase;
  content:"Content-Length|3A|"; http_header; nocase;
  classtype:web-application-attack;
  sid:5531501; rev:1;
)

title: Suspicious Dual-Encoding in HTTP Headers
id: b5c06b20-accf-41fc-9a30-a70b6c80dc44
status: experimental
description: Detects possible HTTP request smuggling attempts by identifying requests with both Transfer-Encoding and Content-Length headers
logsource:
  product: webserver
  service: aspnet-core
detection:
  selection:
    http.request.header|contains|all:
      - "Transfer-Encoding: chunked"
      - "Content-Length"
  condition: selection
level: high
tags:
  - attack.t1190
  - cve.2025.55315

⚡ Splunk Query

index=<your_index> sourcetype=<your_sourcetype>
"Transfer-Encoding: chunked" AND "Content-Length"
| stats count by src_ip, uri_path, http_method, _time

🛠️ SOC Detection Strategy

Tier 1: Look for odd combinations of HTTP headers, unexpected POST behavior to GET endpoints
Tier 2: Correlate duplicate session tokens or repeated requests from the same IP with different endpoints
Tier 3: Analyze application logs vs reverse proxy logs – smuggled requests may show in one but not the other
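One way to run the Tier 3 comparison in code, as an added example that is not part of the original post: it counts requests by method and path in a reverse-proxy access log and in the ASP.NET Core application log, then reports the requests the backend saw that the proxy never recorded. All log lines are constructed for this example (NGINX combined format on the proxy side, the "Request starting" line that ASP.NET Core hosting diagnostics emit on the app side); victim.com and the client addresses are placeholders.

```python
"""Added example: Tier 3 proxy-vs-app log comparison for smuggling hunts.

Not code from the original post or from the .NET project. It keys both
logs by (method, path) and reports backend requests with no proxy
counterpart. All log lines below are constructed for this example.
"""
import re
from collections import Counter
from urllib.parse import urlsplit

# NGINX combined-format lines from the reverse proxy (constructed sample).
PROXY_LOG = """\
203.0.113.5 - - [22/Oct/2025:10:00:01 +0000] "POST /login HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 - - [22/Oct/2025:10:00:03 +0000] "GET /dashboard HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.7 - - [22/Oct/2025:10:00:04 +0000] "GET /static/app.js HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
"""

# ASP.NET Core hosting-diagnostics lines from the app (constructed sample).
# Note the GET /admin that has no matching proxy entry.
APP_LOG = """\
info: Microsoft.AspNetCore.Hosting.Diagnostics[1] Request starting HTTP/1.1 POST http://victim.com/login - -
info: Microsoft.AspNetCore.Hosting.Diagnostics[1] Request starting HTTP/1.1 GET http://victim.com/admin - -
info: Microsoft.AspNetCore.Hosting.Diagnostics[1] Request starting HTTP/1.1 GET http://victim.com/dashboard - -
info: Microsoft.AspNetCore.Hosting.Diagnostics[1] Request starting HTTP/1.1 GET http://victim.com/static/app.js - -
"""

PROXY_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
APP_RE = re.compile(r"Request starting HTTP/[\d.]+ (?P<method>[A-Z]+) (?P<target>\S+)")


def count_requests(lines, pattern):
    """Counter of (method, path) for every line the pattern matches.

    Only the path component is kept, so an absolute URL in the app log
    and a relative target in the proxy log produce the same key.
    """
    counts = Counter()
    for line in lines.splitlines():
        m = pattern.search(line)
        if m:
            path = urlsplit(m.group("target")).path or "/"
            counts[(m.group("method"), path)] += 1
    return counts


def shadow_requests(proxy_log, app_log):
    """(method, path) -> number of backend requests the proxy did not log."""
    proxy = count_requests(proxy_log, PROXY_RE)
    app = count_requests(app_log, APP_RE)
    return {key: n - proxy[key] for key, n in app.items() if n > proxy[key]}


if __name__ == "__main__":
    for (method, path), surplus in shadow_requests(PROXY_LOG, APP_LOG).items():
        print(f"backend saw {surplus} extra {method} {path} not present in proxy log")
```

On real data, bucket both logs by a short time window and by host before comparing, and treat surplus entries as leads rather than verdicts: health checks from inside the network or clients that reach Kestrel without passing through the proxy produce the same mismatch without any smuggling.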

Sample Alert:
“Suspicious HTTP dual-header combo detected – potential Kestrel request smuggling (CVE-2025-55315)”

🔐 Hardening & Mitigation

Patch: Update to ASP.NET Core versions with patched Kestrel
– 8.0.21 or higher
– 9.0.10 or higher
– Apply latest 10.0 RC if using preview builds

Temporary Mitigations:
– Block HTTP requests with both Content-Length and Transfer-Encoding headers via WAF or reverse proxy
– Enforce header normalization
– Log and drop chunked requests from untrusted sources
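The following added example (Python; not code from the original post or from the .NET project) is the check behind the first mitigation above, and it also walks through the Exploitation Detail steps: it parses an HTTP/1.1 request head with case-insensitive header names, flags the Content-Length plus Transfer-Encoding combination that RFC 9112 section 6.3 says a proxy must not forward unchanged, and shows how a parser that frames the body by Content-Length and one that frames it by chunked encoding split the same bytes into a different number of requests. The sample traffic is constructed from the request shown earlier, with the Content-Length computed to cover the whole remaining stream; the lowercase-header sample is there to show why the detection rules need case-insensitive matching.

```python
"""Added example: HTTP/1.1 framing check for a proxy or WAF in front of Kestrel.

Not code from the original post or from the .NET project.
"""
import re

# RFC 9110 token characters for a header field name.
HEADER_RE = re.compile(rb"^([!#$%&'*+.^_`|~0-9A-Za-z-]+):[ \t]*(.*?)[ \t]*$")


def parse_head(stream, start=0):
    """Parse one request head beginning at `start`.

    Returns (request_line, headers, body_start), or None when the stream
    ends before the blank line. Field names are lower-cased because HTTP
    header names are case-insensitive; a detector that only matches
    "Transfer-Encoding" misses "transfer-encoding".
    """
    end = stream.find(b"\r\n\r\n", start)
    if end < 0:
        return None
    lines = stream[start:end].split(b"\r\n")
    request_line = lines[0].decode("latin-1")
    headers = {}
    for line in lines[1:]:
        m = HEADER_RE.match(line)
        if not m:
            raise ValueError(f"malformed header line: {line!r}")
        name = m.group(1).decode("latin-1").lower()
        value = m.group(2).decode("latin-1")
        # Repeated fields are joined so a second copy never replaces the first.
        headers[name] = value if name not in headers else headers[name] + ", " + value
    return request_line, headers, end + 4


def is_dual_framed(headers):
    """True when both framing headers are present. RFC 9112 section 6.3 lets a
    server reject such a request and requires a proxy to drop Content-Length
    before forwarding; passing it through unchanged is what the post's
    step 2 and step 3 describe."""
    return "content-length" in headers and "transfer-encoding" in headers


def body_end(stream, body_start, headers, framing):
    """Offset just past the body under `framing`, or None if it is incomplete."""
    if framing == "chunked":
        pos = body_start
        while True:
            nl = stream.find(b"\r\n", pos)
            if nl < 0:
                return None
            size = int(stream[pos:nl].split(b";")[0], 16)  # chunk-size[;ext]
            pos = nl + 2
            if size == 0:
                # Last chunk: consume trailer lines up to the empty line.
                while True:
                    nl = stream.find(b"\r\n", pos)
                    if nl < 0:
                        return None
                    line, pos = stream[pos:nl], nl + 2
                    if line == b"":
                        return pos
            pos += size + 2  # chunk data followed by its CRLF
            if pos > len(stream):
                return None
    end = body_start + int(headers.get("content-length", "0"))
    return end if end <= len(stream) else None


def split_stream(stream, prefer):
    """Request lines a parser sees when it frames a dual-framed body by
    `prefer` ('content-length' or 'chunked')."""
    seen, pos = [], 0
    while pos < len(stream):
        head = parse_head(stream, pos)
        if head is None:
            break
        request_line, headers, body_start = head
        if is_dual_framed(headers):
            framing = prefer
        elif "chunked" in headers.get("transfer-encoding", "").lower():
            framing = "chunked"
        else:
            framing = "content-length"
        seen.append(request_line)
        end = body_end(stream, body_start, headers, framing)
        if end is None:
            break  # a real server would wait for the rest of the body
        pos = end
    return seen


def inspect(raw):
    """Verdict for one client-to-server byte stream: whether a WAF should
    reject it, and what each kind of parser would make of it."""
    head = parse_head(raw)
    if head is None:
        return {"dual_framed": None, "as_content_length": [], "as_chunked": []}
    return {
        "dual_framed": is_dual_framed(head[1]),
        "as_content_length": split_stream(raw, "content-length"),
        "as_chunked": split_stream(raw, "chunked"),
    }


# Constructed samples. The first is the post's request with Content-Length
# computed to cover the whole remaining stream.
_SMUGGLED_BODY = b"0\r\n\r\nGET /admin HTTP/1.1\r\nHost: victim.com\r\n\r\n"
SMUGGLING_SAMPLE = (
    b"POST /login HTTP/1.1\r\nHost: victim.com\r\n"
    b"Content-Length: %d\r\nTransfer-Encoding: chunked\r\n\r\n" % len(_SMUGGLED_BODY)
    + _SMUGGLED_BODY
)
NORMAL_POST = b"POST /login HTTP/1.1\r\nHost: victim.com\r\nContent-Length: 9\r\n\r\nuser=test"
LOWERCASE_SAMPLE = (
    b"POST /login HTTP/1.1\r\nhost: victim.com\r\n"
    b"content-length: 0\r\ntransfer-encoding: chunked\r\n\r\n0\r\n\r\n"
)

if __name__ == "__main__":
    for name, raw in [("smuggling", SMUGGLING_SAMPLE), ("normal", NORMAL_POST),
                      ("lowercase", LOWERCASE_SAMPLE)]:
        print(name, inspect(raw))
```

For the smuggling sample a Content-Length parser reports one request (the whole stream is the POST body) while a chunked parser reports two, the second being GET /admin; that disagreement is the gap between step 2 and step 3 above. The WAF-side decision needs none of that analysis: `is_dual_framed` is enough to drop the request at the proxy, which is why the first temporary mitigation is the cheapest one.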

Post-Patch Cleanup:
– Restart backend services
– Rotate API keys and access tokens
– Revalidate sessions

📋 Incident Response Snippets

# Splunk
"Transfer-Encoding: chunked" AND "Content-Length"

# KQL
HttpRequest | where Header has "Transfer-Encoding" and Header has "Content-Length"

# grep
grep -Ei "Transfer-Encoding.*chunked" access.log | grep -i "Content-Length"

IR Questions:
– Was any admin functionality accessed without logging?
– Are requests showing mismatched headers?
– Do reverse proxy logs differ from app logs?

Hunt For:
– Unexpected HTTP methods
– Content-Length mismatches
– Shadow requests in session logs

Cleanup:
– Revoke suspect tokens
– Reset auth cookies
– Review proxy and app configs for parsing inconsistencies

📚 Suggested Reading & External References

https://github.com/dotnet/announcements/issues/371
https://github.com/advisories/GHSA-5rrx-jjjq-q2r5
https://nvd.nist.gov/vuln/detail/CVE-2025-55315
https://www.cvedetails.com/cve/CVE-2025-55315

🚑 EMS Lens: Field Insight

When intake and triage are split across systems – like a proxy and backend – missing symptoms can hide in the cracks. Request smuggling is the security equivalent of hearing one thing in the radio report and seeing another on arrival. SOC teams need clear escalation flags when HTTP anomalies show up, even without volume. Fatigue, weak handoffs, or skipped logs make this harder – but a single missed request can open the door to abuse. Shift-level pattern reviews matter.

🧾 Final Thoughts

This bug hijacks trust between frontend and backend HTTP parsers – letting the attacker slip in a second request under the radar.
Patch Kestrel immediately and deploy header validation to block dual-encoded HTTP anomalies.

Published: October 22, 2025
