Critical HTTP Request Smuggling in ASP.NET Core 8.0.10 Enables Auth Bypass, Session Hijacking, and SSRF
What Happened – A public exploit (EDB‑52492) demonstrates a critical HTTP Request Smuggling flaw (CVE‑2025‑55315) in unpatched ASP.NET Core 8.0.10/Kestrel. A single malformed chunked request can bypass authentication, steal session cookies, and reach internal services such as cloud metadata endpoints.
Why It Matters for TPRM –
- The vulnerability is network‑reachable and can be weaponised by any remote adversary without credentials.
- Successful exploitation gives attackers unrestricted access to any third‑party application that relies on the vulnerable ASP.NET component, potentially exposing customer data.
- Many SaaS, ERP, and custom web portals still run on ASP.NET 8.0.10, making the risk broadly applicable across supply‑chain relationships.
Who Is Affected – Organizations that host or consume web applications built on ASP.NET Core 8.0.10 (or earlier) across all verticals – finance, healthcare, retail, government, etc.
Recommended Actions –
- Verify the ASP.NET version of all third‑party web services and internal applications.
- Apply the Microsoft patch (ASP.NET 9.0.1 or 8.0.10+ released Oct 2025) immediately.
- Conduct request‑smuggling testing on any remaining legacy instances.
- Review WAF rules for “chunked” header handling and enforce strict validation.
Technical Notes – The exploit abuses malformed chunk extensions with LF‑only line endings, causing Kestrel to desynchronize request parsing. Attack vector: remote HTTP/HTTPS request. Impacted data: authentication tokens, session cookies, and any data reachable via SSRF (e.g., AWS metadata). Patched in .NET 9.0.1 and ASP.NET 8.0.10+ (Oct 2025). Source: https://www.exploit-db.com/exploits/52492