I admit, that's a very click-baity headline, but Microsoft have given the vulnerability a CVSS score of 9.9, their highest ever. Time to panic, right?
In this post I try to provide a bit more context. I explain how request smuggling vulnerabilities work in general, how this one works, what attackers could use it for, how the vulnerability was fixed, and what you can do to protect yourself.
WARNING: I am not a security professional, so do not take anything in this post as gospel or advice. I'm just a developer trying to make sense of things. 😄 All of the details in this post are based on information that was provided or referenced in the original announcement.
On October 14th 2025, a standard Microsoft "patch Tuesday", Microsoft released updates for all supported versions of .NET and also published a security advisory: Microsoft Security Advisory CVE-2025-55315: .NET Security Feature Bypass Vulnerability. The high-level summary from that announcement said:
Inconsistent interpretation of http requests ('http request/response smuggling') in ASP.NET Core allows an authorized attacker to bypass a security feature over a network.
The advice was "patch all of your things", but the real headline was that this vulnerability was given a CVSS score of 9.9 out of 10, which, you know, sounds pretty bad! Barry Dorrans AKA blowdart, .NET security head honcho, gave an explanation of the reasoning behind the score in a comment on the original issue:
The bug enables HTTP Request Smuggling, which on its own for ASP.NET Core would be nowhere near that high, but that's not how we rate things... Instead, we score based on how the bug might affect applications built on top of ASP.NET. Request Smuggling allows an attacker to hide an extra request inside another, and what that hidden request can do is very application specific. The smuggled request could cause your application code to:
Login as a different user (EOP)
Make an internal request (SSRF)
Bypass CSRF checks
Perform an injection attack
But we don't know what's possible because it's dependent on how you've written your app.