Microsoft’s October Patch Tuesday updates addressed a critical-severity vulnerability in the ASP.NET Core open-source web development framework.
Tracked as CVE-2025-55315, the flaw has a CVSS score of 9.9, which .NET security program manager Barry Dorrans says was the “highest ever” for an ASP.NET Core issue.
The issue is described as an HTTP request smuggling bug that could be used to bypass a security feature over the network. It was discovered in Kestrel, ASP.NET Core’s built-in web server.
https://www.securityweek.com/highest-ev ... erability/