Microsoft ASP.NET Core Security Feature Bypass Vulnerability Allowing HTTP Request Smuggling

Vulnerability

A security feature bypass vulnerability has been identified in ASP.NET Core versions 2.3, 8.0, and 9.0, and in Microsoft Visual Studio 2022 versions 17.10, 17.12, and 17.14. The vulnerability arises from an inconsistent interpretation of HTTP requests, which allows an authorized attacker to smuggle HTTP requests and bypass front-end security controls over the network. Successful exploitation could lead to hijacking other users' credentials or crashing the server.

Impact

Exploitation of this vulnerability could bypass security features, allowing for HTTP request smuggling that could hijack user credentials or disrupt server availability.

Remediation

Users can update to the latest version of ASP.NET Core or Microsoft Visual Studio 2022. For ASP.NET Core 2.3, update the package reference to version 2.3.6, recompile, and redeploy the application. For versions 8.0 and 9.0, download the security update from the .NET website. Visual Studio users can download the security update from the Visual Studio Download Center.
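
One way to check project files for the ASP.NET Core 2.3 step above, as an added example that is not part of the original advisory: it flags 2.3.x package references below 2.3.6 and reports versions it cannot resolve. The package id `Microsoft.AspNetCore.Server.Kestrel.Core`, the function names and the sample project file are assumptions; the advisory states only the fixed version.

```python
import xml.etree.ElementTree as ET

FIXED = (2, 3, 6)  # fixed version for the 2.3 line, as stated in the advisory
# Assumption: package id to check; the advisory text gives only the version.
PACKAGE_IDS = ("Microsoft.AspNetCore.Server.Kestrel.Core",)

# Constructed sample project file, not taken from any real application.
SAMPLE = """<Project Sdk="Microsoft.NET.Sdk.Web">
  <ItemGroup>
    <PackageReference Include="Microsoft.AspNetCore.Server.Kestrel.Core" Version="2.3.0" />
    <PackageReference Include="Newtonsoft.Json" Version="13.0.3" />
  </ItemGroup>
</Project>"""

def local(tag):
    """Strip an XML namespace, which older .csproj files carry."""
    return tag.split("}")[-1]

def parse_version(text):
    """Return (major, minor, patch), or None for ranges and wildcards."""
    parts = text.strip().split("-")[0].split(".")  # drop prerelease suffix
    if not all(p.isdigit() for p in parts):
        return None
    nums = [int(p) for p in parts[:3]]
    return tuple(nums + [0] * (3 - len(nums)))

def find_outdated(csproj_xml, package_ids=PACKAGE_IDS):
    """List (package, version, status) for references that need attention."""
    wanted = {p.lower() for p in package_ids}
    findings = []
    for el in ET.fromstring(csproj_xml).iter():
        pkg = el.get("Include") or el.get("Update") or ""
        if local(el.tag) != "PackageReference" or pkg.lower() not in wanted:
            continue
        version = el.get("Version")
        if version is None:  # version given as a child element instead
            child = next((c for c in el if local(c.tag) == "Version"), None)
            version = child.text if child is not None else None
        parsed = parse_version(version) if version else None
        if parsed is None:
            # Floating, ranged or centrally managed: resolve it by hand.
            findings.append((pkg, version, "unresolved"))
        elif parsed[:2] == FIXED[:2] and parsed < FIXED:
            findings.append((pkg, version, "outdated"))
    return findings

if __name__ == "__main__":
    print(find_outdated(SAMPLE))
```

An "unresolved" result means the version is set elsewhere (for example by a wildcard or central package management), so the resolved version has to be confirmed from the build output.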

Added: Oct 14, 2025, 5:17 PM
Updated: Oct 14, 2025, 9:59 PM

Vulnerability Rating

Custom Algorithm

spread: 7.6
impact: 0.6
exploitability: 5.4
remediation: 7.7
relevance: 0.7
threat: 0.0
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.