{
  "threat_severity" : "Important",
  "public_date" : "2025-10-15T12:58:31Z",
  "bugzilla" : {
    "description" : "dotnet: .NET Security Feature Bypass Vulnerability",
    "id" : "2403085",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2403085"
  },
  "cvss3" : {
    "cvss3_base_score" : "8.5",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N",
    "status" : "verified"
  },
  "cwe" : "CWE-444",
  "details" : [ "Inconsistent interpretation of HTTP requests ('HTTP request/response smuggling') in ASP.NET Core allows an authorized attacker to bypass a security feature over a network.", "A flaw was found in ASP.NET Core’s HTTP request handling that leads to inconsistent interpretation of specially crafted HTTP requests. This mismatch can be abused by an authorized network attacker to smuggle or manipulate request boundaries, allowing bypass of security controls or unintended forwarding of request data." ],
  "statement" : "The Red Hat Product Security team has assessed this issue as Important. An authorized network attacker can exploit inconsistent HTTP request parsing in ASP.NET Core to bypass security controls (HTTP request smuggling), potentially exposing request data, or enabling unauthorized actions on it, in affected .NET runtimes.\n```\n.NET 6.0 for RHEL-8, RHEL-9 and RHIVOS has reached its End of Life as of November 12, 2024, and is no longer supported. No fixes will be provided for this stream. For additional information about the lifecycle for .NET on Red Hat Enterprise Linux, please refer to: https://access.redhat.com/support/policy/updates/net-core.\n```",
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux 10",
    "release_date" : "2025-10-15T00:00:00Z",
    "advisory" : "RHSA-2025:18152",
    "cpe" : "cpe:/o:redhat:enterprise_linux:10.0",
    "package" : "dotnet8.0-0:8.0.121-1.el10_0"
  }, {
    "product_name" : "Red Hat Enterprise Linux 10",
    "release_date" : "2025-10-15T00:00:00Z",
    "advisory" : "RHSA-2025:18153",
    "cpe" : "cpe:/o:redhat:enterprise_linux:10.0",
    "package" : "dotnet9.0-0:9.0.111-1.el10_0"
  }, {
    "product_name" : "Red Hat Enterprise Linux 10",
    "release_date" : "2025-11-11T00:00:00Z",
    "advisory" : "RHBA-2025:20993",
    "cpe" : "cpe:/o:redhat:enterprise_linux:10.1",
    "package" : "dotnet10.0-0:10.0.100~rc.2.25502.107-0.12.el10_1"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2025-10-15T00:00:00Z",
    "advisory" : "RHSA-2025:18148",
    "cpe" : "cpe:/a:redhat:enterprise_linux:8",
    "package" : "dotnet8.0-0:8.0.121-1.el8_10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2025-10-15T00:00:00Z",
    "advisory" : "RHSA-2025:18150",
    "cpe" : "cpe:/a:redhat:enterprise_linux:8",
    "package" : "dotnet9.0-0:9.0.111-1.el8_10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2025-11-11T00:00:00Z",
    "advisory" : "RHBA-2025:20916",
    "cpe" : "cpe:/a:redhat:enterprise_linux:9",
    "package" : "dotnet10.0-0:10.0.100~rc.2.25502.107-0.10.el9_7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2025-10-15T00:00:00Z",
    "advisory" : "RHSA-2025:18149",
    "cpe" : "cpe:/a:redhat:enterprise_linux:9",
    "package" : "dotnet8.0-0:8.0.121-1.el9_6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2025-10-15T00:00:00Z",
    "advisory" : "RHSA-2025:18151",
    "cpe" : "cpe:/a:redhat:enterprise_linux:9",
    "package" : "dotnet9.0-0:9.0.111-1.el9_6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9.4 Extended Update Support",
    "release_date" : "2025-10-16T00:00:00Z",
    "advisory" : "RHSA-2025:18256",
    "cpe" : "cpe:/a:redhat:rhel_eus:9.4",
    "package" : "dotnet8.0-0:8.0.121-1.el9_4"
  }, {
    "product_name" : "Red Hat Hardened Images",
    "release_date" : "2026-04-20T00:00:00Z",
    "advisory" : "RHSA-2026:9080",
    "cpe" : "cpe:/a:redhat:hummingbird:1",
    "package" : "dotnet8-0-main-8.0.126-1.hum1"
  }, {
    "product_name" : "Red Hat Hardened Images",
    "release_date" : "2026-04-21T00:00:00Z",
    "advisory" : "RHSA-2026:9205",
    "cpe" : "cpe:/a:redhat:hummingbird:1",
    "package" : "dotnet9-0-main-9.0.116-1.hum1"
  }, {
    "product_name" : "Red Hat OpenShift Dev Spaces (RHOSDS) 3.25",
    "release_date" : "2025-12-15T00:00:00Z",
    "advisory" : "RHSA-2025:23225",
    "cpe" : "cpe:/a:redhat:openshift_devspaces:3.25::el9",
    "package" : "devspaces/udi-rhel9:3.25.0-1765582207"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Out of support scope",
    "package_name" : "dotnet6.0",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Out of support scope",
    "package_name" : "dotnet7.0",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  }, {
    "product_name" : "Red Hat Hardened Images",
    "fix_state" : "Not affected",
    "package_name" : "dotnet10.0",
    "cpe" : "cpe:/a:redhat:hummingbird:1"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2025-55315\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-55315" ],
  "name" : "CVE-2025-55315",
  "mitigation" : {
    "value" : "Mitigation for this issue is either not available or the currently available options don't meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to a widespread installation base, or stability.",
    "lang" : "en:us"
  },
  "csaw" : false
}