October 28, 2025
Smuggled requests, smuggled drama
Understanding the Worst .NET Vulnerability
Microsoft’s 9.9 scare: sneaky web messages, dev panic, and an epic patch race
TLDR: Microsoft patched a .NET flaw that lets sneaky extra web requests slip through, rated a scary 9.9. Devs split between panic over how widespread it is and practical advice to patch and test with proxies, while memes cheer on Andrew Lock’s explainer—because your app’s setup really decides the risk.
Patch Tuesday served chaos: Microsoft tagged a .NET flaw with a 9.9 out of 10 severity score, meaning attackers could sneak a hidden web request inside a normal one—like sliding a secret note into an envelope—and possibly bypass protections. In his explainer, Andrew Lock says the real danger depends on how your app handles requests, which only turned up the community heat. The mood? Half panic, half eye-roll.
One camp is convinced the blast radius is huge: “anything built upon Kestrel” (the default .NET web server) made folks gasp and start listing… and then stop with a “holy cow.” Another camp claps back with sober warnings: not using a proxy doesn’t make you safe, and environments with different proxy setups can fool you, as the advisory hints. Meanwhile, dev fatigue memes landed hard: opening Visual Studio only to be told your fresh project already has “vulnerabilities” became the day’s mood board.
There’s drama over whether the 9.9 score is terrifying or just a wake-up call to patch and test like you mean it. And sprinkled over the panic is fanboy energy: “I’m a simple man. I see Andrew Lock, I upvote.” Verdict from the trenches: patch everything, test through your real proxy, and keep the memes coming.
Key Points
- Microsoft disclosed CVE-2025-55315 on October 14, 2025 and released patches for all supported .NET versions.
- The vulnerability involves inconsistent HTTP request interpretation in ASP.NET Core, enabling request/response smuggling.
- Microsoft assigned a CVSS score of 9.9, reflecting potential application-level impacts.
- Possible outcomes of exploitation include elevation of privilege (EOP), SSRF, CSRF bypasses, and injection attacks, depending on app logic.
- The article urges patching and cautions that manual request stream handling in ASP.NET Core may increase risk even without a proxy.