CRLF parsing enables request smuggling

Show Notes

Hey everyone, and welcome back to The Modern .NET Show; the premier .NET podcast, focusing entirely on the knowledge, tools, and frameworks that all .NET developers should have in their toolbox. I'm your host Jamie Taylor, bringing you conversations with the brightest minds in the .NET ecosystem.

This episode is a super important, top-of-the-heap, bonus episode that you definitely need to be listening to.

I, basically, reached out to Hayden Barnes, who we've just now had on the show to talk about .NET never-ending support and what happens when you drop out of support with Microsoft. The reason that I did that, and the reason that this intro is so raw is because we talked about what is known as "the worst CVE for the internet as a whole. If you want to Google it while we're talking right now, look for "CVE 2025-55315". We'll get into it in a moment, but pretty much everything on the internet is susceptible to this, and only .NET 8, 9, and 10 have a fix. Nothing else has a fix in the. NET space.

You will find out in this episode what it is, what problems it can cause you, and how to solve those problems. Please stick around and listen, folks.

Thank you, Matt, the editor, for putting this together so quickly. Anyway, on with the episode.

I'm not even going to do the dotnet new podcast thing. It's that important.

Full Show Notes

The full show notes, including links to some of the things we discussed and a full transcription of this episode, can be found at: https://dotnetcore.show/season-8/hayden-barnes-and-cve-2025-55315

About the CVE:

• Understanding CVE-2025-55315: What CISOs, security engineers, and sysadmins should know
• ASP.NET Security Feature Bypass Vulnerability
• Funky chunks: abusing ambiguous chunk line terminators for request smuggling
• Understanding the worst .NET vulnerability ever: request smuggling and CVE-2025-55315

Hero Devs

• on X
• on YouTube
• on LinkedIn

Hayden's links

• on X
• on LinkedIn
• on his blog

Supporting the show:

• Leave a rating or review
• Buy the show a coffee
• Become a patron

Getting in touch:

• via the contact page
• joining the Discord

Miscellaneous links:

• Podcast editing services provided by Matthew Bliss
• Music created by Mono Memory Music, licensed to RJJ Software for use in The Modern .NET Show
• Editing and post-production services for this episode were provided by MB Podcast Services

Remember to rate and review the show on Apple Podcasts, Podchaser, or wherever you find your podcasts, this will help the show's audience grow. Or you can just share the show with a friend.

And don't forget to reach out via our Contact page. We're very interested in your opinion of the show, so please get in touch.

You can support the show by making a monthly donation on the show's Patreon page at: https://www.patreon.com/TheDotNetCorePodcast.

Music created by Mono Memory Music, licensed to RJJ Software for use in The Modern .NET Show.

Editing and post-production services for this episode were provided by MB Podcast Services.