Hayden Barnes and CVE-2025-33515

Nov 21, 2025

Hayden Barnes, a security-focused .NET developer and consultant with HeroDevs, explains a critical ASP.NET vulnerability CVE-2025-55315. He breaks down how HTTP chunk parsing and CRLF quirks enable request smuggling. He covers which runtimes are affected, why scanners can miss older installs, short-term mitigations, and options for post‑EOL patching and upgrades.

Ask episode

AI Snips

Chapters

Transcript

Episode notes

INSIGHT

Chunked Metadata Parsing Causes Wide Risk

CVE-2025-55315 is a severe HTTP/1 chunked parsing vulnerability rated 9.9 that affects many web frameworks including ASP.NET.
The bug stems from ambiguous CR/LF handling in chunk metadata, enabling request smuggling across proxies and servers.

INSIGHT

Inconsistent Parsers Enable Smuggling

Different proxies and runtimes handle chunk extensions differently, so behavior is inconsistent across the internet.
That inconsistency is why malformed chunked requests can be split or smuggled past filters into backend servers.

ADVICE

Upgrade To Patched .NET Versions

Upgrade immediately to patched .NET 8, 9, or 10 runtimes and Kestrel to receive the official fix.
Rebuild and redeploy runtimes/containers so your production instances run the corrected versions.

Get the Snipd Podcast app to discover more snips from this episode

Get the app

Show Notes

Hey everyone, and welcome back to The Modern .NET Show; the premier .NET podcast, focusing entirely on the knowledge, tools, and frameworks that all .NET developers should have in their toolbox. I'm your host Jamie Taylor, bringing you conversations with the brightest minds in the .NET ecosystem.

This episode is a super important, top-of-the-heap, bonus episode that you definitely need to be listening to.

I, basically, reached out to Hayden Barnes, who we've just now had on the show to talk about .NET never-ending support and what happens when you drop out of support with Microsoft. The reason that I did that, and the reason that this intro is so raw is because we talked about what is known as "the worst CVE for the internet as a whole. If you want to Google it while we're talking right now, look for "CVE 2025-55315". We'll get into it in a moment, but pretty much everything on the internet is susceptible to this, and only .NET 8, 9, and 10 have a fix. Nothing else has a fix in the. NET space.

You will find out in this episode what it is, what problems it can cause you, and how to solve those problems. Please stick around and listen, folks.

Thank you, Matt, the editor, for putting this together so quickly. Anyway, on with the episode.

I'm not even going to do the dotnet new podcast thing. It's that important.

Full Show Notes

The full show notes, including links to some of the things we discussed and a full transcription of this episode, can be found at: https://dotnetcore.show/season-8/hayden-barnes-and-cve-2025-55315

About the CVE:

Hero Devs

Hayden's links

Supporting the show:

Getting in touch:

Miscellaneous links:

Podcast editing services provided by Matthew Bliss
Music created by Mono Memory Music, licensed to RJJ Software for use in The Modern .NET Show
Editing and post-production services for this episode were provided by MB Podcast Services

Remember to rate and review the show on Apple Podcasts, Podchaser, or wherever you find your podcasts, this will help the show's audience grow. Or you can just share the show with a friend.

And don't forget to reach out via our Contact page. We're very interested in your opinion of the show, so please get in touch.

You can support the show by making a monthly donation on the show's Patreon page at: https://www.patreon.com/TheDotNetCorePodcast.

Music created by Mono Memory Music, licensed to RJJ Software for use in The Modern .NET Show.

Editing and post-production services for this episode were provided by MB Podcast Services.