INFSA-2025:18153: .NET 9.0 security update

Information about definition

Identifier: INFSA-2025:18153

Type: security

Release date: 2025-10-31 13:59:15 UTC

Information about package

.NET is a managed-software framework. It implements a subset of the .NET framework APIs and several new APIs, and it includes a CLR implementation. New versions of .NET that address a security vulnerability are now available. The updated versions are .NET SDK 9.0.111 and .NET Runtime 9.0.10.
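To confirm a host has picked up the fixed builds named above, the following added example (not code from the vendor or from this advisory) parses the output of `dotnet --list-runtimes` and `dotnet --list-sdks` and lists any 9.0 entry older than Runtime 9.0.10 or SDK 9.0.111. It assumes GNU `sort -V` is available; the function names and the sample input are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example (not vendor code): flag .NET 9.0 installs older than the
# fixed builds this advisory names. Assumes GNU `sort -V`.
FIXED_RUNTIME="9.0.10"
FIXED_SDK="9.0.111"

# version_lt A B: true when A is strictly older than B in version order,
# so 9.0.9 < 9.0.10 (a plain string comparison gets that wrong).
version_lt() {
    [ "$1" != "$2" ] &&
        [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n1)" = "$1" ]
}

# Reads `dotnet --list-runtimes` lines ("<name> <version> [<path>]").
outdated_runtimes() {
    while read -r name ver rest; do
        case "$ver" in
            9.0.*) if version_lt "$ver" "$FIXED_RUNTIME"; then echo "$name $ver"; fi ;;
        esac
    done
}

# Reads `dotnet --list-sdks` lines ("<version> [<path>]"). Only the 9.0.1xx
# feature band is compared; the advisory names no fix for other bands.
outdated_sdks() {
    while read -r ver rest; do
        case "$ver" in
            9.0.1[0-9][0-9]) if version_lt "$ver" "$FIXED_SDK"; then echo "sdk $ver"; fi ;;
        esac
    done
}

# Constructed sample of `dotnet --list-runtimes` output (paths are made up).
sample_runtimes() {
    cat <<'EOF'
Microsoft.NETCore.App 8.0.21 [/usr/lib64/dotnet/shared/Microsoft.NETCore.App]
Microsoft.NETCore.App 9.0.9 [/usr/lib64/dotnet/shared/Microsoft.NETCore.App]
Microsoft.AspNetCore.App 9.0.10 [/usr/lib64/dotnet/shared/Microsoft.AspNetCore.App]
EOF
}

# Check the local machine when dotnet is installed; no output means up to date.
if command -v dotnet >/dev/null 2>&1; then
    dotnet --list-runtimes | outdated_runtimes
    dotnet --list-sdks | outdated_sdks
fi
```

Build agents and container images often carry their own copy of the SDK, so the check is worth running there as well as on application hosts.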

Vulnerabilities description

  • CVE-2025-55247

    A flaw was found in MSBuild’s temporary directory handling on Linux where predictable, non-randomized temporary paths are used. Local users can create or manipulate those paths before MSBuild runs, causing build failures or unexpected behavior and resulting in denial of service for build operations.

  • CVE-2025-55248

    A flaw exists in certain .NET builds where a man-in-the-middle (MITM) attacker can prevent or downgrade TLS between a client and an SMTP server. This may cause the client to send credentials or message data over an unencrypted connection, exposing sensitive information to the attacker.

  • CVE-2025-55315

    A flaw was found in ASP.NET Core’s HTTP request handling that leads to inconsistent interpretation of specially crafted HTTP requests. This mismatch can be abused by an authorized network attacker to smuggle or manipulate request boundaries, allowing bypass of security controls or unintended forwarding of request data.

Severity level

| CVE | Score CVSS 2.0 | Score CVSS 3.x | Score CVSS 4.0 |
|  | no information | 7.3 | no information |
|  | no information | 8.2 | no information |
|  | no information | 8.5 | no information |
Critical, important, moderate, low

Updated packages
