CVE-2025-55315 -- .NET Security Feature Bypass Vulnerability

[dbelcham]

Describe the bug

Description

Microsoft announced a Security Advisory for CVE-2025-55315 earlier today. This appears to be related to .NET Core, Kestrel, and self-contained apps.

Has Particular validated ServicePulse (probably ServiceControl too since it exposes http endpoints) against this advisory and, if so, what is the advice with regards to the deployment and/or patching of these two tools?

Expected behavior

Actual behavior

Versions

Latest

Steps to reproduce

None...this is a request for thoughts on any possible impact this security advisory could have on the platform tools

Relevant log output

Additional Information

Workarounds

Possible solutions

Additional information

[helenktsai]

Hi @dbelcham,

Thanks for reporting this. This is on our radar and we have confirmed that the Platform uses an impacted runtime version. This will be addressed in a release as part of our monthly patch releases after Microsoft announces a new runtime.

We've looked into the CVE and it involves authorized users gaining privileges they shouldn't have. Since the Platform doesn't have an authorization layer, this CVE doesn't create additional risk.