Recent changes in how Kestrel processes HTTP/2 frames created an opportunity for request smuggling when front-end proxies and the application server disagree on request boundaries. Sites running older builds of ASP.NET Core 9 and early .NET 10 previews remain exposed until patched.
Attackers who can reach the edge can craft frames that cause the backend to interpret subsequent requests as part of the prior one, bypassing authentication and authorization checks. The issue surfaces most often behind reverse proxies that reuse connections.
#Who Is Affected
Production workloads using Kestrel directly or behind IIS with HTTP/2 enabled on Windows Server 2022/2025 are the primary targets. Applications still on .NET 8 or the first .NET 9 servicing releases without the July 2026 cumulative update inherit the defect.
#Immediate Mitigation Steps
- Upgrade to the latest GA .NET 10 SDK and runtime or apply the corresponding .NET 9 patch.
- Disable HTTP/2 on Kestrel unless your proxy stack has been validated against the updated behavior.
- Add KestrelServerOptions to enforce strict header limits and reject duplicate headers.
webBuilder.UseKestrel(options =>
{
options.Limits.Http2.HeaderTableSize = 4096;
options.Limits.MaxRequestHeadersTotalSize = 32768;
options.AllowSynchronousIO = false;
});
#Proxy and IIS Configuration
When IIS acts as the reverse proxy, ensure the ARR module and URL Rewrite rules strip or normalize hop-by-hop headers before forwarding. Disable HTTP/2 on the IIS site binding if the backend remains on an unpatched runtime.
- Require TLS 1.3 minimum on both proxy and application server.
- Enable request logging at the proxy layer to detect anomalous frame sequences.
#Verification
After patching, run a controlled test with a tool that replays crafted HTTP/2 frames and confirm the server returns 400 on malformed sequences. Monitor the Windows event log for new Kestrel warning entries.
Apply the update, tighten header validation, and retest proxy behavior within the next maintenance window. These steps eliminate the smuggling vector on current .NET stacks.
Comments
No comments yet