Does the CVE-2025-55315 impact ODC?
Question

Does the CVE-2025-55315 request smuggling impact ODC? See https://github.com/dotnet/aspnetcore/issues/64033 If so, is it already patched?

Rhett Siesener
Staff
Solution

We have analyzed CVE-2025-55315. The ODC Platform itself is not vulnerable. The potential exposure applies only to customer applications that use custom code compiled against affected .NET versions. If your applications rely on Custom Code, ensure you update to the latest .NET security release from Microsoft. We will publish further guidance on the Security Portal and notify here when available.

Kilian Hekhuis
 
MVP

Hi Marcel,

Very good question, we've asked OutSystems to give an official reply.

Robert de Vries

Hello Kilian,
Did you already have a reaction?
When looking at https://security.outsystems.com/ I do not see anything.
When looking at https://success.outsystems.com/support/release_notes/outsystems_developer_cloud_releases/outsystems_developer_cloud/ the .NET version is 8.0.20, which is vulnerable.
But we don't know if this is the case for ODC.


Kilian Hekhuis
 
MVP

Unfortunately not, but we've asked OutSystems again to give a formal reply yesterday.

Siya
 
MVP

This vulnerability affects ASP.NET Core’s Kestrel web server, which mishandles certain chunked transfer-encoding requests. It’s a type of HTTP request smuggling, where different systems (like a proxy and backend) interpret the same request differently - letting attackers sneak extra requests past normal checks.

In short, Kestrel’s HTTP/1.1 parser didn’t properly validate some chunked encoding edge cases.

Fix: upgrade to .NET 8.0.21 or later, though for ODC this must be confirmed and applied by OutSystems.

Mitigations: disable HTTP/1.1 or use a reverse proxy (like NGINX) that re-encodes requests before sending them to the backend.

No impact on OutSystems 11, as it uses IIS and the .NET Framework, not Kestrel.
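To illustrate the parser-differential and re-encoding points in the post above, here is an added example (not part of the original thread, and not OutSystems or Microsoft code): a strict chunked-body decoder that rejects malformed framing and re-frames the validated body with a Content-Length. The rejected cases follow the RFC 9112 chunked grammar and are assumptions chosen for illustration, not a statement of which case Kestrel mishandled; the sample inputs are constructed.

```python
import re

class ChunkedError(ValueError):
    """Raised when a chunked body is not strictly well-formed."""

# chunk-size is hex digits only; the length cap keeps the size bounded.
_SIZE = re.compile(rb"[0-9A-Fa-f]{1,8}")

def _read_line(buf: bytes, pos: int) -> tuple[bytes, int]:
    """Return one CRLF-terminated line; a bare CR or LF inside it is an error."""
    end = buf.find(b"\r\n", pos)
    if end < 0:
        raise ChunkedError("line not terminated by CRLF")
    line = buf[pos:end]
    if b"\n" in line or b"\r" in line:
        raise ChunkedError("bare CR or LF inside line")
    return line, end + 2

def decode_chunked(buf: bytes) -> tuple[bytes, int]:
    """Strictly decode a chunked body; return (payload, bytes consumed)."""
    pos, body = 0, bytearray()
    while True:
        line, pos = _read_line(buf, pos)
        size_field, _, _ext = line.partition(b";")  # chunk extensions are dropped
        if not _SIZE.fullmatch(size_field):
            raise ChunkedError("invalid chunk-size")
        size = int(size_field, 16)
        if size == 0:
            break
        if buf[pos + size:pos + size + 2] != b"\r\n":
            raise ChunkedError("chunk data not followed by CRLF")
        body += buf[pos:pos + size]
        pos += size + 2
    while True:  # trailer section: field lines (dropped), then an empty line
        line, pos = _read_line(buf, pos)
        if not line:
            return bytes(body), pos

def reencode(buf: bytes) -> bytes:
    """Re-frame a validated body with Content-Length, as a re-encoding proxy would."""
    body, _ = decode_chunked(buf)
    return b"Content-Length: %d\r\n\r\n%s" % (len(body), body)

# Constructed sample inputs: one well-formed body, one with a bare LF in a chunk line.
GOOD = b"5\r\nhello\r\n6;ext=1\r\n world\r\n0\r\n\r\n"
BAD_LF = b"5;x\nfoo\r\nhello\r\n0\r\n\r\n"

if __name__ == "__main__":
    print(reencode(GOOD))
```
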

