CVE-2025-24070: Microsoft Security Advisory CVE-2025-24070: .NET Elevation of Privilege Vulnerability

March 11, 2025 (updated May 6, 2025)

Microsoft is releasing this security advisory to provide information about a vulnerability in ASP.NET Core 9.0 , ASP.NET Core 8.0, and ASP.NET Core 2.3. This advisory also provides guidance on what developers can do to update their applications to address this vulnerability.

A vulnerability exists in ASP.NET Core applications calling RefreshSignInAsync with an improperly authenticated user parameter that could allow an attacker to sign into another user’s account, resulting in Elevation of Privilege.

References

github.com/advisories/GHSA-2865-hh9g-w894
github.com/dotnet/aspnetcore
github.com/dotnet/aspnetcore/security/advisories/GHSA-2865-hh9g-w894
msrc.microsoft.com/update-guide/vulnerability/CVE-2025-24070
nvd.nist.gov/vuln/detail/CVE-2025-24070
www.herodevs.com/vulnerability-directory/cve-2025-24070

Code Behaviors & Features

Detect and mitigate CVE-2025-24070 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →