-
CVSS Score
-Basic Information
Technical Details
Vulnerability Intelligence
Miggo AI
Miggo AIMiggo AIMiggo AIRoot Cause AnalysisThe vulnerability, identified as CVE-2025-55248, allows a man-in-the-middle attacker to downgrade a TLS connection to plaintext during SMTP communication in .NET applications using SmtpClient. By analyzing the commits between the vulnerable versions (v9.0.9, v8.0.20) and the patched versions (v9.0.10, v8.0.21) of the dotnet/runtime repository, I identified the exact code change that mitigates this vulnerability. The fix is located in the SendHello method within the System.Net.Mail.SmtpConnection class. Before the patch, if a server did not respond to the EHLO command (which is required to negotiate TLS via STARTTLS), the client would insecurely fall back to the older HELO command, even if EnableSsl was set to true. This would cause credentials and email data to be sent unencrypted. The patch, introduced in commits like 18e28d767acf44208afa6c4e2e67a10c65e9647e and 44527b9ed8427463578126a4494c3654dda11866, adds a check at the beginning of SendHello. This check throws an exception if EnableSsl is true, thus preventing the insecure downgrade and ensuring the connection is terminated if a secure channel cannot be established. Therefore, the System.Net.Mail.SmtpConnection.SendHello function is the direct location of the vulnerability.
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| Microsoft.NetCore.App.Runtime.linux-arm | nuget | >= 9.0.0, < 9.0.10 | 9.0.10 |
Ongoing coverage of React2Shell