Another Story for another day

Eugen Khoza

2 October 2025 | 12:53

Picture: Erik Mclean via pexels

Vulnerability Details

According to the vulnerability report, CVE-2025-55315 is a critical HTTP request smuggling vulnerability in ASP.NET Core.

  • Vulnerable Runtime Versions: ASP.NET Core 8.0 versions up to and including 8.0.20 are affected.

  • Patched Runtime Version: The vulnerability is fixed in version 8.0.21 and newer.

  • Patched SDK Version: The patched runtime is included in the .NET SDK starting with version 8.0.318.

Analysis of Your Dockerfile

  1. Runtime Image (base and final stages) - 🔴 VULNERABLE

    • You are using: FROM mcr.microsoft.com/dotnet/aspnet:8.0.13-bookworm-slim AS base

    • Analysis: Your runtime version is 8.0.13. This is older than the patched version (8.0.21), so your final containerized application is vulnerable to CVE-2025-55315.

  2. SDK Image (build stage) - 🟢 NOT VULNERABLE

    • You are using: FROM mcr.microsoft.com/dotnet/sdk:8.0.406-bookworm-slim AS build

    • Analysis: You are correct to be concerned about the "build time" environment. However, your SDK version is 8.0.406. This is newer than the patched SDK 8.0.318, which means your build image already contains the secure runtime and is not vulnerable to this specific CVE.

Recommended Action

You must update your aspnet base image.

Your SDK image is safe from this specific CVE, but it is a security best practice to use floating tags (like 8.0) instead of pinned patch versions (like 8.0.13 or 8.0.406). That way every build of your image automatically picks up the latest security patches.

You can automate gradual traffic shifting for your Container App using a multi-stage Azure DevOps YAML pipeline. The core idea is to leverage the Azure CLI to deploy a new revision and then programmatically adjust the traffic percentages between the old and new revisions.

This strategy is commonly known as a canary release or a blue-green deployment.

Here’s how you can set it up, from the overall plan to a concrete YAML example.


The Automation Plan

The pipeline will execute in distinct stages:

  1. Build & Push: Build your new container image and push it to your Azure Container Registry (ACR).

  2. Deploy New Revision (Inactive): Deploy the new image to your Container App. This creates a new revision, but you'll initially assign it 0% of the traffic. This makes it live but "inactive."

  3. Warm-up & Initial Shift: Wait for the new revision to start up and then shift a small amount of traffic to it (e.g., 10%). At this point, you have two revisions serving traffic.

  4. Monitor & Approve: Pause the pipeline for a set time (or for a manual approval). This gives you a window to monitor logs and metrics in Application Insights to ensure the new revision is healthy.

  5. Gradual Increase: After validation, continue shifting traffic in increments (e.g., to 50%, then 100%).

  6. Finalize & Deactivate: Once the new revision is handling 100% of the traffic, deactivate the old revision to save resources.
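A pipeline that carries out steps 2 to 6 of this plan, as an added example that is not part of the original post. It assumes placeholder names (service connection azure-sc, app myapp, resource group rg-myapp, an Azure DevOps environment named production with an approval check configured on it), that the image was already pushed by an earlier build stage, and that the app is in multiple-revision mode (az containerapp revision set-mode --mode multiple).

```yaml
variables:
  app: myapp
  rg: rg-myapp
  image: myacr.azurecr.io/myapp:$(Build.BuildId)   # pushed by an earlier build stage
  newRev: myapp--b$(Build.BuildId)                 # name produced by --revision-suffix below
stages:
- stage: Canary
  jobs:
  - job: Deploy
    pool: { vmImage: ubuntu-latest }
    steps:
    - task: AzureCLI@2
      inputs:
        azureSubscription: azure-sc
        scriptType: bash
        scriptLocation: inlineScript
        inlineScript: |
          set -euo pipefail
          # Assumes exactly one active revision is currently serving traffic.
          OLD=$(az containerapp revision list -n $(app) -g $(rg) --query "[?properties.active].name | [0]" -o tsv)
          # Create the new revision live but pinned at 0% traffic ("inactive").
          az containerapp update -n $(app) -g $(rg) --image $(image) --revision-suffix b$(Build.BuildId)
          az containerapp ingress traffic set -n $(app) -g $(rg) --revision-weight "$OLD=100" "$(newRev)=0"
          # Warm-up: wait until the revision reports Healthy (bounded by the job timeout), then shift 10%.
          until [ "$(az containerapp revision show -n $(app) -g $(rg) --revision $(newRev) \
                    --query properties.healthState -o tsv)" = Healthy ]; do sleep 10; done
          az containerapp ingress traffic set -n $(app) -g $(rg) --revision-weight "$OLD=90" "$(newRev)=10"
- stage: Promote
  dependsOn: Canary
  jobs:
  - deployment: Finalize
    environment: production   # approval check on this environment is the monitor-and-approve pause
    pool: { vmImage: ubuntu-latest }
    strategy:
      runOnce:
        deploy:
          steps:
          - task: AzureCLI@2
            inputs:
              azureSubscription: azure-sc
              scriptType: bash
              scriptLocation: inlineScript
              inlineScript: |
                set -euo pipefail
                OLD=$(az containerapp revision list -n $(app) -g $(rg) --query "[?properties.active && name!='$(newRev)'].name | [0]" -o tsv)
                # Gradual increase: 50%, then 100%; then deactivate the old revision.
                az containerapp ingress traffic set -n $(app) -g $(rg) --revision-weight "$OLD=50" "$(newRev)=50"
                az containerapp ingress traffic set -n $(app) -g $(rg) --revision-weight "$OLD=0" "$(newRev)=100"
                az containerapp revision deactivate -n $(app) -g $(rg) --revision "$OLD"
```

The approval check on the production environment is what holds the Promote stage until someone has reviewed the canary's logs and metrics; until it is approved, the old revision keeps 90% of the traffic.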
