It sounds like this is anything built upon Kestrel which is a lot. I was going t...

nirvana99 · 2025-10-28T12:27:09 1761654429

ASP.NET Core:

>= 6.0.0 <= 6.0.36

>= 8.0.0 <= 8.0.20

>= 9.0.0 <= 9.0.9

<= 10.0.0-rc.1

Microsoft.AspNetCore.Server.Kestrel.Core:

<= 2.3.0

Uvix · 2025-10-28T12:49:55 1761655795

Those are just the ones they're fixing. Versions <6.0 are still vulnerable, they're just not getting patched because they're out of support.

ozim · 2025-10-28T13:07:18 1761656838

Don't use out of support software or at least don't use out of support software exposed to the internet.

pixl97 · 2025-10-28T14:40:46 1761662446

Internal attacks are easy enough in a large enough network.

haydenbarnes · 2025-10-28T14:42:50 1761662570

>= 6.0.0 <= 6.0.36 versions are not being fixed by Microsoft.

Fixes are available for .NET 6 from HeroDevs ongoing security support for .NET 6, called NES* for .NET.

*never ending support

Bluescreenbuddy · 2025-10-28T20:12:24 1761682344

7 is also EOL. It did not receive a patch. Last time it was updated was May 2024