Appearance
MET-2025-004
ASP.NET (CVE-2025-55315)
Skip to content
| Bulletin ID | MET-2025-004 |
|---|---|
| Date (published) | 2025-10-15T00:00:00.000Z |
| Date (last updated) | 2025-10-15T00:00:00.000Z |
| Severity | Critical |
Description
On Oct 14th, 2025, a vulnerability was published on ASP.NET Core that allows attacker to bypass security checks. This could allow unauthorized attacker to perform any LiveOps Dashboard operations or impersonate any dashboard user.
Affected Products/Services
Metaplay products are affected by these vulnerabilities:
All Metaplay
game-serverversions using the following .NET Runtime versions are affected by this vulnerability:- 9.x series: All versions before:
9.0.10 - 8.x series: All versions before:
8.0.21
- 9.x series: All versions before:
You may check if you are affected by navigating to Dashboard -> Server Messages -> Telemetry Messages. If you see the following message (or similar for version 8.0.21)
text
.NET v9.0.10 is available
You are running .NET v9.0.* when v9.0.10 is available. You can update to the latest .NET patch version by building and deploying your server!then the deployment is affected. If the message is not shown, you are not affected.
Impact
Attacker may perform any LiveOps Dashboard operations, assume any role, and impersonate any user.
Solution
Rebuild the game-server and deploy it.
Updated base-images for game-server have been published and rebuilding will update the dotnet runtime used by the game-server.
CVE and CVSS Information
Contact Information
Security-related questions or concerns can be sent to security@metaplay.io.
Revision History
| Date | Description |
|---|---|
| 2025-10-15 | Security Bulletin released |
| 2025-10-15 | Updated instructions how to detect if a deployment is affected |