CWE-444
AllowedInconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')
Abstraction: Base · Status: Incomplete
The product acts as an intermediary HTTP agent (such as a proxy or firewall) in the data flow between two entities such as a client and server, but it does not interpret malformed HTTP requests or responses in ways that are consistent with how the messages will be processed by those entities that are at the ultimate destination.
551 vulnerabilities reference this CWE, most recent first.
GHSA-4R7G-FJ95-JWPC
Vulnerability from github – Published: 2022-04-12 00:00 – Updated: 2022-04-19 00:01A flaw was found in the original fix for the netty-codec-http CVE-2021-21409, where the OpenShift Logging openshift-logging/elasticsearch6-rhel8 container was incomplete. The vulnerable netty-codec-http maven package was not removed from the image content. This flaw affects origin-aggregated-logging versions 3.11.
{
"affected": [],
"aliases": [
"CVE-2022-0552"
],
"database_specific": {
"cwe_ids": [
"CWE-444"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-04-11T20:15:00Z",
"severity": "MODERATE"
},
"details": "A flaw was found in the original fix for the netty-codec-http CVE-2021-21409, where the OpenShift Logging openshift-logging/elasticsearch6-rhel8 container was incomplete. The vulnerable netty-codec-http maven package was not removed from the image content. This flaw affects origin-aggregated-logging versions 3.11.",
"id": "GHSA-4r7g-fj95-jwpc",
"modified": "2022-04-19T00:01:27Z",
"published": "2022-04-12T00:00:32Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-0552"
},
{
"type": "WEB",
"url": "https://github.com/openshift/origin-aggregated-logging/commit/d6b72d6c32e7c06b65324294d10406546734004d"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2022:0721"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2022:0727"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2022:0728"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/CVE-2021-21409"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/CVE-2022-0552"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2052539"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-4VR9-8CJF-VF9C
Vulnerability from github – Published: 2021-10-12 16:00 – Updated: 2021-10-08 22:14Impact
This vulnerability affects any webserver that uses async-h1 behind a reverse proxy, including all such Tide applications.
If the server does not read the body of a request which is longer than some buffer length, async-h1 will attempt to read a subsequent request from the body content starting at that offset into the body.
One way to exploit this vulnerability would be for an adversary to craft a request such that the body contains a request that would not be noticed by a reverse proxy, allowing it to forge forwarded/x-forwarded headers. If an application trusted the authenticity of these headers, it could be misled by the smuggled request.
Another potential concern with this vulnerability is that if a reverse proxy is sending multiple http clients' requests along the same keep-alive connection, it would be possible for the smuggled request to specify a long content and capture another user's request in its body. This content could be captured in a post request to an endpoint that allows the content to be subsequently retrieved by the adversary.
Patches
This has been addressed in async-h1 2.3.0 and previous versions have been yanked.
Workarounds
none
References
https://github.com/http-rs/async-h1/releases/tag/v2.3.0
For more information
If you have any questions or comments about this advisory: * Open an issue in async-h1 * Contact a core team member on zulip or discord
{
"affected": [
{
"package": {
"ecosystem": "crates.io",
"name": "async-h1"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.3.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2020-26281"
],
"database_specific": {
"cwe_ids": [
"CWE-444"
],
"github_reviewed": true,
"github_reviewed_at": "2021-10-08T22:14:28Z",
"nvd_published_at": "2020-12-21T22:15:00Z",
"severity": "MODERATE"
},
"details": "### Impact\nThis vulnerability affects any webserver that uses async-h1 behind a reverse proxy, including all such Tide applications.\n\nIf the server does not read the body of a request which is longer than some buffer length, async-h1 will attempt to read a subsequent request from the body content starting at that offset into the body.\n\nOne way to exploit this vulnerability would be for an adversary to craft a request such that the body contains a request that would not be noticed by a reverse proxy, allowing it to forge forwarded/x-forwarded headers. If an application trusted the authenticity of these headers, it could be misled by the smuggled request.\n\nAnother potential concern with this vulnerability is that if a reverse proxy is sending multiple http clients\u0027 requests along the same keep-alive connection, it would be possible for the smuggled request to specify a long content and capture another user\u0027s request in its body. This content could be captured in a post request to an endpoint that allows the content to be subsequently retrieved by the adversary.\n\n\n### Patches\nThis has been addressed in async-h1 2.3.0 and previous versions have been yanked.\n\n### Workarounds\nnone\n\n### References\nhttps://github.com/http-rs/async-h1/releases/tag/v2.3.0\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Open an issue in [async-h1](https://github.com/http-rs/async-h1)\n* Contact a core team member on [zulip](https://http-rs.zulip-chat.com) or [discord](https://discord.gg/x2gKzst)",
"id": "GHSA-4vr9-8cjf-vf9c",
"modified": "2021-10-08T22:14:28Z",
"published": "2021-10-12T16:00:37Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/http-rs/async-h1/security/advisories/GHSA-4vr9-8cjf-vf9c"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-26281"
},
{
"type": "PACKAGE",
"url": "https://github.com/http-rs/async-h1"
},
{
"type": "WEB",
"url": "https://github.com/http-rs/async-h1/releases/tag/v2.3.0"
},
{
"type": "WEB",
"url": "https://rustsec.org/advisories/RUSTSEC-2020-0093.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N",
"type": "CVSS_V3"
}
],
"summary": "Async-h1 request smuggling possible with long unread bodies"
}
GHSA-4VWW-MC66-62M6
Vulnerability from github – Published: 2021-08-13 15:21 – Updated: 2024-03-11 18:00Apache Tomcat 10.0.0-M1 to 10.0.6, 9.0.0.M1 to 9.0.46 and 8.5.0 to 8.5.66 did not correctly parse the HTTP transfer-encoding request header in some circumstances leading to the possibility to request smuggling when used with a reverse proxy. Specifically: - Tomcat incorrectly ignored the transfer encoding header if the client declared it would only accept an HTTP/1.0 response; - Tomcat honoured the identify encoding; and - Tomcat did not ensure that, if present, the chunked encoding was the final encoding.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.apache.tomcat:tomcat"
},
"ranges": [
{
"events": [
{
"introduced": "10.0.0-M1"
},
{
"fixed": "10.0.7"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.apache.tomcat:tomcat"
},
"ranges": [
{
"events": [
{
"introduced": "9.0.0-M1"
},
{
"fixed": "9.0.48"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.apache.tomcat:tomcat"
},
"ranges": [
{
"events": [
{
"introduced": "8.5.0"
},
{
"fixed": "8.5.68"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2021-33037"
],
"database_specific": {
"cwe_ids": [
"CWE-444"
],
"github_reviewed": true,
"github_reviewed_at": "2021-07-13T19:38:16Z",
"nvd_published_at": "2021-07-12T15:15:00Z",
"severity": "MODERATE"
},
"details": "Apache Tomcat 10.0.0-M1 to 10.0.6, 9.0.0.M1 to 9.0.46 and 8.5.0 to 8.5.66 did not correctly parse the HTTP transfer-encoding request header in some circumstances leading to the possibility to request smuggling when used with a reverse proxy. Specifically: - Tomcat incorrectly ignored the transfer encoding header if the client declared it would only accept an HTTP/1.0 response; - Tomcat honoured the identify encoding; and - Tomcat did not ensure that, if present, the chunked encoding was the final encoding.",
"id": "GHSA-4vww-mc66-62m6",
"modified": "2024-03-11T18:00:29Z",
"published": "2021-08-13T15:21:14Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-33037"
},
{
"type": "WEB",
"url": "https://github.com/apache/tomcat/commit/05f9e8b00f5d9251fcd3c95dcfd6cf84177f46c8"
},
{
"type": "WEB",
"url": "https://github.com/apache/tomcat/commit/19d11556d0db99df291df33605f137976d152475"
},
{
"type": "WEB",
"url": "https://github.com/apache/tomcat/commit/3202703e6d635e39b74262e81f0cb4bcbe2170dc"
},
{
"type": "WEB",
"url": "https://github.com/apache/tomcat/commit/45d70a86a901cbd534f8f570bed2aec9f7f7b88e"
},
{
"type": "WEB",
"url": "https://github.com/apache/tomcat/commit/506134f957a4be2c5b4a9334f7b3435fc954dbc1"
},
{
"type": "WEB",
"url": "https://github.com/apache/tomcat/commit/8874fa02e9b36baa9ca6b226c0882c0190ca5a02"
},
{
"type": "WEB",
"url": "https://github.com/apache/tomcat/commit/a2c3dc4c96168743ac0bab613709a5bbdaec41d0"
},
{
"type": "WEB",
"url": "https://github.com/apache/tomcat/commit/da0e7cb093cf68b052d9175e469dbd0464441b0b"
},
{
"type": "WEB",
"url": "https://github.com/apache/tomcat/commit/eee0d024c1b3171560c92eaba79dd6eb8eb11bcd"
},
{
"type": "WEB",
"url": "https://security.gentoo.org/glsa/202208-34"
},
{
"type": "WEB",
"url": "https://security.netapp.com/advisory/ntap-20210827-0007"
},
{
"type": "WEB",
"url": "https://tomcat.apache.org/security-10.html"
},
{
"type": "WEB",
"url": "https://tomcat.apache.org/security-8.html"
},
{
"type": "WEB",
"url": "https://tomcat.apache.org/security-9.html"
},
{
"type": "WEB",
"url": "https://www.debian.org/security/2021/dsa-4952"
},
{
"type": "WEB",
"url": "https://www.oracle.com//security-alerts/cpujul2021.html"
},
{
"type": "WEB",
"url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
},
{
"type": "WEB",
"url": "https://www.oracle.com/security-alerts/cpujan2022.html"
},
{
"type": "WEB",
"url": "https://www.oracle.com/security-alerts/cpuoct2021.html"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2021/08/msg00009.html"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread/kovg1bft77xo34ksrcskh5nl50p69962"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/rf1b54fd3f52f998ca4829159a88cc4c23d6cef5c6447d00948e75c97@%3Ccommits.tomee.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/re01e7e93154e8bdf78a11a23f9686427bd3d51fc6e12c508645567b7@%3Ccommits.tomee.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/rd0dfea39829bc0606c936a16f6fca338127c86c0a1083970b45ac8d2@%3Ccommits.tomee.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/rc6ef52453bb996a98cb45442871a1db56b7c349939e45d829bf9ae37@%3Ccommits.tomee.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/r612a79269b0d5e5780c62dfd34286a8037232fec0bc6f1a7e60c9381%40%3Cannounce.tomcat.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/r40f921575aee8d7d34e53182f862c45cbb8f3d898c9d4e865c2ec262@%3Ccommits.tomee.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/r290aee55b72811fd19e75ac80f6143716c079170c5671b96932ed44b@%3Ccommits.tomee.apache.org%3E"
},
{
"type": "WEB",
"url": "https://kc.mcafee.com/corporate/index?page=content\u0026id=SB10366"
},
{
"type": "PACKAGE",
"url": "https://github.com/apache/tomcat"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
],
"summary": "HTTP Request Smuggling in Apache Tomcat"
}
GHSA-4X8V-5Q76-PPWC
Vulnerability from github – Published: 2022-01-29 00:00 – Updated: 2022-02-03 00:00An issue was discovered in VeridiumID VeridiumAD 2.5.3.0. The HTTP request to trigger push notifications for VeridiumAD enrolled users does not enforce proper access control. A user can trigger push notifications for any other user. The text contained in the push notification can also be modified. If a user who receives the notification accepts it, then the user who triggered the notification can obtain the accepting user's login certificate.
{
"affected": [],
"aliases": [
"CVE-2021-42791"
],
"database_specific": {
"cwe_ids": [
"CWE-444"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-01-28T13:15:00Z",
"severity": "HIGH"
},
"details": "An issue was discovered in VeridiumID VeridiumAD 2.5.3.0. The HTTP request to trigger push notifications for VeridiumAD enrolled users does not enforce proper access control. A user can trigger push notifications for any other user. The text contained in the push notification can also be modified. If a user who receives the notification accepts it, then the user who triggered the notification can obtain the accepting user\u0027s login certificate.",
"id": "GHSA-4x8v-5q76-ppwc",
"modified": "2022-02-03T00:00:29Z",
"published": "2022-01-29T00:00:47Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-42791"
},
{
"type": "WEB",
"url": "https://www.compass-security.com/en/research/advisories"
},
{
"type": "WEB",
"url": "https://www.compass-security.com/fileadmin/Research/Advisories/2022_03_CSNC-2021-017_VeridiumId_Broken_Access_Control.txt"
},
{
"type": "WEB",
"url": "https://www.veridiumid.com/press/veridium-eliminates-passwords-with-veridiumad-for-enterprises-using-microsoft-active-directory"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-547R-PC3F-H39W
Vulnerability from github – Published: 2022-05-13 01:01 – Updated: 2022-05-13 01:01An exploitable vulnerability exists the safe browsing function of the CUJO Smart Firewall, version 7003. The bug lies in the way the safe browsing function parses HTTP requests. The "Host" header is incorrectly extracted from captured HTTP requests, which would allow an attacker to visit any malicious websites and bypass the firewall. An attacker could send an HTTP request to exploit this vulnerability.
{
"affected": [],
"aliases": [
"CVE-2018-4030"
],
"database_specific": {
"cwe_ids": [
"CWE-444"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-03-21T16:29:00Z",
"severity": "HIGH"
},
"details": "An exploitable vulnerability exists the safe browsing function of the CUJO Smart Firewall, version 7003. The bug lies in the way the safe browsing function parses HTTP requests. The \"Host\" header is incorrectly extracted from captured HTTP requests, which would allow an attacker to visit any malicious websites and bypass the firewall. An attacker could send an HTTP request to exploit this vulnerability.",
"id": "GHSA-547r-pc3f-h39w",
"modified": "2022-05-13T01:01:44Z",
"published": "2022-05-13T01:01:44Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-4030"
},
{
"type": "WEB",
"url": "https://talosintelligence.com/vulnerability_reports/TALOS-2018-0702"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-5492-MR68-4M2H
Vulnerability from github – Published: 2022-07-15 00:00 – Updated: 2023-01-26 21:30The llhttp parser in the http module in Node v17.6.0 does not correctly handle multi-line Transfer-Encoding headers. This can lead to HTTP Request Smuggling (HRS).
{
"affected": [],
"aliases": [
"CVE-2022-32215"
],
"database_specific": {
"cwe_ids": [
"CWE-444"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-07-14T15:15:00Z",
"severity": "CRITICAL"
},
"details": "The llhttp parser in the http module in Node v17.6.0 does not correctly handle multi-line Transfer-Encoding headers. This can lead to HTTP Request Smuggling (HRS).",
"id": "GHSA-5492-mr68-4m2h",
"modified": "2023-01-26T21:30:24Z",
"published": "2022-07-15T00:00:19Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-32215"
},
{
"type": "WEB",
"url": "https://hackerone.com/reports/1501679"
},
{
"type": "WEB",
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-332410.pdf"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2ICG6CSIB3GUWH5DUSQEVX53MOJW7LYK"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QCNN3YG2BCLS4ZEKJ3CLSUT6AS7AXTH3"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VMQK5L5SBYD47QQZ67LEMHNQ662GH3OY"
},
{
"type": "WEB",
"url": "https://nodejs.org/en/blog/vulnerability/july-2022-security-releases"
},
{
"type": "WEB",
"url": "https://security.netapp.com/advisory/ntap-20220915-0001"
},
{
"type": "WEB",
"url": "https://www.debian.org/security/2023/dsa-5326"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-563X-Q5RQ-57QP
Vulnerability from github – Published: 2026-04-09 21:31 – Updated: 2026-05-20 21:54Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') vulnerability in Apache Tomcat via invalid chunk extension.
This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.18, from 10.1.0-M1 through 10.1.52, from 9.0.0.M1 through 9.0.115, from 8.5.0 through 8.5.100, from 7.0.0 through 7.0.109. Other, unsupported versions may also be affected.
Users are recommended to upgrade to version 11.0.20, 10.1.52 or 9.0.116, which fix the issue.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.apache.tomcat:tomcat-coyote"
},
"ranges": [
{
"events": [
{
"introduced": "7.0.0"
},
{
"fixed": "9.0.116"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.apache.tomcat:tomcat-coyote"
},
"ranges": [
{
"events": [
{
"introduced": "10.1.0-M1"
},
{
"fixed": "10.1.52"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 11.0.18"
},
"package": {
"ecosystem": "Maven",
"name": "org.apache.tomcat:tomcat-coyote"
},
"ranges": [
{
"events": [
{
"introduced": "11.0.0-M1"
},
{
"fixed": "11.0.20"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.apache.tomcat.embed:tomcat-embed-core"
},
"ranges": [
{
"events": [
{
"introduced": "7.0.0"
},
{
"fixed": "9.0.116"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.apache.tomcat.embed:tomcat-embed-core"
},
"ranges": [
{
"events": [
{
"introduced": "10.1.0-M1"
},
{
"fixed": "10.1.52"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 11.0.18"
},
"package": {
"ecosystem": "Maven",
"name": "org.apache.tomcat.embed:tomcat-embed-core"
},
"ranges": [
{
"events": [
{
"introduced": "11.0.0-M1"
},
{
"fixed": "11.0.20"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-24880"
],
"database_specific": {
"cwe_ids": [
"CWE-444"
],
"github_reviewed": true,
"github_reviewed_at": "2026-04-10T22:07:01Z",
"nvd_published_at": "2026-04-09T20:16:24Z",
"severity": "HIGH"
},
"details": "Inconsistent Interpretation of HTTP Requests (\u0027HTTP Request/Response Smuggling\u0027) vulnerability in Apache Tomcat via invalid chunk extension.\n\nThis issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.18, from 10.1.0-M1 through 10.1.52, from 9.0.0.M1 through 9.0.115, from 8.5.0 through 8.5.100, from 7.0.0 through 7.0.109.\nOther, unsupported versions may also be affected.\n\nUsers are recommended to upgrade to version 11.0.20, 10.1.52 or 9.0.116, which fix the issue.",
"id": "GHSA-563x-q5rq-57qp",
"modified": "2026-05-20T21:54:29Z",
"published": "2026-04-09T21:31:29Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-24880"
},
{
"type": "WEB",
"url": "https://github.com/apache/tomcat/commit/1b586d6aa8ae65726da5fa8799427b5d4718478a"
},
{
"type": "WEB",
"url": "https://github.com/apache/tomcat/commit/1e71441a15972f56e661b0b549fb9e5d838b83bb"
},
{
"type": "WEB",
"url": "https://github.com/apache/tomcat/commit/2cb06c34f661ca42f7570bbcc21e99806184bcc5"
},
{
"type": "WEB",
"url": "https://github.com/apache/tomcat/commit/6d478dbe18b7c4bb671c30fedf130309b0dab77c"
},
{
"type": "WEB",
"url": "https://github.com/apache/tomcat/commit/f07df938d00f7419b40fa65aa912966d0efac522"
},
{
"type": "WEB",
"url": "https://github.com/apache/tomcat/commit/fde1a8235fb73125217bd41e162aa0a113f33552"
},
{
"type": "PACKAGE",
"url": "https://github.com/apache/tomcat"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread/2c682qnlg2tv4o5knlggqbl9yc2gb5sn"
},
{
"type": "WEB",
"url": "https://tomcat.apache.org/security-10.html#Fixed_in_Apache_Tomcat_10.1.53"
},
{
"type": "WEB",
"url": "https://tomcat.apache.org/security-11.html#Fixed_in_Apache_Tomcat_11.0.20"
},
{
"type": "WEB",
"url": "https://tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.116"
},
{
"type": "WEB",
"url": "https://www.herodevs.com/vulnerability-directory/cve-2026-24880"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2026/04/09/20"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
],
"summary": "Apache Tomcat has an HTTP Request/Response Smuggling vulnerability"
}
GHSA-5689-V88G-G6RV
Vulnerability from github – Published: 2022-07-15 00:00 – Updated: 2023-07-10 21:31The llhttp parser in the http module in Node.js v17.x does not correctly parse and validate Transfer-Encoding headers and can lead to HTTP Request Smuggling (HRS).
Impacts:
- All versions of the nodejs 18.x, 16.x, and 14.x releases lines.
- llhttp v6.0.7 and llhttp v2.1.5 contains the fixes that were updated inside Node.js
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "llhttp"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "6.0.7"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2022-32213"
],
"database_specific": {
"cwe_ids": [
"CWE-444"
],
"github_reviewed": true,
"github_reviewed_at": "2023-07-10T21:31:51Z",
"nvd_published_at": "2022-07-14T15:15:00Z",
"severity": "CRITICAL"
},
"details": "The llhttp parser in the http module in Node.js v17.x does not correctly parse and validate Transfer-Encoding headers and can lead to HTTP Request Smuggling (HRS).\n\nImpacts:\n\n- All versions of the nodejs 18.x, 16.x, and 14.x releases lines.\n- llhttp v6.0.7 and llhttp v2.1.5 contains the fixes that were updated inside Node.js",
"id": "GHSA-5689-v88g-g6rv",
"modified": "2023-07-10T21:31:51Z",
"published": "2022-07-15T00:00:18Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-32213"
},
{
"type": "WEB",
"url": "https://github.com/nodejs/llhttp/commit/18a4afc7ffb4e49dc9e2daebc50588199a6d1dbb"
},
{
"type": "WEB",
"url": "https://hackerone.com/reports/1524555"
},
{
"type": "WEB",
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-332410.pdf"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2ICG6CSIB3GUWH5DUSQEVX53MOJW7LYK"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QCNN3YG2BCLS4ZEKJ3CLSUT6AS7AXTH3"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VMQK5L5SBYD47QQZ67LEMHNQ662GH3OY"
},
{
"type": "WEB",
"url": "https://nodejs.org/en/blog/vulnerability/july-2022-security-releases"
},
{
"type": "WEB",
"url": "https://security.netapp.com/advisory/ntap-20220915-0001"
},
{
"type": "WEB",
"url": "https://www.debian.org/security/2023/dsa-5326"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
],
"summary": "llhttp allows HTTP Request Smuggling via Flawed Parsing of Transfer-Encoding"
}
GHSA-57Q5-X8JF-G7H8
Vulnerability from github – Published: 2022-05-13 01:47 – Updated: 2025-01-15 15:05Red Hat JBoss EAP version 3.0.7.Final until 3.0.25.Final, 3.5.0.CR1, and 4.0.0.Beta1 is vulnerable to a server-side cache poisoning or CORS requests in the JAX-RS component resulting in a moderate impact.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 3.0.24.Final"
},
"package": {
"ecosystem": "Maven",
"name": "org.jboss.resteasy:resteasy-jaxrs"
},
"ranges": [
{
"events": [
{
"introduced": "3.0.7.Final"
},
{
"fixed": "3.0.25.Final"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.jboss.resteasy:resteasy-jaxrs"
},
"ranges": [
{
"events": [
{
"introduced": "3.1.4.Final"
},
{
"fixed": "3.5.0.CR1"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"3.1.4.Final"
]
}
],
"aliases": [
"CVE-2017-7561"
],
"database_specific": {
"cwe_ids": [
"CWE-444"
],
"github_reviewed": true,
"github_reviewed_at": "2022-07-01T11:43:57Z",
"nvd_published_at": "2017-09-13T17:29:00Z",
"severity": "HIGH"
},
"details": "Red Hat JBoss EAP version 3.0.7.Final until 3.0.25.Final, 3.5.0.CR1, and 4.0.0.Beta1 is vulnerable to a server-side cache poisoning or CORS requests in the JAX-RS component resulting in a moderate impact.",
"id": "GHSA-57q5-x8jf-g7h8",
"modified": "2025-01-15T15:05:52Z",
"published": "2022-05-13T01:47:01Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-7561"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2018:0002"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2018:0003"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2018:0004"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2018:0005"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2018:0478"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2018:0479"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2018:0480"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2018:0481"
},
{
"type": "PACKAGE",
"url": "https://github.com/resteasy/Resteasy"
},
{
"type": "WEB",
"url": "https://issues.jboss.org/browse/RESTEASY-1704"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
],
"summary": "Inconsistent Interpretation of HTTP Requests in Red Hat JBoss EAP"
}
GHSA-57RV-R2G8-2CJ3
Vulnerability from github – Published: 2026-05-07 00:21 – Updated: 2026-05-14 20:41Summary
If HttpClientCodec is configured, there are use cases when a response body from one request, can be parsed as another's.
Details
HttpClientCodec pairs each inbound response with an outbound request by queue.poll() once per response, including for 1xx. If the client pipelines GET then HEAD and the server sends 103, then 200 with GET body, then 200 for HEAD, the queue pairs HEAD with the first 200. The HEAD rule then skips reading that message’s body, so the GET entity bytes stay on the stream and the following 200 is parsed from the wrong offset.
Prerequisites - HTTP/1.1 pipelining - HEAD in the pipeline - The server sends 1xx
PoC
@Test
public void test() {
EmbeddedChannel channel = new EmbeddedChannel(new HttpClientCodec());
assertTrue(channel.writeOutbound(new DefaultFullHttpRequest(HttpVersion.HTTP_1_1, HttpMethod.GET, "/1")));
ByteBuf request = channel.readOutbound();
request.release();
assertNull(channel.readOutbound());
assertTrue(channel.writeOutbound(new DefaultFullHttpRequest(HttpVersion.HTTP_1_1, HttpMethod.HEAD, "/2")));
request = channel.readOutbound();
request.release();
assertNull(channel.readOutbound());
String responseStr = "HTTP/1.1 103 Early Hints\r\n\r\n" +
"HTTP/1.1 200 OK\r\nContent-Length: 5\r\n\r\nhello" +
"HTTP/1.1 200 OK\r\n\r\n";
assertTrue(channel.writeInbound(Unpooled.copiedBuffer(responseStr, CharsetUtil.US_ASCII)));
// Response 1
HttpResponse response = channel.readInbound();
assertEquals(HttpResponseStatus.EARLY_HINTS, response.status());
LastHttpContent last = channel.readInbound();
assertEquals(0, last.content().readableBytes());
last.release();
// Response 2
response = channel.readInbound();
assertEquals(HttpResponseStatus.OK, response.status());
last = channel.readInbound();
assertEquals(0, last.content().readableBytes());
last.release();
// Response 3
FullHttpResponse response1 = channel.readInbound();
assertTrue(response1.decoderResult().isFailure());
assertEquals(0, response1.content().readableBytes());
response1.release();
assertFalse(channel.finish());
}
Impact
Integrity/availability of HTTP parsing on that connection, unsafe reuse of the socket.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 4.2.12.Final"
},
"package": {
"ecosystem": "Maven",
"name": "io.netty:netty-codec-http"
},
"ranges": [
{
"events": [
{
"introduced": "4.2.0.Alpha1"
},
{
"fixed": "4.2.13.Final"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 4.1.132.Final"
},
"package": {
"ecosystem": "Maven",
"name": "io.netty:netty-codec-http"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "4.1.133.Final"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-42584"
],
"database_specific": {
"cwe_ids": [
"CWE-444"
],
"github_reviewed": true,
"github_reviewed_at": "2026-05-07T00:21:48Z",
"nvd_published_at": "2026-05-13T19:17:24Z",
"severity": "HIGH"
},
"details": "### Summary\n If HttpClientCodec is configured, there are use cases when a response body from one request, can be parsed as another\u0027s.\n\n### Details\nHttpClientCodec pairs each inbound response with an outbound request by `queue.poll()` once per response, including for `1xx`. If the client pipelines GET then HEAD and the server sends 103, then 200 with GET body, then 200 for HEAD, the queue pairs HEAD with the first 200. The HEAD rule then skips reading that message\u2019s body, so the GET entity bytes stay on the stream and the following 200 is parsed from the wrong offset.\n\nPrerequisites \n- HTTP/1.1 pipelining\n- HEAD in the pipeline\n- The server sends 1xx\n\n### PoC\n\n```java\n @Test\n public void test() {\n EmbeddedChannel channel = new EmbeddedChannel(new HttpClientCodec());\n\n assertTrue(channel.writeOutbound(new DefaultFullHttpRequest(HttpVersion.HTTP_1_1, HttpMethod.GET, \"/1\")));\n ByteBuf request = channel.readOutbound();\n request.release();\n assertNull(channel.readOutbound());\n\n assertTrue(channel.writeOutbound(new DefaultFullHttpRequest(HttpVersion.HTTP_1_1, HttpMethod.HEAD, \"/2\")));\n request = channel.readOutbound();\n request.release();\n assertNull(channel.readOutbound());\n\n String responseStr = \"HTTP/1.1 103 Early Hints\\r\\n\\r\\n\" +\n \"HTTP/1.1 200 OK\\r\\nContent-Length: 5\\r\\n\\r\\nhello\" +\n \"HTTP/1.1 200 OK\\r\\n\\r\\n\";\n assertTrue(channel.writeInbound(Unpooled.copiedBuffer(responseStr, CharsetUtil.US_ASCII)));\n\n // Response 1\n HttpResponse response = channel.readInbound();\n assertEquals(HttpResponseStatus.EARLY_HINTS, response.status());\n LastHttpContent last = channel.readInbound();\n assertEquals(0, last.content().readableBytes());\n last.release();\n\n // Response 2\n response = channel.readInbound();\n assertEquals(HttpResponseStatus.OK, response.status());\n last = channel.readInbound();\n assertEquals(0, last.content().readableBytes());\n last.release();\n\n // Response 3\n FullHttpResponse response1 = channel.readInbound();\n assertTrue(response1.decoderResult().isFailure());\n assertEquals(0, response1.content().readableBytes());\n response1.release();\n\n assertFalse(channel.finish());\n }\n```\n\n### Impact\nIntegrity/availability of HTTP parsing on that connection, unsafe reuse of the socket.",
"id": "GHSA-57rv-r2g8-2cj3",
"modified": "2026-05-14T20:41:17Z",
"published": "2026-05-07T00:21:48Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/netty/netty/security/advisories/GHSA-57rv-r2g8-2cj3"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42584"
},
{
"type": "PACKAGE",
"url": "https://github.com/netty/netty"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
"type": "CVSS_V3"
}
],
"summary": "Netty has HttpClientCodec response desynchronization"
}
Mitigation
Use a web server that employs a strict HTTP parsing procedure, such as Apache [REF-433].
Mitigation
Use only SSL communication.
Mitigation
Terminate the client session after each request.
Mitigation
Turn all pages to non-cacheable.
CAPEC-273: HTTP Response Smuggling
An adversary manipulates and injects malicious content in the form of secret unauthorized HTTP responses, into a single HTTP response from a vulnerable or compromised back-end HTTP agent (e.g., server).
See CanPrecede relationships for possible consequences.
CAPEC-33: HTTP Request Smuggling
An adversary abuses the flexibility and discrepancies in the parsing and interpretation of HTTP Request messages using various HTTP headers, request-line and body parameters as well as message sizes (denoted by the end of message signaled by a given HTTP header) by different intermediary HTTP agents (e.g., load balancer, reverse proxy, web caching proxies, application firewalls, etc.) to secretly send unauthorized and malicious HTTP requests to a back-end HTTP agent (e.g., web server).
See CanPrecede relationships for possible consequences.