CWE-444
AllowedInconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')
Abstraction: Base · Status: Incomplete
The product acts as an intermediary HTTP agent (such as a proxy or firewall) in the data flow between two entities such as a client and server, but it does not interpret malformed HTTP requests or responses in ways that are consistent with how the messages will be processed by those entities that are at the ultimate destination.
551 vulnerabilities reference this CWE, most recent first.
GHSA-968F-66R5-5V74
Vulnerability from github – Published: 2020-01-06 18:44 – Updated: 2024-11-19 13:58Impact
The patches introduced to fix https://github.com/Pylons/waitress/security/advisories/GHSA-m5ff-3wj3-8ph4 were not complete and still would allow an attacker to smuggle requests/split a HTTP request with invalid data.
This updates the existing CVE with ID: CVE-2019-16789
Patches
Waitress version 1.4.2 has been updated to now validate HTTP headers better to avoid the issue, completely fixing all known issues with whitespace.
Workarounds
There are no work-arounds, upgrading to Waitress 1.4.2 is highly recommended.
References
See https://github.com/Pylons/waitress/security/advisories/GHSA-m5ff-3wj3-8ph4 for more information on the security issue.
For more information
If you have any questions or comments about this advisory:
- open an issue at https://github.com/Pylons/waitress/issues (if not sensitive or security related)
- email the Pylons Security mailing list: pylons-project-security@googlegroups.com (if security related)
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "waitress"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.4.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2019-16789"
],
"database_specific": {
"cwe_ids": [
"CWE-444"
],
"github_reviewed": true,
"github_reviewed_at": "2020-01-06T18:43:11Z",
"nvd_published_at": "2019-12-26T17:15:00Z",
"severity": "MODERATE"
},
"details": "### Impact\n\nThe patches introduced to fix https://github.com/Pylons/waitress/security/advisories/GHSA-m5ff-3wj3-8ph4 were not complete and still would allow an attacker to smuggle requests/split a HTTP request with invalid data.\n\nThis updates the existing CVE with ID: CVE-2019-16789\n\n### Patches\n\nWaitress version 1.4.2 has been updated to now validate HTTP headers better to avoid the issue, completely fixing all known issues with whitespace.\n\n### Workarounds\n\nThere are no work-arounds, upgrading to Waitress 1.4.2 is highly recommended.\n\n### References\n\nSee https://github.com/Pylons/waitress/security/advisories/GHSA-m5ff-3wj3-8ph4 for more information on the security issue.\n\n### For more information\n\nIf you have any questions or comments about this advisory:\n\n* open an issue at https://github.com/Pylons/waitress/issues (if not sensitive or security related)\n* email the Pylons Security mailing list: pylons-project-security@googlegroups.com (if security related)",
"id": "GHSA-968f-66r5-5v74",
"modified": "2024-11-19T13:58:27Z",
"published": "2020-01-06T18:44:21Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/Pylons/waitress/security/advisories/GHSA-968f-66r5-5v74"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-16789"
},
{
"type": "WEB",
"url": "https://github.com/github/advisory-review/pull/14604"
},
{
"type": "WEB",
"url": "https://github.com/Pylons/waitress/commit/11d9e138125ad46e951027184b13242a3c1de017"
},
{
"type": "WEB",
"url": "https://github.com/Pylons/waitress/commit/ddb65b489d01d696afa1695b75fdd5df3e4ffdf8"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2020:0720"
},
{
"type": "WEB",
"url": "https://docs.pylonsproject.org/projects/waitress/en/latest/#security-fixes"
},
{
"type": "PACKAGE",
"url": "https://github.com/Pylons/waitress"
},
{
"type": "ADVISORY",
"url": "https://github.com/advisories/GHSA-968f-66r5-5v74"
},
{
"type": "WEB",
"url": "https://github.com/pypa/advisory-database/tree/main/vulns/waitress/PYSEC-2019-138.yaml"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2022/05/msg00011.html"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GVDHR2DNKCNQ7YQXISJ45NT4IQDX3LJ7"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LYEOTGWJZVKPRXX2HBNVIYWCX73QYPM5"
},
{
"type": "WEB",
"url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:H/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:N/SC:L/SI:H/SA:N",
"type": "CVSS_V4"
}
],
"summary": "HTTP Request Smuggling in Waitress: Invalid whitespace characters in headers (Follow-up)"
}
GHSA-974X-WV37-RCCW
Vulnerability from github – Published: 2026-07-01 00:34 – Updated: 2026-07-01 00:34IBM WebSphere Application Server 9.0, and 8.5 and IBM WebSphere Application Server - Liberty 17.0.0.3 through 26.0.0.6 are affected by an HTTP request smuggling vulnerability.
{
"affected": [],
"aliases": [
"CVE-2026-11541"
],
"database_specific": {
"cwe_ids": [
"CWE-444"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-06-30T22:16:46Z",
"severity": "HIGH"
},
"details": "IBM WebSphere Application Server 9.0, and 8.5 and IBM WebSphere Application Server - Liberty 17.0.0.3 through 26.0.0.6 are affected by an HTTP request smuggling vulnerability.",
"id": "GHSA-974x-wv37-rccw",
"modified": "2026-07-01T00:34:00Z",
"published": "2026-07-01T00:34:00Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-11541"
},
{
"type": "WEB",
"url": "https://www.ibm.com/support/pages/node/7277550"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-9HF4-67FC-4VF4
Vulnerability from github – Published: 2024-09-20 14:40 – Updated: 2025-11-04 16:53Impact
Clients could clobber values set by intermediate proxies (such as X-Forwarded-For) by providing a underscore version of the same header (X-Forwarded_For). Any users trusting headers set by their proxy may be affected. Attackers may be able to downgrade connections to HTTP (non-SSL) or redirect responses, which could cause confidentiality leaks if combined with a separate MITM attack.
Patches
v6.4.3/v5.6.9 now discards any headers using underscores if the non-underscore version also exists. Effectively, allowing the proxy defined headers to always win.
Workarounds
Nginx has a underscores_in_headers configuration variable to discard these headers at the proxy level.
Any users that are implicitly trusting the proxy defined headers for security or availability should immediately cease doing so until upgraded to the fixed versions.
{
"affected": [
{
"package": {
"ecosystem": "RubyGems",
"name": "puma"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "5.6.9"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "RubyGems",
"name": "puma"
},
"ranges": [
{
"events": [
{
"introduced": "6.0.0"
},
{
"fixed": "6.4.3"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2024-45614"
],
"database_specific": {
"cwe_ids": [
"CWE-444",
"CWE-639"
],
"github_reviewed": true,
"github_reviewed_at": "2024-09-20T14:40:16Z",
"nvd_published_at": "2024-09-19T23:15:11Z",
"severity": "MODERATE"
},
"details": "### Impact\n\nClients could clobber values set by intermediate proxies (such as X-Forwarded-For) by providing a underscore version of the same header (X-Forwarded_For). Any users trusting headers set by their proxy may be affected. Attackers may be able to downgrade connections to HTTP (non-SSL) or redirect responses, which could cause confidentiality leaks if combined with a separate MITM attack. \n\n### Patches\nv6.4.3/v5.6.9 now discards any headers using underscores if the non-underscore version also exists. Effectively, allowing the proxy defined headers to always win.\n\n### Workarounds\nNginx has a [underscores_in_headers](https://nginx.org/en/docs/http/ngx_http_core_module.html#underscores_in_headers) configuration variable to discard these headers at the proxy level.\n\nAny users that are implicitly trusting the proxy defined headers for security or availability should immediately cease doing so until upgraded to the fixed versions.",
"id": "GHSA-9hf4-67fc-4vf4",
"modified": "2025-11-04T16:53:06Z",
"published": "2024-09-20T14:40:16Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/puma/puma/security/advisories/GHSA-9hf4-67fc-4vf4"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-45614"
},
{
"type": "WEB",
"url": "https://github.com/puma/puma/commit/cac3fd18cf29ed43719ff5d52d9cfec215f0a043"
},
{
"type": "WEB",
"url": "https://github.com/puma/puma/commit/f196b23be24712fb8fb16051cc124798cc84f70e"
},
{
"type": "PACKAGE",
"url": "https://github.com/puma/puma"
},
{
"type": "WEB",
"url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/puma/CVE-2024-45614.yml"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2024/11/msg00004.html"
},
{
"type": "WEB",
"url": "https://nginx.org/en/docs/http/ngx_http_core_module.html#underscores_in_headers"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Puma\u0027s header normalization allows for client to clobber proxy set headers"
}
GHSA-9JJC-H3C2-FW2V
Vulnerability from github – Published: 2026-06-29 21:32 – Updated: 2026-06-29 21:32Inconsistent interpretation of HTTP/2 requests in Amazon CloudFront with AWS WAF enabled might allow remote actors to bypass AWS WAF managed rule body inspection via crafted HTTP/2 requests that fragment the request body across frames so that only a partial body is inspected.
This issue was remediated server-side. No customer action is required.
{
"affected": [],
"aliases": [
"CVE-2026-13762"
],
"database_specific": {
"cwe_ids": [
"CWE-444"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-06-29T20:17:33Z",
"severity": "HIGH"
},
"details": "Inconsistent interpretation of HTTP/2 requests in Amazon CloudFront with AWS WAF enabled might allow remote actors to bypass AWS WAF managed rule body inspection via crafted HTTP/2 requests that fragment the request body across frames so that only a partial body is inspected.\n\n\n\nThis issue was remediated server-side. No customer action is required.",
"id": "GHSA-9jjc-h3c2-fw2v",
"modified": "2026-06-29T21:32:12Z",
"published": "2026-06-29T21:32:12Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-13762"
},
{
"type": "WEB",
"url": "https://aws.amazon.com/security/security-bulletins/2026-048-aws"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-9M3P-HGHR-5V6C
Vulnerability from github – Published: 2026-06-29 21:32 – Updated: 2026-06-29 21:32Inconsistent interpretation of HTTP/2 requests in AWS Application Load Balancer with AWS WAF enabled might allow remote actors to bypass AWS WAF managed rule body inspection via crafted HTTP/2 requests that fragment the request body across frames so that only a partial body is inspected. This issue only impacts HTTP/2 ALB target groups.
To remediate this issue, customers should enable the "Inspect after sufficient data" target group configuration associated to an ALB load balancer. Refer to: ( https://docs.aws.amazon.com/elasticloadbalancing/latest/application/edit-target-group-attributes.html#waf-http2-inspection )
{
"affected": [],
"aliases": [
"CVE-2026-13763"
],
"database_specific": {
"cwe_ids": [
"CWE-444"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-06-29T20:17:33Z",
"severity": "HIGH"
},
"details": "Inconsistent interpretation of HTTP/2 requests in AWS Application Load Balancer with AWS WAF enabled might allow remote actors to bypass AWS WAF managed rule body inspection via crafted HTTP/2 requests that fragment the request body across frames so that only a partial body is inspected. This issue only impacts HTTP/2 ALB target groups.\n\n\n\nTo remediate this issue, customers should enable the \"Inspect after sufficient data\" target group configuration associated to an ALB load balancer. Refer to: ( https://docs.aws.amazon.com/elasticloadbalancing/latest/application/edit-target-group-attributes.html#waf-http2-inspection )",
"id": "GHSA-9m3p-hghr-5v6c",
"modified": "2026-06-29T21:32:12Z",
"published": "2026-06-29T21:32:12Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-13763"
},
{
"type": "WEB",
"url": "https://aws.amazon.com/security/security-bulletins/2026-048-aws"
},
{
"type": "WEB",
"url": "https://docs.aws.amazon.com/elasticloadbalancing/latest/application/edit-target-group-attributes.html#waf-http2-inspection"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-C238-W6XV-CJ4M
Vulnerability from github – Published: 2022-05-24 17:10 – Updated: 2024-03-21 03:33Citrix Gateway 11.1, 12.0, and 12.1 has an Inconsistent Interpretation of HTTP Requests.
{
"affected": [],
"aliases": [
"CVE-2020-10111"
],
"database_specific": {
"cwe_ids": [
"CWE-444"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-03-06T21:15:00Z",
"severity": "MODERATE"
},
"details": "Citrix Gateway 11.1, 12.0, and 12.1 has an Inconsistent Interpretation of HTTP Requests.",
"id": "GHSA-c238-w6xv-cj4m",
"modified": "2024-03-21T03:33:54Z",
"published": "2022-05-24T17:10:19Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-10111"
},
{
"type": "WEB",
"url": "https://support.citrix.com/search"
},
{
"type": "WEB",
"url": "http://packetstormsecurity.com/files/156661/Citrix-Gateway-11.1-12.0-12.1-Cache-Bypass.html"
},
{
"type": "WEB",
"url": "http://seclists.org/fulldisclosure/2020/Mar/11"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-C269-4HPF-QFHC
Vulnerability from github – Published: 2026-07-14 09:31 – Updated: 2026-07-14 21:31Eclipse Grizzly in versions before 5.0.2, cannot properly parse the trailer section in malformed trailer header's line, which can be leveraged to perform HTTP request smuggling.
{
"affected": [],
"aliases": [
"CVE-2026-12606"
],
"database_specific": {
"cwe_ids": [
"CWE-444"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-07-14T09:16:39Z",
"severity": "MODERATE"
},
"details": "Eclipse Grizzly in versions before 5.0.2, cannot properly parse the trailer section in malformed trailer header\u0027s line, which can be leveraged to perform HTTP request smuggling.",
"id": "GHSA-c269-4hpf-qfhc",
"modified": "2026-07-14T21:31:35Z",
"published": "2026-07-14T09:31:43Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-12606"
},
{
"type": "WEB",
"url": "https://gitlab.eclipse.org/security/cve-assignment/-/work_items/129"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-C2F4-CVQM-65W2
Vulnerability from github – Published: 2024-01-08 15:56 – Updated: 2025-11-04 16:49Impact
Prior to versions 6.4.2 and 5.6.8, puma exhibited dangerous behavior when parsing chunked transfer encoding bodies.
Fixed versions limit the size of chunk extensions. Without this limit, an attacker could cause unbounded resource (CPU, network bandwidth) consumption.
Patches
The vulnerability has been fixed in 6.4.2 and 5.6.8.
Workarounds
No known workarounds.
References
- HTTP Request Smuggling
- Open an issue in Puma
- See our security policy
{
"affected": [
{
"package": {
"ecosystem": "RubyGems",
"name": "puma"
},
"ranges": [
{
"events": [
{
"introduced": "6.0.0"
},
{
"fixed": "6.4.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "RubyGems",
"name": "puma"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "5.6.8"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2024-21647"
],
"database_specific": {
"cwe_ids": [
"CWE-444"
],
"github_reviewed": true,
"github_reviewed_at": "2024-01-08T15:56:48Z",
"nvd_published_at": "2024-01-08T14:15:47Z",
"severity": "MODERATE"
},
"details": "### Impact\nPrior to versions 6.4.2 and 5.6.8, puma exhibited dangerous behavior when parsing chunked transfer encoding bodies.\n\nFixed versions limit the size of chunk extensions. Without this limit, an attacker could cause unbounded resource (CPU, network bandwidth) consumption.\n\n### Patches\n\nThe vulnerability has been fixed in 6.4.2 and 5.6.8.\n\n### Workarounds\n\nNo known workarounds.\n\n### References\n\n* [HTTP Request Smuggling](https://portswigger.net/web-security/request-smuggling)\n* Open an issue in [Puma](https://github.com/puma/puma)\n* See our [security policy](https://github.com/puma/puma/security/policy)",
"id": "GHSA-c2f4-cvqm-65w2",
"modified": "2025-11-04T16:49:07Z",
"published": "2024-01-08T15:56:48Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/puma/puma/security/advisories/GHSA-c2f4-cvqm-65w2"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-21647"
},
{
"type": "WEB",
"url": "https://github.com/puma/puma/commit/5fc43d73b6ff193325e657a24ed76dec79133e93"
},
{
"type": "WEB",
"url": "https://github.com/puma/puma/commit/60d5ee3734adc8cee85c3f0561af392448fe19b7"
},
{
"type": "WEB",
"url": "https://github.com/puma/puma/commit/bbb880ffb6debbfdea535b4b3eb2204d49ae151d"
},
{
"type": "PACKAGE",
"url": "https://github.com/puma/puma"
},
{
"type": "WEB",
"url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/puma/CVE-2024-21647.yml"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2024/11/msg00004.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "Puma HTTP Request/Response Smuggling vulnerability"
}
GHSA-C2JG-HW38-JRQQ
Vulnerability from github – Published: 2022-04-04 21:29 – Updated: 2024-11-25 18:33The Twisted Web HTTP 1.1 server, located in the twisted.web.http module, parsed several HTTP request constructs more leniently than permitted by RFC 7230:
- The Content-Length header value could have a
+or-prefix. - Illegal characters were permitted in chunked extensions, such as the LF (
\n) character. - Chunk lengths, which are expressed in hexadecimal format, could have a prefix of
0x. - HTTP headers were stripped of all leading and trailing ASCII whitespace, rather than only space and HTAB (
\t).
This non-conformant parsing can lead to desync if requests pass through multiple HTTP parsers, potentially resulting in HTTP request smuggling.
Impact
You may be affected if:
- You use Twisted Web's HTTP 1.1 server and/or proxy
- You also pass requests through a different HTTP server and/or proxy
The specifics of the other HTTP parser matter. The original report notes that some versions of Apache Traffic Server and HAProxy have been vulnerable in the past. HTTP request smuggling may be a serious concern if you use a proxy to perform request validation or access control.
The Twisted Web client is not affected. The HTTP 2.0 server uses a different parser, so it is not affected.
Patches
The issue has been addressed in Twisted 22.4.0rc1 and later.
Workarounds
Other than upgrading Twisted, you could:
- Ensure any vulnerabilities in upstream proxies have been addressed, such as by upgrading them
- Filter malformed requests by other means, such as configuration of an upstream proxy
Credits
This issue was initially reported by Zhang Zeyu.
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "Twisted"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "22.4.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2022-24801"
],
"database_specific": {
"cwe_ids": [
"CWE-444"
],
"github_reviewed": true,
"github_reviewed_at": "2022-04-04T21:29:41Z",
"nvd_published_at": "2022-04-04T18:15:00Z",
"severity": "CRITICAL"
},
"details": "The Twisted Web HTTP 1.1 server, located in the `twisted.web.http` module, parsed several HTTP request constructs more leniently than permitted by RFC 7230:\n\n1. The Content-Length header value could have a `+` or `-` prefix.\n2. Illegal characters were permitted in chunked extensions, such as the LF (`\\n`) character.\n3. Chunk lengths, which are expressed in hexadecimal format, could have a prefix of `0x`.\n4. HTTP headers were stripped of all leading and trailing ASCII whitespace, rather than only space and HTAB (`\\t`).\n\nThis non-conformant parsing can lead to desync if requests pass through multiple HTTP parsers, potentially resulting in HTTP request smuggling.\n\n### Impact\n\nYou may be affected if:\n\n1. You use Twisted Web\u0027s HTTP 1.1 server and/or proxy\n2. You also pass requests through a different HTTP server and/or proxy\n\nThe specifics of the other HTTP parser matter. The original report notes that some versions of Apache Traffic Server and HAProxy have been vulnerable in the past. HTTP request smuggling may be a serious concern if you use a proxy to perform request validation or access control.\n\nThe Twisted Web client is not affected. The HTTP 2.0 server uses a different parser, so it is not affected.\n\n### Patches\n\nThe issue has been addressed in Twisted 22.4.0rc1 and later.\n\n### Workarounds\n\nOther than upgrading Twisted, you could:\n\n* Ensure any vulnerabilities in upstream proxies have been addressed, such as by upgrading them\n* Filter malformed requests by other means, such as configuration of an upstream proxy\n\n### Credits\n\nThis issue was initially reported by [Zhang Zeyu](https://github.com/zeyu2001).",
"id": "GHSA-c2jg-hw38-jrqq",
"modified": "2024-11-25T18:33:24Z",
"published": "2022-04-04T21:29:41Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/twisted/twisted/security/advisories/GHSA-c2jg-hw38-jrqq"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-24801"
},
{
"type": "WEB",
"url": "https://github.com/twisted/twisted/commit/592217e951363d60e9cd99c5bbfd23d4615043ac"
},
{
"type": "WEB",
"url": "https://github.com/pypa/advisory-database/tree/main/vulns/twisted/PYSEC-2022-195.yaml"
},
{
"type": "PACKAGE",
"url": "https://github.com/twisted/twisted"
},
{
"type": "WEB",
"url": "https://github.com/twisted/twisted/releases/tag/twisted-22.4.0rc1"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2022/05/msg00003.html"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7U6KYDTOLPICAVSR34G2WRYLFBD2YW5K"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GLKHA6WREIVAMBQD7KKWYHPHGGNKMAG6"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7U6KYDTOLPICAVSR34G2WRYLFBD2YW5K"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GLKHA6WREIVAMBQD7KKWYHPHGGNKMAG6"
},
{
"type": "WEB",
"url": "https://www.oracle.com/security-alerts/cpujul2022.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Inconsistent Interpretation of HTTP Requests in twisted.web"
}
GHSA-C427-H43C-VF67
Vulnerability from github – Published: 2026-04-01 21:49 – Updated: 2026-04-01 21:49Summary
Multiple Host headers were allowed in aiohttp.
Impact
Mostly this doesn't affect aiohttp security itself, but if a reverse proxy is applying security rules depending on the target Host, it is theoretically possible that the proxy and aiohttp could process different host names, possibly resulting in bypassing a security check on the proxy and getting a request processed by aiohttp in a privileged sub app when using Application.add_domain().
Patch: https://github.com/aio-libs/aiohttp/commit/e00ca3cca92c465c7913c4beb763a72da9ed8349 Patch: https://github.com/aio-libs/aiohttp/commit/53e2e6fc58b89c6185be7820bd2c9f40216b3000
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 3.13.3"
},
"package": {
"ecosystem": "PyPI",
"name": "aiohttp"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.13.4"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-34525"
],
"database_specific": {
"cwe_ids": [
"CWE-20",
"CWE-444"
],
"github_reviewed": true,
"github_reviewed_at": "2026-04-01T21:49:45Z",
"nvd_published_at": "2026-04-01T21:17:00Z",
"severity": "MODERATE"
},
"details": "### Summary\n\nMultiple Host headers were allowed in aiohttp.\n\n### Impact\n\nMostly this doesn\u0027t affect aiohttp security itself, but if a reverse proxy is applying security rules depending on the target Host, it is theoretically possible that the proxy and aiohttp could process different host names, possibly resulting in bypassing a security check on the proxy and getting a request processed by aiohttp in a privileged sub app when using `Application.add_domain()`.\n\n-----\n\nPatch: https://github.com/aio-libs/aiohttp/commit/e00ca3cca92c465c7913c4beb763a72da9ed8349\nPatch: https://github.com/aio-libs/aiohttp/commit/53e2e6fc58b89c6185be7820bd2c9f40216b3000",
"id": "GHSA-c427-h43c-vf67",
"modified": "2026-04-01T21:49:45Z",
"published": "2026-04-01T21:49:45Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/aio-libs/aiohttp/security/advisories/GHSA-c427-h43c-vf67"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34525"
},
{
"type": "WEB",
"url": "https://github.com/aio-libs/aiohttp/commit/53e2e6fc58b89c6185be7820bd2c9f40216b3000"
},
{
"type": "WEB",
"url": "https://github.com/aio-libs/aiohttp/commit/e00ca3cca92c465c7913c4beb763a72da9ed8349"
},
{
"type": "PACKAGE",
"url": "https://github.com/aio-libs/aiohttp"
},
{
"type": "WEB",
"url": "https://github.com/aio-libs/aiohttp/releases/tag/v3.13.4"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:L/SI:L/SA:N",
"type": "CVSS_V4"
}
],
"summary": "AIOHTTP accepts duplicate Host headers"
}
Mitigation
Use a web server that employs a strict HTTP parsing procedure, such as Apache [REF-433].
Mitigation
Use only SSL communication.
Mitigation
Terminate the client session after each request.
Mitigation
Turn all pages to non-cacheable.
CAPEC-273: HTTP Response Smuggling
An adversary manipulates and injects malicious content in the form of secret unauthorized HTTP responses, into a single HTTP response from a vulnerable or compromised back-end HTTP agent (e.g., server).
See CanPrecede relationships for possible consequences.
CAPEC-33: HTTP Request Smuggling
An adversary abuses the flexibility and discrepancies in the parsing and interpretation of HTTP Request messages using various HTTP headers, request-line and body parameters as well as message sizes (denoted by the end of message signaled by a given HTTP header) by different intermediary HTTP agents (e.g., load balancer, reverse proxy, web caching proxies, application firewalls, etc.) to secretly send unauthorized and malicious HTTP requests to a back-end HTTP agent (e.g., web server).
See CanPrecede relationships for possible consequences.