CWE-444
AllowedInconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')
Abstraction: Base · Status: Incomplete
The product acts as an intermediary HTTP agent (such as a proxy or firewall) in the data flow between two entities such as a client and server, but it does not interpret malformed HTTP requests or responses in ways that are consistent with how the messages will be processed by those entities that are at the ultimate destination.
550 vulnerabilities reference this CWE, most recent first.
GHSA-GR7R-QQX6-V859
Vulnerability from github – Published: 2026-03-04 18:31 – Updated: 2026-03-04 18:31A vulnerability in the VPN web services component of Cisco Secure Firewall Adaptive Security Appliance (ASA) Software and Cisco Secure Firewall Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to conduct browser-based attacks against users of an affected device.
This vulnerability is due to improper validation of HTTP requests. An attacker could exploit this vulnerability by persuading a user to visit a website that is designed to pass malicious HTTP requests to a device that is running Cisco Secure Firewall ASA Software or Cisco Secure FTD Software and has web services endpoints supporting VPN features enabled. A successful exploit could allow the attacker to reflect malicious input from the affected device to the browser that is in use and conduct browser-based attacks, including cross-site scripting (XSS) attacks. The attacker is not able to directly impact the affected device.
{
"affected": [],
"aliases": [
"CVE-2026-20069"
],
"database_specific": {
"cwe_ids": [
"CWE-444"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-03-04T18:16:22Z",
"severity": "MODERATE"
},
"details": "A vulnerability in the VPN web services component of Cisco Secure Firewall Adaptive Security Appliance (ASA) Software and Cisco Secure Firewall Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to conduct browser-based attacks against users of an affected device.\n\nThis vulnerability is due to improper validation of HTTP requests. An attacker could exploit this vulnerability by persuading a user to visit a website that is designed to pass malicious HTTP requests to a device that is running Cisco Secure Firewall ASA Software or Cisco Secure FTD Software and has web services endpoints supporting VPN features enabled. A successful exploit could allow the attacker to reflect malicious input from the affected device to the browser that is in use and conduct browser-based attacks, including cross-site scripting (XSS) attacks. The attacker is not able to directly impact the affected device.",
"id": "GHSA-gr7r-qqx6-v859",
"modified": "2026-03-04T18:31:55Z",
"published": "2026-03-04T18:31:55Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-20069"
},
{
"type": "WEB",
"url": "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-desync-n5AVzEQw"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-GV3V-92V6-M48J
Vulnerability from github – Published: 2020-04-03 15:23 – Updated: 2021-07-29 15:47Impact
- Cross Site Scripting
- Cache Poisoning
- Page Hijacking
Patches
This was fixed in version 2.2.1.
Workarounds
If you are unable to update, ensure that user supplied data isn't able to flow to HTTP headers. If it does, pre-sanitize for CRLF characters.
References
CWE-113: Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting')
I've been poking at libraries to see if they are vulnerable to HTTP Response Splitting and Jooby is my third case of finding this vulnerability.
Root Cause
This roots cause back to this line in the Jooby codebase:
https://github.com/jooby-project/jooby/blob/93cfc80aa20c188f71a442ea7a1827da380e1c27/modules/jooby-netty/src/main/java/io/jooby/internal/netty/NettyContext.java#L102
The DefaultHttpHeaders takes a parameter validate which, when true (as it is for the no-arg constructor) validates that the header isn't being abused to do HTTP Response Splitting.
Reported By
This vulnerability was reported by @JLLeitschuh (Twitter)
For more information
If you have any questions or comments about this advisory: * Open an issue in jooby-project/jooby
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "io.jooby:jooby-netty"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.2.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2020-7622"
],
"database_specific": {
"cwe_ids": [
"CWE-444"
],
"github_reviewed": true,
"github_reviewed_at": "2020-04-02T23:59:56Z",
"nvd_published_at": "2020-04-06T15:15:00Z",
"severity": "CRITICAL"
},
"details": "### Impact\n\n - Cross Site Scripting\n - Cache Poisoning\n - Page Hijacking\n\n### Patches\n\nThis was fixed in version `2.2.1`.\n\n### Workarounds\n\nIf you are unable to update, ensure that user supplied data isn\u0027t able to flow to HTTP headers. If it does, pre-sanitize for CRLF characters.\n\n### References\n\n##### [CWE-113: Improper Neutralization of CRLF Sequences in HTTP Headers (\u0027HTTP Response Splitting\u0027)](https://cwe.mitre.org/data/definitions/113.html)\n\nI\u0027ve been poking at libraries to see if they are vulnerable to HTTP Response Splitting and Jooby is my third case of finding this vulnerability.\n\n### Root Cause\n\nThis roots cause back to this line in the Jooby codebase:\n\nhttps://github.com/jooby-project/jooby/blob/93cfc80aa20c188f71a442ea7a1827da380e1c27/modules/jooby-netty/src/main/java/io/jooby/internal/netty/NettyContext.java#L102\n\nThe `DefaultHttpHeaders` takes a parameter `validate` which, when `true` (as it is for the no-arg constructor) validates that the header isn\u0027t being abused to do HTTP Response Splitting.\n\n### Reported By\n\nThis vulnerability was reported by @JLLeitschuh ([Twitter](https://twitter.com/JLLeitschuh))\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Open an issue in [jooby-project/jooby](https://github.com/jooby-project/jooby/issues)",
"id": "GHSA-gv3v-92v6-m48j",
"modified": "2021-07-29T15:47:43Z",
"published": "2020-04-03T15:23:30Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/jooby-project/jooby/security/advisories/GHSA-gv3v-92v6-m48j"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-7622"
},
{
"type": "WEB",
"url": "https://github.com/jooby-project/jooby/commit/b66e3342cf95205324023cfdf2cb5811e8a6dcf4"
},
{
"type": "WEB",
"url": "https://snyk.io/vuln/SNYK-JAVA-IOJOOBY-564249"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "Improper Neutralization of CRLF Sequences in HTTP Headers in Jooby (\u0027HTTP Response Splitting)"
}
GHSA-GWFG-CQMG-CF8F
Vulnerability from github – Published: 2022-05-24 17:30 – Updated: 2025-05-29 23:03An issue was discovered in Ruby through 2.5.8, 2.6.x through 2.6.6, and 2.7.x through 2.7.1. WEBrick, a simple HTTP server bundled with Ruby, had not checked the transfer-encoding header value rigorously. An attacker may potentially exploit this issue to bypass a reverse proxy (which also has a poor header check), which may lead to an HTTP Request Smuggling attack.
{
"affected": [
{
"package": {
"ecosystem": "RubyGems",
"name": "webrick"
},
"ranges": [
{
"events": [
{
"introduced": "1.6.0"
},
{
"fixed": "1.6.1"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"1.6.0"
]
},
{
"package": {
"ecosystem": "RubyGems",
"name": "webrick"
},
"ranges": [
{
"events": [
{
"introduced": "1.5.0"
},
{
"fixed": "1.5.1"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"1.5.0"
]
},
{
"package": {
"ecosystem": "RubyGems",
"name": "webrick"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.4.4"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2020-25613"
],
"database_specific": {
"cwe_ids": [
"CWE-444"
],
"github_reviewed": true,
"github_reviewed_at": "2023-03-08T19:59:16Z",
"nvd_published_at": "2020-10-06T13:15:00Z",
"severity": "HIGH"
},
"details": "An issue was discovered in Ruby through 2.5.8, 2.6.x through 2.6.6, and 2.7.x through 2.7.1. WEBrick, a simple HTTP server bundled with Ruby, had not checked the transfer-encoding header value rigorously. An attacker may potentially exploit this issue to bypass a reverse proxy (which also has a poor header check), which may lead to an HTTP Request Smuggling attack.",
"id": "GHSA-gwfg-cqmg-cf8f",
"modified": "2025-05-29T23:03:56Z",
"published": "2022-05-24T17:30:10Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-25613"
},
{
"type": "WEB",
"url": "https://github.com/ruby/webrick/commit/076ac636bf48b7a492887ce4de7041de23e6c00d"
},
{
"type": "WEB",
"url": "https://github.com/ruby/webrick/commit/7618049fa57ddad2efff2a7bc7dad7d2d8a311b1"
},
{
"type": "WEB",
"url": "https://github.com/ruby/webrick/commit/8946bb38b4d87549f0d99ed73c62c41933f97cc7"
},
{
"type": "WEB",
"url": "https://github.com/ruby/webrick/commit/af2efdcdf826f25592202d187c53963e7932e4b9"
},
{
"type": "WEB",
"url": "https://hackerone.com/reports/965267"
},
{
"type": "PACKAGE",
"url": "https://github.com/ruby/webrick"
},
{
"type": "WEB",
"url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/webrick/CVE-2020-25613.yml"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2023/04/msg00033.html"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PFP3E7KXXT3H3KA6CBZPUOGA5VPFARRJ"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YTZURYROG3FFED3TYCQOBV66BS4K6WOV"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PFP3E7KXXT3H3KA6CBZPUOGA5VPFARRJ"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YTZURYROG3FFED3TYCQOBV66BS4K6WOV"
},
{
"type": "WEB",
"url": "https://security.gentoo.org/glsa/202401-27"
},
{
"type": "WEB",
"url": "https://security.netapp.com/advisory/ntap-20210115-0008"
},
{
"type": "WEB",
"url": "https://www.ruby-lang.org/en/news/2020/09/29/http-request-smuggling-cve-2020-25613"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
],
"summary": "WEBRick vulnerable to HTTP Request/Response Smuggling"
}
GHSA-GWJF-HG8J-JWVR
Vulnerability from github – Published: 2026-04-29 00:30 – Updated: 2026-04-29 15:30Starman versions before 0.4018 for Perl allows HTTP Request Smuggling via Improper Header Precedence.
Starman incorrectly prioritizes "Content-Length" over "Transfer-Encoding: chunked" when both headers are present in an HTTP request. Per RFC 7230 3.3.3, Transfer-Encoding must take precedence.
An attacker could exploit this to smuggle malicious HTTP requests via a front-end reverse proxy.
{
"affected": [],
"aliases": [
"CVE-2026-40560"
],
"database_specific": {
"cwe_ids": [
"CWE-444"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-04-29T00:16:03Z",
"severity": "HIGH"
},
"details": "Starman versions before 0.4018 for Perl allows HTTP Request Smuggling via Improper Header Precedence.\n\nStarman incorrectly prioritizes \"Content-Length\" over \"Transfer-Encoding: chunked\" when both headers are present in an HTTP request. Per RFC 7230 3.3.3, Transfer-Encoding must take precedence.\n\nAn attacker could exploit this to smuggle malicious HTTP requests via a front-end reverse proxy.",
"id": "GHSA-gwjf-hg8j-jwvr",
"modified": "2026-04-29T15:30:38Z",
"published": "2026-04-29T00:30:24Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-40560"
},
{
"type": "WEB",
"url": "https://github.com/miyagawa/Starman/commit/ced205f0805027e9d9c0731f8c40b104220604ed.patch"
},
{
"type": "WEB",
"url": "https://datatracker.ietf.org/doc/html/rfc7230#section-3.3.3"
},
{
"type": "WEB",
"url": "https://metacpan.org/release/MIYAGAWA/Starman-0.4018/changes"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2026/04/29/1"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-GX8R-XCQR-77HJ
Vulnerability from github – Published: 2022-05-17 02:35 – Updated: 2022-05-17 02:35AeroAdmin 4.1 uses an insecure protocol (HTTP) to perform software updates. An attacker can hijack an update via man-in-the-middle in order to execute code in the machine.
{
"affected": [],
"aliases": [
"CVE-2017-8894"
],
"database_specific": {
"cwe_ids": [
"CWE-444"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-07-02T17:29:00Z",
"severity": "HIGH"
},
"details": "AeroAdmin 4.1 uses an insecure protocol (HTTP) to perform software updates. An attacker can hijack an update via man-in-the-middle in order to execute code in the machine.",
"id": "GHSA-gx8r-xcqr-77hj",
"modified": "2022-05-17T02:35:49Z",
"published": "2022-05-17T02:35:49Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-8894"
},
{
"type": "WEB",
"url": "https://www.tarlogic.com/advisories/Tarlogic-2017-001.txt"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-GX9Q-F765-XRGG
Vulnerability from github – Published: 2022-06-10 00:00 – Updated: 2025-05-01 18:31Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling') vulnerability in mod_proxy_ajp of Apache HTTP Server allows an attacker to smuggle requests to the AJP server it forwards requests to. This issue affects Apache HTTP Server Apache HTTP Server 2.4 version 2.4.53 and prior versions.
{
"affected": [],
"aliases": [
"CVE-2022-26377"
],
"database_specific": {
"cwe_ids": [
"CWE-444"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-06-09T17:15:00Z",
"severity": "HIGH"
},
"details": "Inconsistent Interpretation of HTTP Requests (\u0027HTTP Request Smuggling\u0027) vulnerability in mod_proxy_ajp of Apache HTTP Server allows an attacker to smuggle requests to the AJP server it forwards requests to. This issue affects Apache HTTP Server Apache HTTP Server 2.4 version 2.4.53 and prior versions.",
"id": "GHSA-gx9q-f765-xrgg",
"modified": "2025-05-01T18:31:41Z",
"published": "2022-06-10T00:00:55Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-26377"
},
{
"type": "WEB",
"url": "https://httpd.apache.org/security/vulnerabilities_24.html"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7QUGG2QZWHTITMABFLVXA4DNYUOTPWYQ"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YPY2BLEVJWFH34AX77ZJPLD2OOBYR6ND"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7QUGG2QZWHTITMABFLVXA4DNYUOTPWYQ"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YPY2BLEVJWFH34AX77ZJPLD2OOBYR6ND"
},
{
"type": "WEB",
"url": "https://security.gentoo.org/glsa/202208-20"
},
{
"type": "WEB",
"url": "https://security.netapp.com/advisory/ntap-20220624-0005"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2022/06/08/2"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-H2P2-W857-329F
Vulnerability from github – Published: 2023-02-14 21:30 – Updated: 2025-03-20 21:31HAProxy before 2.7.3 may allow a bypass of access control because HTTP/1 headers are inadvertently lost in some situations, aka "request smuggling." The HTTP header parsers in HAProxy may accept empty header field names, which could be used to truncate the list of HTTP headers and thus make some headers disappear after being parsed and processed for HTTP/1.0 and HTTP/1.1. For HTTP/2 and HTTP/3, the impact is limited because the headers disappear before being parsed and processed, as if they had not been sent by the client. The fixed versions are 2.7.3, 2.6.9, 2.5.12, 2.4.22, 2.2.29, and 2.0.31.
{
"affected": [],
"aliases": [
"CVE-2023-25725"
],
"database_specific": {
"cwe_ids": [
"CWE-444"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-02-14T19:15:00Z",
"severity": "CRITICAL"
},
"details": "HAProxy before 2.7.3 may allow a bypass of access control because HTTP/1 headers are inadvertently lost in some situations, aka \"request smuggling.\" The HTTP header parsers in HAProxy may accept empty header field names, which could be used to truncate the list of HTTP headers and thus make some headers disappear after being parsed and processed for HTTP/1.0 and HTTP/1.1. For HTTP/2 and HTTP/3, the impact is limited because the headers disappear before being parsed and processed, as if they had not been sent by the client. The fixed versions are 2.7.3, 2.6.9, 2.5.12, 2.4.22, 2.2.29, and 2.0.31.",
"id": "GHSA-h2p2-w857-329f",
"modified": "2025-03-20T21:31:37Z",
"published": "2023-02-14T21:30:28Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-25725"
},
{
"type": "WEB",
"url": "https://git.haproxy.org/?p=haproxy-2.7.git%3Ba=commit%3Bh=a0e561ad7f29ed50c473f5a9da664267b60d1112"
},
{
"type": "WEB",
"url": "https://git.haproxy.org/?p=haproxy-2.7.git;a=commit;h=a0e561ad7f29ed50c473f5a9da664267b60d1112"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2023/02/msg00012.html"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FPTJQHKUEU2PQ7RWFUYAFLAD4STEIKHU"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JM5NCIBTHYDTLPY2UNC4HO2VAHHE6CJG"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FPTJQHKUEU2PQ7RWFUYAFLAD4STEIKHU"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JM5NCIBTHYDTLPY2UNC4HO2VAHHE6CJG"
},
{
"type": "WEB",
"url": "https://www.debian.org/security/2023/dsa-5348"
},
{
"type": "WEB",
"url": "https://www.haproxy.org"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-H385-52J6-9984
Vulnerability from github – Published: 2020-10-20 19:15 – Updated: 2021-01-13 19:25Withdrawn reason
Withdrawn on 1/13/2021 due to this comment from the maintainer. This is no longer considered a vulnerability.
Original description
agoo through 2.12.3 allows request smuggling attacks where agoo is used as a backend and a frontend proxy also being vulnerable. It is possible to conduct HTTP request smuggling attacks by sending the Content-Length header twice. Furthermore, invalid Transfer Encoding headers were found to be parsed as valid which could be leveraged for TE:CL smuggling attacks.
{
"affected": [
{
"package": {
"ecosystem": "RubyGems",
"name": "agoo"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "2.13.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2020-7670"
],
"database_specific": {
"cwe_ids": [
"CWE-444"
],
"github_reviewed": true,
"github_reviewed_at": "2020-10-20T19:04:34Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"details": "# Withdrawn reason\nWithdrawn on 1/13/2021 due to [this comment from the maintainer](https://github.com/ohler55/agoo/issues/88#issuecomment-723580783). This is no longer considered a vulnerability.\n\n# Original description\nagoo through 2.12.3 allows request smuggling attacks where agoo is used as a backend and a frontend proxy also being vulnerable. It is possible to conduct HTTP request smuggling attacks by sending the Content-Length header twice. Furthermore, invalid Transfer Encoding headers were found to be parsed as valid which could be leveraged for TE:CL smuggling attacks.",
"id": "GHSA-h385-52j6-9984",
"modified": "2021-01-13T19:25:43Z",
"published": "2020-10-20T19:15:38Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-7670"
},
{
"type": "WEB",
"url": "https://github.com/ohler55/agoo/issues/88"
},
{
"type": "WEB",
"url": "https://github.com/ohler55/agoo/commit/23d03535cf7b50d679a60a953a0cae9519a4a130"
},
{
"type": "WEB",
"url": "https://snyk.io/vuln/SNYK-RUBY-AGOO-569137"
}
],
"schema_version": "1.4.0",
"severity": [],
"summary": "Withdrawn: HTTP Request Smuggling in Agoo",
"withdrawn": "2021-01-13T19:25:43Z"
}
GHSA-H395-QCRW-5VMQ
Vulnerability from github – Published: 2021-06-23 17:53 – Updated: 2024-05-20 19:29When gin is exposed directly to the internet, a client's IP can be spoofed by setting the X-Forwarded-For header. This affects all versions of package github.com/gin-gonic/gin under 1.7.7.
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/gin-gonic/gin"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.7.7"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2020-28483"
],
"database_specific": {
"cwe_ids": [
"CWE-113",
"CWE-444"
],
"github_reviewed": true,
"github_reviewed_at": "2021-05-12T21:46:50Z",
"nvd_published_at": "2021-01-20T18:15:00Z",
"severity": "HIGH"
},
"details": "When gin is exposed directly to the internet, a client\u0027s IP can be spoofed by setting the X-Forwarded-For header. This affects all versions of package github.com/gin-gonic/gin under 1.7.7. ",
"id": "GHSA-h395-qcrw-5vmq",
"modified": "2024-05-20T19:29:07Z",
"published": "2021-06-23T17:53:21Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-28483"
},
{
"type": "WEB",
"url": "https://github.com/gin-gonic/gin/issues/2232"
},
{
"type": "WEB",
"url": "https://github.com/gin-gonic/gin/issues/2473"
},
{
"type": "WEB",
"url": "https://github.com/gin-gonic/gin/issues/2862"
},
{
"type": "WEB",
"url": "https://github.com/gin-gonic/gin/pull/2474"
},
{
"type": "WEB",
"url": "https://github.com/gin-gonic/gin/pull/2474#23issuecomment-729696437"
},
{
"type": "WEB",
"url": "https://github.com/gin-gonic/gin/pull/2632"
},
{
"type": "WEB",
"url": "https://github.com/gin-gonic/gin/pull/2675"
},
{
"type": "WEB",
"url": "https://github.com/gin-gonic/gin/pull/2844"
},
{
"type": "WEB",
"url": "https://github.com/gin-gonic/gin/pull/2844/files#diff-e6ce689a25eaef174c2dd51fe869fabbe04a6c6afbd416b23eda138c82e761baR1432"
},
{
"type": "WEB",
"url": "https://github.com/gin-gonic/gin/commit/03e5e05ae089bc989f1ca41841f05504d29e3fd9"
},
{
"type": "WEB",
"url": "https://github.com/gin-gonic/gin/commit/5929d521715610c9dd14898ebbe1d188d5de8937"
},
{
"type": "WEB",
"url": "https://github.com/gin-gonic/gin/commit/bfc8ca285eb46dad60e037d57c545cd260636711"
},
{
"type": "WEB",
"url": "https://snyk.io/vuln/SNYK-GOLANG-GITHUBCOMGINGONICGIN-1041736"
},
{
"type": "WEB",
"url": "https://pkg.go.dev/vuln/GO-2021-0052"
},
{
"type": "WEB",
"url": "https://github.com/gin-gonic/gin/releases/tag/v1.7.7"
},
{
"type": "WEB",
"url": "https://github.com/gin-gonic/gin/releases/tag/v1.7.0"
},
{
"type": "PACKAGE",
"url": "https://github.com/gin-gonic/gin"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N",
"type": "CVSS_V3"
}
],
"summary": "Inconsistent Interpretation of HTTP Requests in github.com/gin-gonic/gin"
}
GHSA-H3QR-RQ2J-74W4
Vulnerability from github – Published: 2021-08-25 20:46 – Updated: 2023-06-13 17:40Vulnerable versions of hyper allow GET requests to have bodies, even if there is no Transfer-Encoding or Content-Length header. As per the HTTP 1.1 specification, such requests do not have bodies, so the body will be interpreted as a separate HTTP request.
This allows an attacker who can control the body and method of an HTTP request made by hyper to inject a request with headers that would not otherwise be allowed, as demonstrated by sending a malformed HTTP request from a Substrate runtime. This allows bypassing CORS restrictions. In combination with other vulnerabilities, such as an exploitable web server listening on loopback, it may allow remote code execution.
The flaw was corrected in hyper version 0.12.34.
{
"affected": [
{
"package": {
"ecosystem": "crates.io",
"name": "hyper"
},
"ranges": [
{
"events": [
{
"introduced": "0.11.0"
},
{
"fixed": "0.12.34"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2020-35863"
],
"database_specific": {
"cwe_ids": [
"CWE-444"
],
"github_reviewed": true,
"github_reviewed_at": "2021-08-19T21:20:11Z",
"nvd_published_at": null,
"severity": "CRITICAL"
},
"details": "Vulnerable versions of hyper allow GET requests to have bodies, even if there is no Transfer-Encoding or Content-Length header. As per the HTTP 1.1 specification, such requests do not have bodies, so the body will be interpreted as a separate HTTP request.\n\nThis allows an attacker who can control the body and method of an HTTP request made by hyper to inject a request with headers that would not otherwise be allowed, as demonstrated by sending a malformed HTTP request from a Substrate runtime. This allows bypassing CORS restrictions. In combination with other vulnerabilities, such as an exploitable web server listening on loopback, it may allow remote code execution.\n\nThe flaw was corrected in hyper version 0.12.34.",
"id": "GHSA-h3qr-rq2j-74w4",
"modified": "2023-06-13T17:40:10Z",
"published": "2021-08-25T20:46:08Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-35863"
},
{
"type": "WEB",
"url": "https://github.com/hyperium/hyper/issues/1925"
},
{
"type": "PACKAGE",
"url": "https://github.com/hyperium/hyper"
},
{
"type": "WEB",
"url": "https://rustsec.org/advisories/RUSTSEC-2020-0008.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "HTTP Request Smuggling in hyper"
}
Mitigation
Use a web server that employs a strict HTTP parsing procedure, such as Apache [REF-433].
Mitigation
Use only SSL communication.
Mitigation
Terminate the client session after each request.
Mitigation
Turn all pages to non-cacheable.
CAPEC-273: HTTP Response Smuggling
An adversary manipulates and injects malicious content in the form of secret unauthorized HTTP responses, into a single HTTP response from a vulnerable or compromised back-end HTTP agent (e.g., server).
See CanPrecede relationships for possible consequences.
CAPEC-33: HTTP Request Smuggling
An adversary abuses the flexibility and discrepancies in the parsing and interpretation of HTTP Request messages using various HTTP headers, request-line and body parameters as well as message sizes (denoted by the end of message signaled by a given HTTP header) by different intermediary HTTP agents (e.g., load balancer, reverse proxy, web caching proxies, application firewalls, etc.) to secretly send unauthorized and malicious HTTP requests to a back-end HTTP agent (e.g., web server).
See CanPrecede relationships for possible consequences.