Common Weakness Enumeration

CWE-444

Allowed

Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')

Abstraction: Base · Status: Incomplete

The product acts as an intermediary HTTP agent (such as a proxy or firewall) in the data flow between two entities such as a client and server, but it does not interpret malformed HTTP requests or responses in ways that are consistent with how the messages will be processed by those entities that are at the ultimate destination.

550 vulnerabilities reference this CWE, most recent first.

GHSA-M5FF-3WJ3-8PH4

Vulnerability from github – Published: 2019-12-26 16:34 – Updated: 2019-12-26 16:34
VLAI
Summary
HTTP Request Smuggling: Invalid whitespace characters in headers in Waitress
Details

Impact

If a proxy server is used in front of waitress, an invalid request may be sent by an attacker that bypasses the front-end and is parsed differently by waitress leading to a potential for HTTP request smuggling.

Content-Length: 10
Transfer-Encoding: [\x0b]chunked

For clarity:

0x0b == vertical tab

Would get parsed by Waitress as being a chunked request, but a front-end server would use the Content-Length instead as the Transfer-Encoding header is considered invalid due to containing invalid characters.

If a front-end server does HTTP pipelining to a backend Waitress server this could lead to HTTP request splitting which may lead to potential cache poisoning or unexpected information disclosure.

Patches

Please upgrade to Waitress 1.4.1 which fixes this issue with stricter HTTP field validation.

Waitress 1.4.1 due to this change has become much more strict in what is allowed in header values, while the maintainers don't believe that these changes will cause any issues, it may cause failures with non-conformist reverse proxies or clients, and it is highly recommend that users validate the changes in their environment and make sure it won't cause any unacceptable failures.

Workarounds

You may enable additional protections on front-end servers, those that follow RFC7230 correctly would drop the request with a 400 Bad Request.

Waitress will now correctly responds to the request with a 400 Bad Request, and will drop the connection to avoid any potential HTTP pipelining issues.

References

This was mentioned in https://portswigger.net/research/http-desync-attacks-what-happened-next and was specifically mentioned as being an issue in HAProxy which did not properly filter it in this article: https://nathandavison.com/blog/haproxy-http-request-smuggling

Thanks

The Pylons Project would like to thank ZeddYu Lu for doing extended testing against Waitress 1.4.0 and bringing this to our attention!

For more information

If you have any questions or comments about this advisory:

  • open an issue at https://github.com/Pylons/waitress/issues (if not sensitive or security related)
  • email the Pylons Security mailing list: pylons-project-security@googlegroups.com (if security related)
Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "waitress"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.4.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-444"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2019-12-26T16:34:06Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "### Impact\n\nIf a proxy server is used in front of waitress, an invalid request may be sent by an attacker that bypasses the front-end and is parsed differently by waitress leading to a potential for HTTP request smuggling.\n\n```\nContent-Length: 10\nTransfer-Encoding: [\\x0b]chunked\n```\n\nFor clarity:\n\n```\n0x0b == vertical tab\n```\n\nWould get parsed by Waitress as being a `chunked` request, but a front-end server would use the `Content-Length` instead as the `Transfer-Encoding` header is considered invalid due to containing invalid characters.\n\nIf a front-end server does HTTP pipelining to a backend Waitress server this could lead to HTTP request splitting which may lead to potential cache poisoning or unexpected information disclosure.\n\n### Patches\n\nPlease upgrade to Waitress 1.4.1 which fixes this issue with stricter HTTP field validation.\n\nWaitress 1.4.1 due to this change has become much more strict in what is allowed in header values, while the maintainers don\u0027t believe that these changes will cause any issues, it may cause failures with non-conformist reverse proxies or clients, and it is highly recommend that users validate the changes in their environment and make sure it won\u0027t cause any unacceptable failures.\n\n### Workarounds\n\nYou may enable additional protections on front-end servers, those that follow RFC7230 correctly would drop the request with a 400 Bad Request.\n\nWaitress will now correctly responds to the request with a 400 Bad Request, and will drop the connection to avoid any potential HTTP pipelining issues.\n\n### References\n\nThis was mentioned in https://portswigger.net/research/http-desync-attacks-what-happened-next and was specifically mentioned as being an issue in HAProxy which did not properly filter it in this article: https://nathandavison.com/blog/haproxy-http-request-smuggling\n\n### Thanks\n\nThe Pylons Project would like to thank ZeddYu Lu for doing extended testing against Waitress 1.4.0 and bringing this to our attention!\n\n### For more information\n\nIf you have any questions or comments about this advisory:\n\n* open an issue at https://github.com/Pylons/waitress/issues (if not sensitive or security related)\n* email the Pylons Security mailing list: pylons-project-security@googlegroups.com (if security related)",
  "id": "GHSA-m5ff-3wj3-8ph4",
  "modified": "2019-12-26T16:34:06Z",
  "published": "2019-12-26T16:34:38Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/Pylons/waitress/security/advisories/GHSA-m5ff-3wj3-8ph4"
    },
    {
      "type": "WEB",
      "url": "https://github.com/Pylons/waitress/commit/11d9e138125ad46e951027184b13242a3c1de017"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [],
  "summary": "HTTP Request Smuggling: Invalid whitespace characters in headers in Waitress"
}

GHSA-M6M2-J477-JFG8

Vulnerability from github – Published: 2022-05-24 19:06 – Updated: 2022-05-24 19:06
VLAI
Details

Incorrect handling of url fragment vulnerability of Apache Traffic Server allows an attacker to poison the cache. This issue affects Apache Traffic Server 7.0.0 to 7.1.12, 8.0.0 to 8.1.1, 9.0.0 to 9.0.1.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-27577"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-444"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-06-29T12:15:00Z",
    "severity": "HIGH"
  },
  "details": "Incorrect handling of url fragment vulnerability of Apache Traffic Server allows an attacker to poison the cache. This issue affects Apache Traffic Server 7.0.0 to 7.1.12, 8.0.0 to 8.1.1, 9.0.0 to 9.0.1.",
  "id": "GHSA-m6m2-j477-jfg8",
  "modified": "2022-05-24T19:06:34Z",
  "published": "2022-05-24T19:06:34Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-27577"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/ra1a41ff92a70d25bf576d7da2590575e8ff430393a3f4a0c34de4277%40%3Cusers.trafficserver.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://www.debian.org/security/2021/dsa-4957"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-M9F2-W9FV-J46G

Vulnerability from github – Published: 2024-07-15 15:31 – Updated: 2024-07-15 15:31
VLAI
Details

This vulnerability allows a high-privileged authenticated PAM user to achieve remote command execution on the affected PAM system by sending a specially crafted HTTP request.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-38494"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-444"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-07-15T14:15:03Z",
    "severity": "HIGH"
  },
  "details": "This vulnerability allows a high-privileged authenticated PAM user to achieve remote command execution on the affected PAM system by sending a specially crafted HTTP request.",
  "id": "GHSA-m9f2-w9fv-j46g",
  "modified": "2024-07-15T15:31:00Z",
  "published": "2024-07-15T15:31:00Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-38494"
    },
    {
      "type": "WEB",
      "url": "https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/24678"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:A/AC:L/AT:N/PR:H/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-MCFM-H73V-635M

Vulnerability from github – Published: 2018-10-19 16:55 – Updated: 2022-09-14 19:18
VLAI
Summary
Undertow-core vulnerable to HTTP Request Smuggling
Details

It was discovered in Undertow that the code that parsed the HTTP request line permitted invalid characters. This could be exploited, in conjunction with a proxy that also permitted the invalid characters but with a different interpretation, to inject data into the HTTP response. By manipulating the HTTP response the attacker could poison a web-cache, perform an XSS attack, or obtain sensitive information from requests other than their own.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "io.undertow:undertow-core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.3.31"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "io.undertow:undertow-core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.4.0"
            },
            {
              "fixed": "1.4.17"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2017-2666"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-444"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2020-06-16T21:45:55Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "It was discovered in Undertow that the code that parsed the HTTP request line permitted invalid characters. This could be exploited, in conjunction with a proxy that also permitted the invalid characters but with a different interpretation, to inject data into the HTTP response. By manipulating the HTTP response the attacker could poison a web-cache, perform an XSS attack, or obtain sensitive information from requests other than their own.",
  "id": "GHSA-mcfm-h73v-635m",
  "modified": "2022-09-14T19:18:03Z",
  "published": "2018-10-19T16:55:14Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-2666"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/advisories/GHSA-mcfm-h73v-635m"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Undertow-core vulnerable to HTTP Request Smuggling"
}

GHSA-MFJX-W835-F3W2

Vulnerability from github – Published: 2022-05-13 01:27 – Updated: 2022-05-13 01:27
VLAI
Details

Node.js: All versions prior to Node.js 6.15.0 and 8.14.0: HTTP request splitting: If Node.js can be convinced to use unsanitized user-provided Unicode data for the path option of an HTTP request, then data can be provided which will trigger a second, unexpected, and user-defined HTTP request to made to the same server.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2018-12116"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-444"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2018-11-28T17:29:00Z",
    "severity": "HIGH"
  },
  "details": "Node.js: All versions prior to Node.js 6.15.0 and 8.14.0: HTTP request splitting: If Node.js can be convinced to use unsanitized user-provided Unicode data for the `path` option of an HTTP request, then data can be provided which will trigger a second, unexpected, and user-defined HTTP request to made to the same server.",
  "id": "GHSA-mfjx-w835-f3w2",
  "modified": "2022-05-13T01:27:48Z",
  "published": "2022-05-13T01:27:48Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-12116"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2019:1821"
    },
    {
      "type": "WEB",
      "url": "https://nodejs.org/en/blog/vulnerability/november-2018-security-releases"
    },
    {
      "type": "WEB",
      "url": "https://security.gentoo.org/glsa/202003-48"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-MGC4-WQV7-4PXM

Vulnerability from github – Published: 2023-05-18 17:29 – Updated: 2023-05-18 17:29
VLAI
Summary
SwiftNIO vulnerable to HTTP request smuggling using malformed Transfer-Encoding header
Details

Impact

Affected SwiftNIO systems are vulnerable to request smuggling attacks, in which they parse a given HTTP message differently from other network parties, potentially seeing a different number of requests than other servers. This can lead to failures of authentication, routing, and other issues.

This vulnerability can be found in the bundled copy of the Node.JS HTTP parser used in the NIOHTTP1 module.

Workarounds

No workaround is available, users must upgrade.

References

https://nodejs.org/en/blog/vulnerability/february-2020-security-releases/#http-request-smuggling-using-malformed-transfer-encoding-header-critical-cve-2019-15605

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "SwiftURL",
        "name": "github.com/apple/swift-nio"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.0.0"
            },
            {
              "fixed": "1.14.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "SwiftURL",
        "name": "github.com/apple/swift-nio"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.0.0"
            },
            {
              "fixed": "2.13.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-444"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-05-18T17:29:43Z",
    "nvd_published_at": null,
    "severity": "CRITICAL"
  },
  "details": "### Impact\n\nAffected SwiftNIO systems are vulnerable to request smuggling attacks, in which they parse a given HTTP message differently from other network parties, potentially seeing a different number of requests than other servers. This can lead to failures of authentication, routing, and other issues.\n\nThis vulnerability can be found in the bundled copy of the Node.JS HTTP parser used in the `NIOHTTP1` module.\n\n### Workarounds\n\nNo workaround is available, users must upgrade.\n\n### References\n\nhttps://nodejs.org/en/blog/vulnerability/february-2020-security-releases/#http-request-smuggling-using-malformed-transfer-encoding-header-critical-cve-2019-15605",
  "id": "GHSA-mgc4-wqv7-4pxm",
  "modified": "2023-05-18T17:29:43Z",
  "published": "2023-05-18T17:29:43Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/apple/swift-nio/security/advisories/GHSA-mgc4-wqv7-4pxm"
    },
    {
      "type": "WEB",
      "url": "https://github.com/apple/swift-nio/pull/1387"
    },
    {
      "type": "WEB",
      "url": "https://github.com/apple/swift-nio/pull/1388"
    },
    {
      "type": "WEB",
      "url": "https://github.com/apple/swift-nio/commit/8da5c5a4e6c5084c296b9f39dc54f00be146e0fa"
    },
    {
      "type": "WEB",
      "url": "https://github.com/apple/swift-nio/commit/bfde40cac8eca25ce021552513b20ee23fc6e306"
    },
    {
      "type": "WEB",
      "url": "https://github.com/apple/swift-nio/commit/df9390006bce7da1b6273f804d3acbbfdfcc6154"
    },
    {
      "type": "WEB",
      "url": "https://github.com/apple/swift-nio/commit/f94b22b506e3557cb1b325534fa9bbcd39c90246"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/apple/swift-nio"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "SwiftNIO vulnerable to HTTP request smuggling using malformed Transfer-Encoding header"
}

GHSA-MH87-C4C3-CGWF

Vulnerability from github – Published: 2026-04-07 12:31 – Updated: 2026-04-07 12:31
VLAI
Details

Tinyproxy through 1.11.3 is vulnerable to HTTP request parsing desynchronization due to a case-sensitive comparison of the Transfer-Encoding header in src/reqs.c. The is_chunked_transfer() function uses strcmp() to compare the header value against "chunked", even though RFC 7230 specifies that transfer-coding names are case-insensitive. By sending a request with Transfer-Encoding: Chunked, an unauthenticated remote attacker can cause Tinyproxy to misinterpret the request as having no body. In this state, Tinyproxy sets content_length.client to -1, skips pull_client_data_chunked(), forwards request headers upstream, and transitions into relay_connection() raw TCP forwarding while unread body data remains buffered. This leads to inconsistent request state between Tinyproxy and backend servers. RFC-compliant backends (e.g., Node.js, Nginx) will continue waiting for chunked body data, causing connections to hang indefinitely. This behavior enables application-level denial of service through backend worker exhaustion. Additionally, in deployments where Tinyproxy is used for request-body inspection, filtering, or security enforcement, the unread body may be forwarded without proper inspection, resulting in potential security control bypass.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-31842"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-444"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-04-07T12:16:21Z",
    "severity": "HIGH"
  },
  "details": "Tinyproxy through 1.11.3 is vulnerable to HTTP request parsing desynchronization due to a case-sensitive comparison of the Transfer-Encoding header in src/reqs.c. The is_chunked_transfer() function uses strcmp() to compare the header value against \"chunked\", even though RFC 7230 specifies that transfer-coding names are case-insensitive. By sending a request with Transfer-Encoding: Chunked, an unauthenticated remote attacker can cause Tinyproxy to misinterpret the request as having no body. In this state, Tinyproxy sets content_length.client to -1, skips pull_client_data_chunked(), forwards request headers upstream, and transitions into relay_connection() raw TCP forwarding while unread body data remains buffered. This leads to inconsistent request state between Tinyproxy and backend servers. RFC-compliant backends (e.g., Node.js, Nginx) will continue waiting for chunked body data, causing connections to hang indefinitely. This behavior enables application-level denial of service through backend worker exhaustion. Additionally, in deployments where Tinyproxy is used for request-body inspection, filtering, or security enforcement, the unread body may be forwarded without proper inspection, resulting in potential security control bypass.",
  "id": "GHSA-mh87-c4c3-cgwf",
  "modified": "2026-04-07T12:31:15Z",
  "published": "2026-04-07T12:31:15Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-31842"
    },
    {
      "type": "WEB",
      "url": "https://github.com/tinyproxy/tinyproxy/issues/604"
    },
    {
      "type": "WEB",
      "url": "https://datatracker.ietf.org/doc/html/rfc7230"
    },
    {
      "type": "WEB",
      "url": "https://github.com/tinyproxy/tinyproxy"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-MHW9-V228-5C8F

Vulnerability from github – Published: 2025-08-07 06:30 – Updated: 2025-08-07 06:30
VLAI
Details

An issue was discovered in Akamai Ghost, as used for the Akamai CDN platform before 2025-03-26. Under certain circumstances, a client making an HTTP/1.x OPTIONS request with an "Expect: 100-continue" header, and using obsolete line folding, can lead to a discrepancy in how two in-path Akamai servers interpret the request, allowing an attacker to smuggle a second request in the original request body.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-32094"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-444"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-08-07T05:15:45Z",
    "severity": "MODERATE"
  },
  "details": "An issue was discovered in Akamai Ghost, as used for the Akamai CDN platform before 2025-03-26. Under certain circumstances, a client making an HTTP/1.x OPTIONS request with an \"Expect: 100-continue\" header, and using obsolete line folding, can lead to a discrepancy in how two in-path Akamai servers interpret the request, allowing an attacker to smuggle a second request in the original request body.",
  "id": "GHSA-mhw9-v228-5c8f",
  "modified": "2025-08-07T06:30:30Z",
  "published": "2025-08-07T06:30:30Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-32094"
    },
    {
      "type": "WEB",
      "url": "https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Status/100"
    },
    {
      "type": "WEB",
      "url": "https://www.akamai.com/blog/security/cve-2025-32094-http-request-smuggling"
    },
    {
      "type": "WEB",
      "url": "https://www.blackhat.com/us-25/briefings/schedule/#http1-must-die-the-desync-endgame-45103"
    },
    {
      "type": "WEB",
      "url": "https://www.rfc-editor.org/rfc/rfc9112.html#name-obsolete-line-folding"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-MHXQ-VJJQ-PCVF

Vulnerability from github – Published: 2022-05-24 19:20 – Updated: 2022-05-24 19:20
VLAI
Details

The parser in accepts requests with a space (SP) right after the header name before the colon. This can lead to HTTP Request Smuggling (HRS) in llhttp < v2.1.4 and < v6.0.6.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-22959"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-444"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-11-15T15:15:00Z",
    "severity": "MODERATE"
  },
  "details": "The parser in accepts requests with a space (SP) right after the header name before the colon. This can lead to HTTP Request Smuggling (HRS) in llhttp \u003c v2.1.4 and \u003c v6.0.6.",
  "id": "GHSA-mhxq-vjjq-pcvf",
  "modified": "2022-05-24T19:20:57Z",
  "published": "2022-05-24T19:20:57Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-22959"
    },
    {
      "type": "WEB",
      "url": "https://hackerone.com/reports/1238709"
    },
    {
      "type": "WEB",
      "url": "https://www.debian.org/security/2022/dsa-5170"
    },
    {
      "type": "WEB",
      "url": "https://www.oracle.com/security-alerts/cpujan2022.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-MJ44-8QQ5-6386

Vulnerability from github – Published: 2026-06-11 15:31 – Updated: 2026-06-11 15:31
VLAI
Details

A HTTP request smuggling and desynchronization vulnerability affects Kong Gateway Enterprise 3.4, 3.10, 3.11, 3.12, 3.13, and 3.14 series. The vulnerability is caused by a parsing flaw in Kong’s HTTP request processing pipeline when handling untrusted HTTP/1.1 traffic.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-6338"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-444"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-06-11T14:16:32Z",
    "severity": "MODERATE"
  },
  "details": "A HTTP request smuggling and desynchronization vulnerability affects Kong Gateway Enterprise 3.4, 3.10, 3.11, 3.12, 3.13, and 3.14 series. The vulnerability is caused by a parsing flaw in Kong\u2019s HTTP request processing pipeline when handling untrusted HTTP/1.1 traffic.",
  "id": "GHSA-mj44-8qq5-6386",
  "modified": "2026-06-11T15:31:34Z",
  "published": "2026-06-11T15:31:34Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-6338"
    },
    {
      "type": "WEB",
      "url": "https://support.konghq.com/support/s/article/CVE-2026-6338"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:A/V:X/RE:M/U:X",
      "type": "CVSS_V4"
    }
  ]
}

Mitigation
Implementation

Use a web server that employs a strict HTTP parsing procedure, such as Apache [REF-433].

Mitigation
Implementation

Use only SSL communication.

Mitigation
Implementation

Terminate the client session after each request.

Mitigation
System Configuration

Turn all pages to non-cacheable.

CAPEC-273: HTTP Response Smuggling

An adversary manipulates and injects malicious content in the form of secret unauthorized HTTP responses, into a single HTTP response from a vulnerable or compromised back-end HTTP agent (e.g., server).

See CanPrecede relationships for possible consequences.

CAPEC-33: HTTP Request Smuggling

An adversary abuses the flexibility and discrepancies in the parsing and interpretation of HTTP Request messages using various HTTP headers, request-line and body parameters as well as message sizes (denoted by the end of message signaled by a given HTTP header) by different intermediary HTTP agents (e.g., load balancer, reverse proxy, web caching proxies, application firewalls, etc.) to secretly send unauthorized and malicious HTTP requests to a back-end HTTP agent (e.g., web server).

See CanPrecede relationships for possible consequences.