Common Weakness Enumeration

CWE-444

Allowed

Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')

Abstraction: Base · Status: Incomplete

The product acts as an intermediary HTTP agent (such as a proxy or firewall) in the data flow between two entities such as a client and server, but it does not interpret malformed HTTP requests or responses in ways that are consistent with how the messages will be processed by those entities that are at the ultimate destination.

551 vulnerabilities reference this CWE, most recent first.

GHSA-4F7P-27JC-3C36

Vulnerability from github – Published: 2022-03-18 19:00 – Updated: 2024-11-19 16:04
VLAI
Summary
HTTP Request Smuggling in waitress
Details

Impact

When using Waitress behind a proxy that does not properly validate the incoming HTTP request matches the RFC7230 standard, Waitress and the frontend proxy may disagree on where one request starts and where it ends.

This would allow requests to be smuggled via the front-end proxy to waitress and later behavior.

There are two classes of vulnerability that may lead to request smuggling that are addressed by this advisory:

  • The use of Python's int() to parse strings into integers, leading to +10 to be parsed as 10, or 0x01 to be parsed as 1, where as the standard specifies that the string should contain only digits or hex digits.
  • Waitress does not support chunk extensions, however it was discarding them without validating that they did not contain illegal characters

Patches

This has been fixed in Waitress 2.1.1

Workarounds

When deploying a proxy in front of waitress, turning on any and all functionality to make sure that the request matches the RFC7230 standard. Certain proxy servers may not have this functionality though and users are encouraged to upgrade to the latest version of waitress instead.

References

  • https://portswigger.net/research/http-desync-attacks-request-smuggling-reborn

For more information

If you have any questions or comments about this advisory: * Open an issue in the Github issue tracker (if not security related/sensitive) * Email us at pylons-project-security@googlegroups.com (If security related or sensitive)

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "waitress"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.1.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2022-24761"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-444"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-03-18T19:00:59Z",
    "nvd_published_at": "2022-03-17T13:15:00Z",
    "severity": "HIGH"
  },
  "details": "### Impact\n\nWhen using Waitress behind a proxy that does not properly validate the incoming HTTP request matches the RFC7230 standard, Waitress and the frontend proxy may disagree on where one request starts and where it ends.\n\nThis would allow requests to be smuggled via the front-end proxy to waitress and later behavior.\n\nThere are two classes of vulnerability that may lead to request smuggling that are addressed by this advisory:\n\n- The use of Python\u0027s `int()` to parse strings into integers, leading to `+10` to be parsed as `10`, or `0x01` to be parsed as `1`, where as the standard specifies that the string should contain only digits or hex digits.\n- Waitress does not support chunk extensions, however it was discarding them without validating that they did not contain illegal characters\n\n### Patches\n\nThis has been fixed in Waitress 2.1.1\n\n### Workarounds\n\nWhen deploying a proxy in front of waitress, turning on any and all functionality to make sure that the request matches the RFC7230 standard. Certain proxy servers may not have this functionality though and users are encouraged to upgrade to the latest version of waitress instead.\n\n### References\n\n- https://portswigger.net/research/http-desync-attacks-request-smuggling-reborn\n\n### For more information\n\nIf you have any questions or comments about this advisory:\n* Open an issue in [the Github issue tracker](https://github.com/Pylons/waitress/issues) (if not security related/sensitive)\n* Email us at [pylons-project-security@googlegroups.com](mailto:pylons-project-security@googlegroups.com) (If security related or sensitive)\n",
  "id": "GHSA-4f7p-27jc-3c36",
  "modified": "2024-11-19T16:04:18Z",
  "published": "2022-03-18T19:00:59Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/Pylons/waitress/security/advisories/GHSA-4f7p-27jc-3c36"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-24761"
    },
    {
      "type": "WEB",
      "url": "https://github.com/Pylons/waitress/commit/9e0b8c801e4d505c2ffc91b891af4ba48af715e0"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/Pylons/waitress"
    },
    {
      "type": "WEB",
      "url": "https://github.com/Pylons/waitress/releases/tag/v2.1.1"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pypa/advisory-database/tree/main/vulns/waitress/PYSEC-2022-169.yaml"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2022/05/msg00011.html"
    },
    {
      "type": "WEB",
      "url": "https://www.debian.org/security/2022/dsa-5138"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "HTTP Request Smuggling in waitress"
}

GHSA-4HRQ-XFJW-8G7P

Vulnerability from github – Published: 2022-02-10 00:00 – Updated: 2026-07-05 03:30
VLAI
Details

An HTTP smuggling attack in the web application of D-Link DIR-X1860 before v1.10WWB09_Beta allows a remote unauthenticated attacker to DoS the web application via sending a specific HTTP packet.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-41442"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-444"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-02-09T20:15:00Z",
    "severity": "HIGH"
  },
  "details": "An HTTP smuggling attack in the web application of D-Link DIR-X1860 before v1.10WWB09_Beta allows a remote unauthenticated attacker to DoS the web application via sending a specific HTTP packet.",
  "id": "GHSA-4hrq-xfjw-8g7p",
  "modified": "2026-07-05T03:30:45Z",
  "published": "2022-02-10T00:00:20Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-41442"
    },
    {
      "type": "WEB",
      "url": "https://supportannouncement.us.dlink.com/announcement/publication.aspx?name=SAP10283"
    },
    {
      "type": "WEB",
      "url": "https://www.dlink.com/en/security-bulletin"
    },
    {
      "type": "WEB",
      "url": "http://d-link.com"
    },
    {
      "type": "WEB",
      "url": "http://dir-x1860.com"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-4HV7-632M-J4JC

Vulnerability from github – Published: 2022-05-24 17:34 – Updated: 2022-05-24 17:34
VLAI
Details

In JetBrains Ktor before 1.4.1, HTTP request smuggling was possible.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-26129"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-444"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2020-11-16T16:15:00Z",
    "severity": "MODERATE"
  },
  "details": "In JetBrains Ktor before 1.4.1, HTTP request smuggling was possible.",
  "id": "GHSA-4hv7-632m-j4jc",
  "modified": "2022-05-24T17:34:16Z",
  "published": "2022-05-24T17:34:16Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-26129"
    },
    {
      "type": "WEB",
      "url": "https://blog.jetbrains.com"
    },
    {
      "type": "WEB",
      "url": "https://blog.jetbrains.com/2020/11/16/jetbrains-security-bulletin-q3-2020"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-4PF4-JP4V-4G5C

Vulnerability from github – Published: 2026-03-24 15:30 – Updated: 2026-06-30 03:35
VLAI
Details

Mitigation bypass in the Networking: HTTP component. This vulnerability affects Firefox < 149 and Firefox ESR < 140.9.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-4700"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-288",
      "CWE-444"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-03-24T13:16:06Z",
    "severity": "CRITICAL"
  },
  "details": "Mitigation bypass in the Networking: HTTP component. This vulnerability affects Firefox \u003c 149 and Firefox ESR \u003c 140.9.",
  "id": "GHSA-4pf4-jp4v-4g5c",
  "modified": "2026-06-30T03:35:59Z",
  "published": "2026-03-24T15:30:28Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-4700"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2026:8286"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2026:8287"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2026:8288"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2026:8289"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2026:8290"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2026:8315"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2026:8427"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2026:8850"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/security/cve/CVE-2026-4700"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=2003766"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2450752"
    },
    {
      "type": "WEB",
      "url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-4700.json"
    },
    {
      "type": "WEB",
      "url": "https://www.mozilla.org/security/advisories/mfsa2026-20"
    },
    {
      "type": "WEB",
      "url": "https://www.mozilla.org/security/advisories/mfsa2026-22"
    },
    {
      "type": "WEB",
      "url": "https://www.mozilla.org/security/advisories/mfsa2026-23"
    },
    {
      "type": "WEB",
      "url": "https://www.mozilla.org/security/advisories/mfsa2026-24"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2026:5930"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2026:5931"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2026:5932"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2026:6188"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2026:6342"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2026:6917"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2026:7837"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2026:7838"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2026:7839"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2026:7840"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2026:7841"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2026:7842"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2026:7843"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2026:7845"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2026:7858"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2026:8284"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2026:8285"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-4PPP-GPCR-7QF6

Vulnerability from github – Published: 2019-12-20 23:04 – Updated: 2026-01-22 22:34
VLAI
Summary
HTTP Request Smuggling: Content-Length Sent Twice in Waitress
Details

Impact

Waitress would header fold a double Content-Length header and due to being unable to cast the now comma separated value to an integer would set the Content-Length to 0 internally.

So a request with:

Content-Length: 10
Content-Length: 10

would get transformed to:

Content-Length: 10, 10

Which would Waitress would then internally set to Content-Lenght: 0.

Waitress would then treat the request as having no body, thereby treating the body of the request as a new request in HTTP pipelining.

Patches

This issue is fixed in Waitress 1.4.0. This brings a range of changes to harden Waitress against potential HTTP request confusions, and may change the behaviour of Waitress behind non-conformist proxies.

The Pylons Project recommends upgrading as soon as possible, while validating that the changes in Waitress don't cause any changes in behavior.

Workarounds

Various reverse proxies may have protections against sending potentially bad HTTP requests to the backend, and or hardening against potential issues like this. If the reverse proxy doesn't use HTTP/1.1 for connecting to the backend issues are also somewhat mitigated, as HTTP pipelining does not exist in HTTP/1.0 and Waitress will close the connection after every single request (unless the Keep Alive header is explicitly sent... so this is not a fool proof security method).

Issues/more security issues:

  • open an issue at https://github.com/Pylons/waitress/issues (if not sensitive or security related)
  • email the Pylons Security mailing list: pylons-project-security@googlegroups.com (if security related)
Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "waitress"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.4.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2019-16792"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-444"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2019-12-20T23:02:03Z",
    "nvd_published_at": null,
    "severity": "CRITICAL"
  },
  "details": "### Impact\n\nWaitress would header fold a double `Content-Length` header and due to being unable to cast the now comma separated value to an integer would set the `Content-Length` to 0 internally.\n\nSo a request with:\n\n```\nContent-Length: 10\nContent-Length: 10\n```\n\nwould get transformed to:\n\n```\nContent-Length: 10, 10\n```\n\nWhich would Waitress would then internally set to `Content-Lenght: 0`.\n\nWaitress would then treat the request as having no body, thereby treating the body of the request as a new request in HTTP pipelining.\n\n### Patches\n\nThis issue is fixed in Waitress 1.4.0. This brings a range of changes to harden Waitress against potential HTTP request confusions, and may change the behaviour of Waitress behind non-conformist proxies. \n\nThe Pylons Project recommends upgrading as soon as possible, while validating that the changes in Waitress don\u0027t cause any changes in behavior.\n\n### Workarounds\n\nVarious reverse proxies may have protections against sending potentially bad HTTP requests to the backend, and or hardening against potential issues like this. If the reverse proxy doesn\u0027t use HTTP/1.1 for connecting to the backend issues are also somewhat mitigated, as HTTP pipelining does not exist in HTTP/1.0 and Waitress will close the connection after every single request (unless the Keep Alive header is explicitly sent... so this is not a fool proof security method).\n\n### Issues/more security issues:\n\n* open an issue at https://github.com/Pylons/waitress/issues (if not sensitive or security related)\n* email the Pylons Security mailing list: pylons-project-security@googlegroups.com (if security related)",
  "id": "GHSA-4ppp-gpcr-7qf6",
  "modified": "2026-01-22T22:34:11Z",
  "published": "2019-12-20T23:04:35Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/Pylons/waitress/security/advisories/GHSA-4ppp-gpcr-7qf6"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-16792"
    },
    {
      "type": "WEB",
      "url": "https://github.com/Pylons/waitress/commit/575994cd42e83fd772a5f7ec98b2c56751bd3f65"
    },
    {
      "type": "WEB",
      "url": "https://docs.pylonsproject.org/projects/waitress/en/latest/#security-fixes"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/Pylons/waitress"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pypa/advisory-database/tree/main/vulns/waitress/PYSEC-2020-178.yaml"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2022/05/msg00011.html"
    },
    {
      "type": "WEB",
      "url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [],
  "summary": "HTTP Request Smuggling: Content-Length Sent Twice in Waitress"
}

GHSA-4PX2-PW77-VC85

Vulnerability from github – Published: 2026-06-12 15:08 – Updated: 2026-07-15 21:23
VLAI
Summary
SwiftNIO HTTP/2: HTTP/2-to-HTTP/1 Request Smuggling via unvalidated :path pseudo-header in HTTP2ToHTTP1Codec
Details

swift-nio-http2's HTTP/2-to-HTTP/1.1 codec (HTTP2FramePayloadToHTTP1ServerCodec / HTTP2ToHTTP1ServerCodec) did not validate pseudo-header values for control characters before placing them into the translated HTTP/1.1 message. A remote attacker could send an HTTP/2 request containing CR (\r), LF (\n), or NUL (\0) bytes in pseudo-header values such as :path, and when the server translated this to HTTP/1.1 — for example in a reverse-proxy configuration — the resulting output could contain injected headers or entirely smuggled requests.

This is an HTTP/2-to-HTTP/1.1 request smuggling vulnerability. HTTP/2's binary framing means that CRLF bytes are never parsed as line terminators at the HTTP/2 layer, so they pass through transparently to the HTTP/1.1 output. Any swift-nio-http2 server that translates HTTP/2 requests to HTTP/1.1 and forwards them to a backend is affected. Server-side Swift frameworks such as Vapor that use this codec in a reverse-proxy pattern are directly affected.

This vulnerability is related to https://github.com/advisories/GHSA-7fj7-39wj-c64f in swift-nio, which addressed CRLF injection in HTTP/1.1 header values but did not cover pseudo-header values in the HTTP/2 layer.

This vulnerability is also related to https://github.com/advisories/GHSA-cq87-8r7h-962v in swift-nio, which addressed CRLF injection in HTTP/1.1 version, method and path.

swift-nio-http2 1.44.0 adds validation of all pseudo-header values (:path, :authority, :scheme, :method, and :status) at both the HPACK header validation layer and the HTTP/2-to-HTTP/1.1 translation layer. Requests or responses containing CR, LF, or NUL bytes in any pseudo-header value are now rejected with a connection error.

SwiftNIO recommends all adopters upgrade to 1.44.0 as soon as possible.

SwiftNIO thanks @kuranikaran for filing this issue and the support in fixing it.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "SwiftURL",
        "name": "github.com/apple/swift-nio-http2"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.44.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-28898"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-444",
      "CWE-116"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-06-12T15:08:16Z",
    "nvd_published_at": "2026-06-25T19:16:36Z",
    "severity": "MODERATE"
  },
  "details": "swift-nio-http2\u0027s HTTP/2-to-HTTP/1.1 codec (`HTTP2FramePayloadToHTTP1ServerCodec` / `HTTP2ToHTTP1ServerCodec`) did not validate pseudo-header values for control characters before placing them into the translated HTTP/1.1 message. A remote attacker could send an HTTP/2 request containing CR (\\r), LF (\\n), or NUL (\\0) bytes in pseudo-header values such as `:path`, and when the server translated this to HTTP/1.1 \u2014 for example in a reverse-proxy configuration \u2014 the resulting output could contain injected headers or entirely smuggled requests.\n\nThis is an HTTP/2-to-HTTP/1.1 request smuggling vulnerability. HTTP/2\u0027s binary framing means that CRLF bytes are never parsed as line terminators at the HTTP/2 layer, so they pass through transparently to the HTTP/1.1 output. Any swift-nio-http2 server that translates HTTP/2 requests to HTTP/1.1 and forwards them to a backend is affected. Server-side Swift frameworks such as Vapor that use this codec in a reverse-proxy pattern are directly affected.\n\nThis vulnerability is related to https://github.com/advisories/GHSA-7fj7-39wj-c64f in swift-nio, which addressed CRLF injection in HTTP/1.1 header values but did not cover pseudo-header values in the HTTP/2 layer.\n\nThis vulnerability is also related to https://github.com/advisories/GHSA-cq87-8r7h-962v in swift-nio, which addressed CRLF injection in HTTP/1.1 version, method and path.\n\nswift-nio-http2 1.44.0 adds validation of all pseudo-header values (:path, :authority, :scheme, :method, and :status) at both the HPACK header validation layer and the HTTP/2-to-HTTP/1.1 translation layer. Requests or responses containing CR, LF, or NUL bytes in any pseudo-header value are now rejected with a connection error.\n\nSwiftNIO recommends all adopters upgrade to 1.44.0 as soon as possible.\n\nSwiftNIO thanks @kuranikaran for filing this issue and the support in fixing it.",
  "id": "GHSA-4px2-pw77-vc85",
  "modified": "2026-07-15T21:23:10Z",
  "published": "2026-06-12T15:08:16Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/apple/swift-nio-http2/security/advisories/GHSA-4px2-pw77-vc85"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-28898"
    },
    {
      "type": "WEB",
      "url": "https://github.com/apple/swift-nio-http2/commit/61d1b44f6e4e118792be1cff88ee2bc0267c6f9a"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/apple/swift-nio-http2"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "SwiftNIO HTTP/2: HTTP/2-to-HTTP/1 Request Smuggling via unvalidated :path pseudo-header in HTTP2ToHTTP1Codec"
}

GHSA-4Q56-CRQP-V477

Vulnerability from github – Published: 2025-04-01 22:23 – Updated: 2025-04-01 22:23
VLAI
Summary
Remix and React Router allow URL manipulation via Host / X-Forwarded-Host headers
Details

Impact

We received a report about a vulnerability in Remix/React Router that affects all Remix 2 and React Router 7 consumers using the Express adapter. Basically, this vulnerability allows anyone to spoof the URL used in an incoming Request by putting a URL pathname in the port section of a URL that is part of a Host or X-Forwarded-Host header sent to a Remix/React Router request handler.

Patches

This issue has been patched and released in Remix 2.16.3 React Router 7.4.1.

Credits

  • Rachid Allam (zhero;)
  • Yasser Allam (inzo_)
Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "@react-router/express"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "7.0.0"
            },
            {
              "fixed": "7.4.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "npm",
        "name": "@remix-run/express"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.11.1"
            },
            {
              "fixed": "2.16.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-31137"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-444"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-04-01T22:23:33Z",
    "nvd_published_at": "2025-04-01T19:15:45Z",
    "severity": "HIGH"
  },
  "details": "### Impact\n\nWe received a report about a vulnerability in Remix/React Router that affects all Remix 2 and React Router 7 consumers using the Express adapter. Basically, this vulnerability allows anyone to spoof the URL used in an incoming `Request` by putting a URL pathname in the port section of a URL that is part of a `Host` or `X-Forwarded-Host` header sent to a Remix/React Router request handler.\n\n### Patches\n\nThis issue has been patched and released in Remix 2.16.3 React Router 7.4.1.\n\n### Credits\n\n- Rachid Allam (zhero;)\n- Yasser Allam (inzo_)",
  "id": "GHSA-4q56-crqp-v477",
  "modified": "2025-04-01T22:23:33Z",
  "published": "2025-04-01T22:23:33Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/remix-run/react-router/security/advisories/GHSA-4q56-crqp-v477"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-31137"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/remix-run/react-router"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Remix and React Router allow URL manipulation via Host / X-Forwarded-Host headers"
}

GHSA-4QJW-VX62-3VQX

Vulnerability from github – Published: 2022-02-08 00:01 – Updated: 2022-02-08 00:01
VLAI
Summary
Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')
Details

The package python/cpython from 0 and before 3.6.13, from 3.7.0 and before 3.7.10, from 3.8.0 and before 3.8.8, from 3.9.0 and before 3.9.2 are vulnerable to Web Cache Poisoning via urllib.parse.parse_qsl and urllib.parse.parse_qs by using a vector called parameter cloaking. When the attacker can separate query parameters using a semicolon (;), they can cause a difference in the interpretation of the request between the proxy (running with default configuration) and the server. This can result in malicious requests being cached as completely safe ones, as the proxy would usually not see the semicolon as a separator, and therefore would not include it in a cache key of an unkeyed parameter.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-23336"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-444"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-02-15T13:15:00Z",
    "severity": "HIGH"
  },
  "details": "The package python/cpython from 0 and before 3.6.13, from 3.7.0 and before 3.7.10, from 3.8.0 and before 3.8.8, from 3.9.0 and before 3.9.2 are vulnerable to Web Cache Poisoning via urllib.parse.parse_qsl and urllib.parse.parse_qs by using a vector called parameter cloaking. When the attacker can separate query parameters using a semicolon (;), they can cause a difference in the interpretation of the request between the proxy (running with default configuration) and the server. This can result in malicious requests being cached as completely safe ones, as the proxy would usually not see the semicolon as a separator, and therefore would not include it in a cache key of an unkeyed parameter.",
  "id": "GHSA-4qjw-vx62-3vqx",
  "modified": "2022-02-08T00:01:28Z",
  "published": "2022-02-08T00:01:28Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-23336"
    },
    {
      "type": "WEB",
      "url": "https://github.com/python/cpython/pull/24297"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MP572OLHMS7MZO4KUPSCIMSZIA5IZZ62"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/N6VXJZSZ6N64AILJX4CTMACYGQGHHD5C"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NJSCSN722JO2E2AGPWD4NTGVELVRPB4R"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NODWHDIFBQE5RU5PUWUVE47JOT5VCMJ2"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OAGSWNGZJ6HQ5ISA67SNMK3CJRKICET7"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RSLQD5CCM75IZGAMBDGUZEATYU5YSGJ7"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SGIY6I4YS3WOXAK4SXKIEOC2G4VZKIR7"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TFTELUMWZE3KV3JB2H5EE6VFRZFRD5MV"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/W2LSKBEFI5SYEY5FM6ICZVZM5WRQUCS4"
    },
    {
      "type": "WEB",
      "url": "https://security.gentoo.org/glsa/202104-04"
    },
    {
      "type": "WEB",
      "url": "https://security.netapp.com/advisory/ntap-20210326-0004"
    },
    {
      "type": "WEB",
      "url": "https://snyk.io/blog/cache-poisoning-in-popular-open-source-packages"
    },
    {
      "type": "WEB",
      "url": "https://snyk.io/vuln/SNYK-UPSTREAM-PYTHONCPYTHON-1074933"
    },
    {
      "type": "WEB",
      "url": "https://www.oracle.com//security-alerts/cpujul2021.html"
    },
    {
      "type": "WEB",
      "url": "https://www.oracle.com/security-alerts/cpuApr2021.html"
    },
    {
      "type": "WEB",
      "url": "https://www.oracle.com/security-alerts/cpujan2022.html"
    },
    {
      "type": "WEB",
      "url": "https://www.oracle.com/security-alerts/cpuoct2021.html"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/python/cpython"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/ra8ce70088ba291f358e077cafdb14d174b7a1ce9a9d86d1b332d6367@%3Cusers.airflow.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/rc005f4de9d9b0ba943ceb8ff5a21a5c6ff8a9df52632476698d99432@%3Cannounce.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/rf9fa47ab66495c78bb4120b0754dd9531ca2ff0430f6685ac9b07772@%3Cdev.mina.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2021/02/msg00030.html"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2021/04/msg00005.html"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2021/04/msg00015.html"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2023/09/msg00022.html"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3EPYWWFDV22CJ5AOH5VCE72DOASZZ255"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3YKKDLXL3UEZ3J426C2XTBS63AHE46SM"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/46N6A52EGSXHJYCZWVMBJJIH4NWIV2B5"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FONHJIOZOFD7CD35KZL6SVBUTMBPGZGA"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HCQTCSP6SCVIYNIRUJC5X7YBVUHPLSC4"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HZTM7KLHFCE3LWSEVO2NAFLUHMGYMCRY"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IHQDU7NXA7EWAE4W7VO6MURVJIULEPPR"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KJXCMHLY7H3FIYLE4OKDYUILU2CCRUCZ"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LVNH6Z24IG3E67ZCQGGJ46FZB4XFLQNZ"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MNUN5SOMFL2BBKP6ZAICIIUPQKZDMGYO"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2021/02/19/4"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2021/05/01/2"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Inconsistent Interpretation of HTTP Requests (\u0027HTTP Request Smuggling\u0027)"
}

GHSA-4QPP-GXM3-H9VW

Vulnerability from github – Published: 2025-12-11 15:30 – Updated: 2026-03-19 15:31
VLAI
Details

A flaw in libsoup’s HTTP header handling allows multiple Host: headers in a request and returns the last occurrence for server-side processing. Common front proxies often honor the first Host: header, so this mismatch can cause vhost confusion where a proxy routes a request to one backend but the backend interprets it as destined for another host. This discrepancy enables request-smuggling style attacks, cache poisoning, or bypassing host-based access controls when an attacker supplies duplicate Host headers.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-14523"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-444"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-12-11T13:15:58Z",
    "severity": "HIGH"
  },
  "details": "A flaw in libsoup\u2019s HTTP header handling allows multiple Host: headers in a request and returns the last occurrence for server-side processing. Common front proxies often honor the first Host: header, so this mismatch can cause vhost confusion where a proxy routes a request to one backend but the backend interprets it as destined for another host. This discrepancy enables request-smuggling style attacks, cache poisoning, or bypassing host-based access controls when an attacker supplies duplicate Host headers.",
  "id": "GHSA-4qpp-gxm3-h9vw",
  "modified": "2026-03-19T15:31:10Z",
  "published": "2025-12-11T15:30:32Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-14523"
    },
    {
      "type": "WEB",
      "url": "https://gitlab.gnome.org/GNOME/libsoup/-/issues/472"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2421349"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/security/cve/CVE-2025-14523"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2026:1572"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2026:1571"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2026:1570"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2026:1569"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2026:1509"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2026:0925"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2026:0911"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2026:0909"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2026:0908"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2026:0907"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2026:0906"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2026:0905"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2026:0868"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2026:0867"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2026:0836"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2026:0423"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2026:0422"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2026:0421"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-4QQR-WVPJ-RJF9

Vulnerability from github – Published: 2025-03-03 09:30 – Updated: 2025-03-03 09:30
VLAI
Details

Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') vulnerability in ithewei libhv allows HTTP Response Smuggling.This issue affects libhv: through 1.3.3.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-1867"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-444"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-03-03T09:15:39Z",
    "severity": "CRITICAL"
  },
  "details": "Inconsistent Interpretation of HTTP Requests (\u0027HTTP Request/Response Smuggling\u0027) vulnerability in ithewei libhv allows HTTP Response Smuggling.This issue affects libhv: through 1.3.3.",
  "id": "GHSA-4qqr-wvpj-rjf9",
  "modified": "2025-03-03T09:30:35Z",
  "published": "2025-03-03T09:30:35Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-1867"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ithewei/libhv/pull/689"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

Mitigation
Implementation

Use a web server that employs a strict HTTP parsing procedure, such as Apache [REF-433].

Mitigation
Implementation

Use only SSL communication.

Mitigation
Implementation

Terminate the client session after each request.

Mitigation
System Configuration

Turn all pages to non-cacheable.

CAPEC-273: HTTP Response Smuggling

An adversary manipulates and injects malicious content in the form of secret unauthorized HTTP responses, into a single HTTP response from a vulnerable or compromised back-end HTTP agent (e.g., server).

See CanPrecede relationships for possible consequences.

CAPEC-33: HTTP Request Smuggling

An adversary abuses the flexibility and discrepancies in the parsing and interpretation of HTTP Request messages using various HTTP headers, request-line and body parameters as well as message sizes (denoted by the end of message signaled by a given HTTP header) by different intermediary HTTP agents (e.g., load balancer, reverse proxy, web caching proxies, application firewalls, etc.) to secretly send unauthorized and malicious HTTP requests to a back-end HTTP agent (e.g., web server).

See CanPrecede relationships for possible consequences.