Severity by source
CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:L/SI:L/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:N/AU:N/R:U/V:D/RE:L/U:Green
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:L/SI:L/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:N/AU:N/R:U/V:D/RE:L/U:Green
Lifecycle Timeline
4DescriptionCVE.org
Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') vulnerability in visualfc liteide (liteidex/src/3rdparty/qjsonrpc/src/http-parser modules). This vulnerability is associated with program files http_parser.C.
This issue affects liteide: before x38.4.
AnalysisAI
An HTTP Request/Response Smuggling vulnerability exists in visualfc liteide due to inconsistent interpretation of HTTP requests in the HTTP parser component (http_parser.C), classified under CWE-444. This affects liteide versions before x38.4, allowing attackers to exploit the qjsonrpc HTTP parser module to smuggle malicious requests. An attacker could leverage this vulnerability to perform request smuggling attacks, potentially leading to cache poisoning, session hijacking, or information disclosure depending on the deployment context and HTTP intermediaries involved.
Technical ContextAI
The vulnerability resides in the liteide HTTP parser implementation (liteidex/src/3rdparty/qjsonrpc/src/http-parser modules, specifically http_parser.C), which is responsible for parsing HTTP requests in the qjsonrpc library integrated into liteide. CWE-444 (Inconsistent Interpretation of HTTP Requests, also known as HTTP Request Smuggling) occurs when an HTTP parser fails to consistently interpret ambiguous or malformed HTTP request boundaries, particularly around Content-Length and Transfer-Encoding headers. The affected product is visualfc liteide as identified by CPE cpe:2.3:a:visualfc:liteide:*:*:*:*:*:*:*:*, with the flaw originating in third-party parsing logic. When multiple HTTP processing layers (client, intermediary, server) interpret request boundaries differently, attackers can smuggle additional requests through the connection, bypassing security controls.
RemediationAI
Upgrade visualfc liteide to version x38.4 or later immediately. The vendor has released a patch available at https://github.com/visualfc/liteide/pull/1325 (PR #1325) that addresses the HTTP parser inconsistency. Users unable to upgrade immediately should restrict network exposure of any HTTP services provided by liteide, disable or isolate qjsonrpc endpoints if not required, and ensure liteide instances are deployed only within trusted networks behind firewalls. If liteide is used in a multi-user or server context, prioritize patching as the primary remediation.
Same weakness CWE-444 – HTTP Request/Response Smuggling
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-14701
GHSA-cf47-c3cp-r84w