Severity by source
AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:L/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:L/A:N
Lifecycle Timeline
1DescriptionCVE.org
IBM Web Server Plug-ins for WebSphere Application Server and WebSphere Liberty 8.5, 9.0 IBM WebSphere Application Server and WebSphere Application Server Liberty are vulnerable to HTTP request smuggling in the Web Server Plug-ins through a specially crafted request.
AnalysisAI
HTTP request smuggling in IBM Web Server Plug-ins for WebSphere Application Server and WebSphere Liberty 8.5 and 9.0 allows remote unauthenticated attackers to send specially crafted requests that desynchronize front-end and back-end HTTP parsing. Successful exploitation enables cache poisoning, security control bypass, and limited disclosure or modification of data passing through the plug-in, with a CVSS 7.5 reflecting a Changed scope and high confidentiality impact. There is no public exploit identified at time of analysis, EPSS is low at 0.05% (15th percentile), and CISA SSVC marks exploitation status as none.
Technical ContextAI
The IBM Web Server Plug-ins act as a reverse-proxy bridge between front-end web servers (IHS, Apache, IIS) and back-end WebSphere Application Server or Liberty profiles, forwarding HTTP requests over the WebSphere transport. CWE-444 (Inconsistent Interpretation of HTTP Requests) covers HTTP Request Smuggling, where discrepancies in how two HTTP-handling components parse Content-Length, Transfer-Encoding, or request-line framing allow an attacker to inject a second 'smuggled' request boundary inside one TCP stream. The affected CPE cpe:2.3:a:ibm:web_server_plug-ins_for_websphere_application_server_and_websphere_liberty covers all versions through Interim Fix 002 per EUVD data, indicating the parsing inconsistency lives in the plug-in's request-forwarding logic between the front-end web server and the WebSphere container.
RemediationAI
Patch available per vendor advisory: apply the IBM-provided fix referenced at https://www.ibm.com/support/pages/node/7274072 to upgrade beyond Interim Fix 002 on both the 8.5 and 9.0 plug-in streams (exact fix-pack version is published in the IBM advisory and should be matched to your installed plug-in level). Because the plug-in is typically deployed on the front-end web server (IHS/Apache/IIS), update each web-server tier that hosts the plug-in, not just the WebSphere application servers behind it. If immediate patching is not possible, compensating controls include placing a strict HTTP-normalizing reverse proxy or WAF in front of the plug-in to reject ambiguous Content-Length/Transfer-Encoding combinations and pipelined requests (trade-off: may break legitimate clients that rely on keep-alive pipelining), disabling HTTP keep-alive between the front-end web server and back-end where feasible to neutralize smuggling at TCP boundaries (trade-off: noticeable latency and CPU overhead), and restricting plug-in exposure to trusted networks while monitoring for anomalous double Content-Length or conflicting framing headers.
Same weakness CWE-444 – HTTP Request/Response Smuggling
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-31921
GHSA-qwgm-xj6f-w5v6