
CWE-444

HTTP Request/Response Smuggling

74 CVEs | Avg CVSS 6.6 | Source: MITRE
Severity breakdown: 8 Critical, 23 High, 36 Medium, 5 Low
With public PoC: 10 | In CISA KEV: 0

Monthly

CVE-2026-47676 MEDIUM PATCH This Month

Path prefix stripping in Hono's app.mount() API exposes mounted sub-applications to incorrect routing due to a raw-vs-decoded URL path inconsistency, potentially allowing unauthenticated remote attackers to reach unintended endpoints and disclose protected information. All Hono versions prior to 4.12.21 are affected across every supported JavaScript runtime. No public exploit or CISA KEV listing exists at time of analysis; however, the CVSS vector AV:N/AC:L/PR:N/UI:N and the 'Information Disclosure / Request Smuggling' classification make this a meaningful priority for any deployment that relies on mount-prefix path logic for access segregation.

Tags: Information Disclosure, Request Smuggling, Hono | Sources: NVD, GitHub | CVSS 3.1: 5.3
CVE-2026-48710 PyPI MEDIUM PATCH This Month

Host header injection in Starlette prior to version 1.0.1 allows unauthenticated remote attackers to cause `request.url.path` to differ from the actual ASGI scope path used for routing, enabling bypass of middleware and endpoint security controls that rely on `request.url` rather than the raw scope. Any application enforcing path-based ACLs, authentication gates, or WAF-style filters through `request.url` is affected, as a crafted Host header can make the URL appear to address a permitted path while the real route differs. This issue carries CVSS 6.5 (AV:N/AC:L/PR:N/UI:N); no public exploit has been identified at time of analysis and it is not listed in CISA KEV.

Tags: Authentication Bypass, Request Smuggling | Sources: NVD, GitHub | CVSS 3.1: 6.5 | EPSS: 0.0%
CVE-2026-42585 Maven MEDIUM PATCH GHSA This Month

HTTP request smuggling in Netty's HttpRequestDecoder allows remote unauthenticated attackers to inject arbitrary HTTP requests by sending malformed Transfer-Encoding headers (specifically 'Transfer-Encoding: chunked, identity', where chunked is not the final transfer coding; RFC 9112 section 6.3 requires a server to reject such a message rather than guess its length). When Netty is deployed behind a proxy that forwards such requests without rejection, an attacker can smuggle a second request inside the body of the first, bypassing security controls and accessing unintended resources. The vulnerability is confirmed by public proof-of-concept code demonstrating successful parsing of injected requests.

Tags: RCE, Java, Request Smuggling, Suse | Sources: NVD, GitHub, VulDB | CVSS 3.1: 6.5 | EPSS: 0.0%
CVE-2026-42584 Maven HIGH PATCH GHSA This Week

HTTP response desynchronization in Netty's HttpClientCodec allows response body misattribution across pipelined requests when servers send 1xx informational responses. When a client pipelines GET and HEAD requests and the server responds with 103 Early Hints followed by 200 responses, the codec incorrectly pairs the HEAD request with the GET's 200 response, causing the GET response body to remain on the stream and corrupt subsequent response parsing. This enables request smuggling and information disclosure attacks. CVSS 7.3 with network-accessible, unauthenticated attack vector. Publicly available exploit code exists (PoC in GitHub advisory). EPSS data not provided, not listed in CISA KEV. Vendor-released patches available in Netty 4.1.133.Final and 4.2.13.Final.

Tags: Java, Information Disclosure, Request Smuggling, Suse | Sources: NVD, GitHub, VulDB | CVSS 3.1: 7.3 | EPSS: 0.0%
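The pairing failure described in the HttpClientCodec entry above, as an added example rather than Netty's code: a toy response demultiplexer for a client that pipelined GET then HEAD and receives 103, 200 with a body, 200. The mechanism modelled for the buggy variant (a codec that pops its request queue on a 1xx response) is an assumption made for illustration, and the three responses and the "hello world" body are constructed.

```python
"""Pairing pipelined responses with their requests, with and without a 1xx bug
(added example, not Netty's code).

The client pipelined GET then HEAD; the server answers 103, 200 with a
body, 200.  The correct demultiplexer leaves the request queue alone for
1xx responses and reads no body for HEAD.  The assumed buggy variant pops
the queue on the 103, so the GET's 200 is charged to HEAD, its body is
never consumed, and the next status line is read from inside that body.
"""
from collections import deque

CRLF = b"\r\n"


def read_head(stream: bytes, pos: int):
    """Parse one status line plus headers at pos -> (status, headers, body offset)."""
    end = stream.find(CRLF + CRLF, pos)
    if end < 0:
        raise ValueError("incomplete response head")
    status_line, *header_lines = stream[pos:end].split(CRLF)
    try:
        status = int(status_line.split(b" ")[1])
    except (IndexError, ValueError):
        raise ValueError("desync: not a status line: %r" % status_line[:24]) from None
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, end + 4


def demux(stream: bytes, methods, pop_on_1xx: bool):
    """Pair responses in stream with the pipelined request methods.

    Returns ([(method, status, body), ...], bytes left unread once the
    request queue is empty).  pop_on_1xx=True models the assumed buggy codec.
    """
    queue, pairs, pos = deque(methods), [], 0
    while queue and pos < len(stream):
        status, headers, pos = read_head(stream, pos)
        if 100 <= status < 200:            # informational: final response still to come
            if pop_on_1xx:
                pairs.append((queue.popleft(), status, b""))
            continue
        method = queue.popleft()
        # A HEAD response carries no body even when Content-Length is present.
        length = 0 if method == "HEAD" else int(headers.get(b"content-length", b"0"))
        pairs.append((method, status, stream[pos:pos + length]))
        pos += length
    return pairs, stream[pos:]


def sample_stream() -> bytes:
    """Constructed server side: 103, then 200 with an 11-byte body, then 200 for HEAD."""
    return (b"HTTP/1.1 103 Early Hints\r\nLink: </style.css>; rel=preload\r\n\r\n"
            b"HTTP/1.1 200 OK\r\nContent-Length: 11\r\n\r\nhello world"
            b"HTTP/1.1 200 OK\r\nContent-Length: 11\r\n\r\n")


def run(pop_on_1xx: bool):
    return demux(sample_stream(), ["GET", "HEAD"], pop_on_1xx)


def next_status(leftover: bytes) -> str:
    """What the codec would read as the next status line; 'ok' when nothing is left."""
    if not leftover:
        return "ok"
    try:
        return "status %d" % read_head(leftover, 0)[0]
    except ValueError as exc:
        return str(exc)


if __name__ == "__main__":
    for bug in (False, True):
        pairs, rest = run(bug)
        print("buggy  " if bug else "correct", pairs, "->", next_status(rest))
```

The correct run pairs GET with the 200 that carries "hello world" and HEAD with the bodiless 200, leaving nothing on the stream; the buggy run ends with the body still unread, so the next parse attempt starts at "hello worldHTTP/1.1 200 OK", which is the corruption the advisory describes.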
CVE-2026-42581 Maven MEDIUM PATCH GHSA This Month

HTTP request smuggling in Netty's HttpObjectDecoder allows remote attackers to bypass Content-Length sanitization for HTTP/1.0 requests carrying both Transfer-Encoding: chunked and Content-Length headers. Netty strips the conflicting Content-Length only for HTTP/1.1 and leaves it intact for HTTP/1.0, so a downstream proxy that prioritizes Content-Length misinterprets the message boundary and processes an attacker-injected payload as a separate request. Not listed in CISA KEV and no active exploitation is indicated, but a reproducible PoC is provided. Affects Netty 4.2.0–4.2.12 and 4.1.0–4.1.132.

Tags: Authentication Bypass, Java, Nginx, Request Smuggling, Suse | Sources: NVD, GitHub, VulDB | CVSS 3.1: 5.8 | EPSS: 0.0%
CVE-2026-42580 Maven MEDIUM PATCH GHSA This Month

HTTP request smuggling in Netty's chunk size parser allows remote unauthenticated attackers to inject arbitrary HTTP requests by exploiting integer overflow in the hexadecimal chunk size parsing logic. The HttpObjectDecoder.getChunkSize method accumulates the chunk size without proper overflow validation, enabling an attacker to craft a malicious chunk size header that wraps around to a valid size, causing Netty to misinterpret the request boundary and parse injected requests as separate legitimate requests. Publicly available proof-of-concept demonstrates successful parsing of an injected GET request within a chunked POST body, with CVSS score 6.5 (network-accessible, low complexity, no authentication required).

Tags: RCE, Java, Red Hat, Request Smuggling, Suse | Sources: NVD, GitHub | CVSS 3.1: 6.5 | EPSS: 0.0%
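The chunk-size overflow in the entry above, as an added example rather than Netty's code: a hex size parser that wraps like a 32-bit signed integer, next to one that enforces a bound before the value can grow, both run over a constructed chunked body. The 1 MiB limit, the size line 0x100000005 and the injected GET /admin request are assumptions for the demonstration.

```python
"""Hex chunk-size parsing with and without overflow checks (added example,
a simplified model of the bug class, not Netty's code).

The vulnerable parser accumulates hex digits in a 32-bit signed integer
that silently wraps; the hardened one stops as soon as the running value
would exceed an assumed application limit.  The attack body and the
injected request are constructed here.
"""
MAX_CHUNK = 1 << 20            # assumed limit: 1 MiB per chunk


def _digits(line: bytes) -> bytes:
    return line.split(b";")[0].strip()   # drop chunk extensions and whitespace


def chunk_size_wrapping(line: bytes) -> int:
    """Vulnerable: accumulate like a Java int, wrapping modulo 2**32."""
    value = 0
    for ch in _digits(line):
        value = (value * 16 + int(chr(ch), 16)) & 0xFFFF_FFFF
    return value - (1 << 32) if value & 0x8000_0000 else value


def chunk_size_wide(line: bytes) -> int:
    """Arbitrary precision: what a front end with a wider integer sees."""
    return int(_digits(line), 16)


def chunk_size_checked(line: bytes) -> int:
    """Hardened: reject before the value can exceed MAX_CHUNK, so it can never wrap."""
    digits = _digits(line)
    if not digits:
        raise ValueError("empty chunk size")
    value = 0
    for ch in digits:
        value = value * 16 + int(chr(ch), 16)
        if value > MAX_CHUNK:
            raise ValueError("chunk size exceeds limit")
    return value


def dechunk(body: bytes, size_of):
    """Decode a chunked body using size_of for the size line.

    Returns (chunks, bytes left on the stream after the terminating 0 chunk).
    Raises ValueError when a declared size runs past the available data.
    """
    chunks, pos = [], 0
    while True:
        nl = body.find(b"\r\n", pos)
        if nl < 0:
            raise ValueError("incomplete: no size line")
        size = size_of(body[pos:nl])
        if size < 0:
            raise ValueError("negative chunk size")
        start = nl + 2
        if start + size + 2 > len(body):
            raise ValueError("incomplete: waiting for more body bytes")
        if size == 0:
            return chunks, body[start + 2:]
        chunks.append(body[start:start + size])
        pos = start + size + 2


def outcome(body: bytes, size_of) -> str:
    """'rejected', 'incomplete', 'clean', or 'next request: <line>' when the
    parser finishes the body with more bytes still on the stream."""
    try:
        _, rest = dechunk(body, size_of)
    except ValueError as exc:
        msg = str(exc)
        return "rejected" if ("limit" in msg or "negative" in msg) else "incomplete"
    if not rest:
        return "clean"
    return "next request: " + rest.split(b"\r\n", 1)[0].decode()


INJECTED = b"GET /admin HTTP/1.1\r\nHost: x\r\n\r\n"     # hypothetical target


def attack_body() -> bytes:
    """Size line 0x100000005: 4 GiB + 5 to a wide parser, exactly 5 after a 32-bit wrap."""
    return b"100000005\r\nAAAAA\r\n0\r\n\r\n" + INJECTED


if __name__ == "__main__":
    for name, fn in (("wrapping", chunk_size_wrapping),
                     ("wide", chunk_size_wide),
                     ("checked", chunk_size_checked)):
        print(f"{name:9s} parser: {outcome(attack_body(), fn)}")
```

The three outcomes are the desynchronization in miniature: the wrapping parser finishes the body after five bytes and sees GET /admin as the next request, a wide-integer front end is still waiting for 4 GiB of chunk data and treats the same bytes as body, and the bounded parser refuses the size line before any of that can happen.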
CVE-2026-40562 HIGH PATCH This Week

HTTP Request Smuggling in Gazelle (Perl web server) versions through 0.49 enables attackers to smuggle malicious requests through reverse proxies by exploiting incorrect header precedence. Gazelle violates RFC 7230 by prioritizing Content-Length over Transfer-Encoding: chunked when both headers are present, allowing desynchronization between front-end proxies and the backend server. SSVC framework indicates the vulnerability is automatable with partial technical impact, while CVSS 7.5 reflects network-accessible unauthenticated exploitation with high integrity impact. A vendor patch is available via CPANSec.

Tags: Information Disclosure, Request Smuggling | Sources: NVD | CVSS 3.1: 7.5 | EPSS: 0.0%
CVE-2026-40561 MEDIUM PATCH This Month

HTTP request smuggling in Starlet through version 0.31 allows remote unauthenticated attackers to bypass header validation by exploiting incorrect precedence of Content-Length over Transfer-Encoding headers. The vulnerability violates RFC 7230 section 3.3.3 (now RFC 9112 section 6.3), which mandates that Transfer-Encoding take precedence when both headers are present. An attacker sending requests through a front-end reverse proxy to a Starlet-based backend can craft messages that the proxy and the Starlet server frame differently, enabling request smuggling attacks with integrity impact.

Tags: Information Disclosure, Request Smuggling | Sources: NVD, GitHub, VulDB | CVSS 3.1: 5.3 | EPSS: 0.0%
CVE-2026-39805 MEDIUM POC PATCH GHSA This Month

HTTP request smuggling in mtrudel bandit before version 1.11.0 allows unauthenticated attackers to bypass edge security controls when the application sits behind a proxy that interprets duplicate Content-Length headers differently. Bandit accepts the first Content-Length header while a proxy may use the last, so the two frame the body differently and the resulting desynchronization lets requests past WAF rules, path-based ACLs, rate limiting and audit logging. The CVSS 4.0 score of 6.3 (AV:N/AC:L/AT:P) reflects network-reachable, low-complexity exploitation with an attack requirement present: a front end must exist that frames duplicate Content-Length headers differently from Bandit. No public exploit code or active KEV listing was identified at analysis time, but RFC 9112 non-compliance (a message with conflicting Content-Length values must be treated as an unrecoverable framing error) creates a known attack pattern.

Tags: Information Disclosure, Red Hat, Request Smuggling | Sources: NVD, GitHub, VulDB | CVSS 4.0: 6.3 | EPSS: 0.0%
CVE-2026-40560 HIGH PATCH This Week

Starman versions before 0.4018 for Perl allow HTTP request smuggling via improper header precedence. Starman incorrectly prioritizes Content-Length over Transfer-Encoding: chunked when both headers are present in an HTTP request; per RFC 7230 section 3.3.3 (now RFC 9112 section 6.3), Transfer-Encoding must take precedence. An attacker could exploit this to smuggle malicious HTTP requests through a front-end reverse proxy.

Tags: Information Disclosure, Request Smuggling | Sources: NVD, GitHub, VulDB | CVSS 3.1: 7.5 | EPSS: 0.0%
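The header-precedence bugs in the Gazelle, Starlet and Starman entries, the duplicate Content-Length bug in the Bandit entry and the 'chunked, identity' case in the Netty HttpRequestDecoder entry all come down to one question: how many body bytes follow the request head. The toy framer below is an added example, not code from any of those projects or from any proxy; it answers that question under several selectable policies and shows a front end and a back end counting a different number of requests in the same bytes. The strict policy never consults the HTTP version, which is also the check the HttpObjectDecoder entry is about. The sample requests, host and paths are constructed.

```python
"""Differential HTTP/1.1 request framing (added example, not code from Gazelle,
Starlet, Starman, Bandit, Netty or any proxy).  One byte stream is framed
under several policies so that a front end and a back end count a
different number of requests.  Host and paths in the samples are made up.
"""
CRLF = b"\r\n"

def parse_head(buf: bytes):
    """Head of the first request -> (request line, [(name, value)], body offset)."""
    end = buf.find(CRLF + CRLF)
    if end < 0:
        raise ValueError("incomplete request head")
    lines = buf[:end].split(CRLF)
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers, end + 4

def chunked_length(body: bytes) -> int:
    """Bytes taken by a chunked body up to and including the 0 chunk (no trailers)."""
    pos = 0
    while True:
        nl = body.find(CRLF, pos)
        if nl < 0:
            raise ValueError("incomplete chunk")
        size = int(body[pos:nl].split(b";")[0], 16)  # chunk extensions ignored
        pos = nl + 2 + size + 2                        # size line, data, CRLF
        if size == 0:
            return pos

def body_length(body: bytes, headers, policy: str) -> int:
    """Body bytes after the head under one policy:
    strict   RFC 9112 6.3: reject TE with CL, conflicting CLs, chunked not final
    te_first Transfer-Encoding wins (RFC 7230 3.3.3 precedence, nothing rejected)
    cl_first Content-Length wins (the Gazelle / Starlet / Starman behaviour)
    first_cl first of duplicate Content-Length values (the Bandit behaviour)
    last_cl  last of duplicate values (an assumed front-end proxy)
    """
    te = [v for n, v in headers if n == b"transfer-encoding"]
    cl = [v for n, v in headers if n == b"content-length"]
    chunked = any(b"chunked" in v for v in te)
    if policy == "strict":
        if te and cl:
            raise ValueError("ambiguous: Transfer-Encoding with Content-Length")
        if len(set(cl)) > 1:
            raise ValueError("ambiguous: conflicting Content-Length values")
        if te and te[-1].split(b",")[-1].strip() != b"chunked":
            raise ValueError("ambiguous: chunked is not the final transfer coding")
    if policy in ("strict", "te_first") and chunked:
        return chunked_length(body)
    if not cl:
        return chunked_length(body) if chunked else 0
    return int(cl[-1] if policy == "last_cl" else cl[0])

def split_requests(stream: bytes, policy: str) -> list:
    """Request lines the policy sees; ValueError on ambiguous or incomplete input."""
    seen = []
    while stream:
        line, headers, off = parse_head(stream)
        n = body_length(stream[off:], headers, policy)
        seen.append(line)
        stream = stream[off + n:]
    return seen

def rejected(stream: bytes, policy: str) -> bool:
    """True when the policy refuses to frame the stream."""
    try:
        split_requests(stream, policy)
        return False
    except ValueError:
        return True

# Constructed payloads.  The inner Content-Length: 7 swallows the CRLF and the
# 0 chunk that end the outer chunked body, so a CL-first back end stops cleanly.
SMUGGLED = b"GET /admin HTTP/1.1\r\nHost: x\r\nContent-Length: 7\r\n\r\n"

def te_cl_stream() -> bytes:
    """Content-Length says 4 bytes; chunked says one chunk holding a whole request."""
    head = (b"POST / HTTP/1.1\r\nHost: x\r\n"
            b"Content-Length: 4\r\nTransfer-Encoding: chunked\r\n\r\n")
    return head + b"%x" % len(SMUGGLED) + CRLF + SMUGGLED + CRLF + b"0\r\n\r\n"

def dup_cl_stream() -> bytes:
    """Two Content-Length headers: the first covers 4 bytes, the last everything."""
    inner = b"GET /admin HTTP/1.1\r\nHost: x\r\n\r\n"
    body = b"AAAA" + inner
    head = (b"POST / HTTP/1.1\r\nHost: x\r\nContent-Length: 4\r\n"
            b"Content-Length: %d\r\n\r\n" % len(body))
    return head + body

if __name__ == "__main__":
    for name, stream in (("TE.CL", te_cl_stream()), ("dup-CL", dup_cl_stream())):
        for policy in ("strict", "te_first", "cl_first", "first_cl", "last_cl"):
            view = "rejected" if rejected(stream, policy) else split_requests(stream, policy)
            print(f"{name:7s} {policy:9s} -> {view}")
```

A Transfer-Encoding-first front end forwards the first stream as a single POST, while a Content-Length-first back end reads four bytes of body and then services GET /admin as a second request; a last-Content-Length proxy forwards the second stream as one POST, while a first-Content-Length back end again finds GET /admin behind it. Only the strict policy, which rejects both streams outright, removes the disagreement, and it does so without looking at the HTTP version.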