Request Smuggling
Monthly
HTTP request smuggling in Apache Tomcat 7.x through 11.x permits unauthenticated remote attackers to manipulate request routing and bypass security controls via malformed chunk extension processing. Exploitation enables header injection, cache poisoning, and request routing manipulation without code execution. Affects Tomcat 7.0.0-7.0.109, 8.5.0-8.5.100, 9.0.0.M1-9.0.115, 10.1.0-M1-10.1.52, and 11.0.0-M1-11.0.18. No public exploit identified at time of analysis. Low observed exploitation activity (EPSS 0.02%).
HTTP request smuggling and denial of service in Tinyproxy through 1.11.3 allows unauthenticated remote attackers to cause backend worker exhaustion and bypass request inspection controls. The vulnerability stems from case-sensitive Transfer-Encoding header parsing that violates RFC 7230, enabling attackers to send 'Transfer-Encoding: Chunked' (capitalized) to desynchronize Tinyproxy's request state from RFC-compliant backends like Node.js and Nginx. No public exploit identified at time of analysis, though EPSS data not available and technical details are publicly documented in GitHub issue #604. Authentication requirements not confirmed from available data, but CVSS vector indicates network-accessible attack requiring no privileges.
Apache Traffic Server versions 9.0.0-9.2.12 and 10.0.0-10.1.1 are vulnerable to HTTP request smuggling through malformed chunked transfer encoding, allowing attackers to bypass security controls and smuggle malicious requests. The vulnerability stems from improper parsing of chunked messages (CWE-444: Inconsistent Interpretation of HTTP Requests) and affects all deployments using these versions as reverse proxies or intermediaries. Apache has released patched versions 9.2.13 and 10.1.2; no public exploit code or active exploitation has been reported at the time of analysis.
IBM Verify Identity Access and Security Verify Access versions 10.0 through 10.0.9.1 and 11.0 through 11.0.2 allow unauthenticated remote attackers to access sensitive information through HTTP request smuggling via inconsistent interpretation of HTTP requests by a reverse proxy. The vulnerability affects both container and non-container deployments and has a CVSS score of 5.3 with confirmed vendor patch availability.
Remote attackers can access sensitive information in IBM Verify Identity Access Container 11.0-11.0.2, IBM Security Verify Access Container 10.0-10.0.9.1, and their non-containerized counterparts through HTTP request smuggling. The vulnerability exploits inconsistent HTTP request interpretation between the application and its reverse proxy, allowing unauthenticated remote access to restricted data with low attack complexity.
HTTP Request Smuggling in cpp-httplib prior to 0.40.0 allows remote attackers to inject arbitrary HTTP requests on HTTP/1.1 keep-alive connections by embedding malicious request data in the body of GET requests that the static file handler does not consume. The unread body bytes remain on the TCP stream and are interpreted as a new request, enabling information disclosure and request manipulation without authentication or user interaction.
Undertow's improper handling of HTTP requests with leading whitespace in header lines enables remote, unauthenticated request smuggling attacks (CWE-444) against Red Hat middleware and enterprise products. Attackers can exploit this HTTP standard violation to bypass security controls, access restricted data, or poison web caches across a wide deployment base including JBoss EAP 7/8, Red Hat Fuse 7, Data Grid 8, and RHEL 8/9/10 distributions. The CVSS score of 8.7 with changed scope (S:C) and high attack complexity (AC:H) indicates significant impact potential, though no public exploit identified at time of analysis.
Undertow HTTP request smuggling via malformed header terminator allows remote unauthenticated attackers to bypass security controls and manipulate web requests through vulnerable proxies including older Apache Traffic Server and Google Cloud Classic Application Load Balancer. With CVSS 8.7 (High/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N), the vulnerability affects multiple Red Hat product lines including JBoss EAP 7 and 8, Fuse 7, Data Grid 8, and RHEL 8-10 distributions. No public exploit identified at time of analysis, though the attack vector is network-accessible and requires no authentication.
Undertow header parsing discrepancies enable HTTP request smuggling attacks against Red Hat middleware and enterprise platforms, allowing remote unauthenticated attackers to bypass security controls and access unauthorized resources. The vulnerability affects multiple Red Hat products including JBoss Enterprise Application Platform 7 and 8, Data Grid 8, Fuse 7, Single Sign-On 7, and Enterprise Linux 8, 9, and 10 distributions. With a CVSS score of 8.7 and changed scope (S:C), attackers can exploit inconsistent header interpretation between Undertow and upstream proxies to smuggle malicious requests past authentication and authorization mechanisms, achieving high confidentiality and integrity impact without requiring authentication.
CVE-2026-33870 is a security vulnerability (CVSS 7.5). High severity vulnerability requiring prompt remediation.
CVE-2026-29057 is a security vulnerability (CVSS 6.5) that allows request smuggling. Remediation should follow standard vulnerability management procedures. Vendor patch is available.
A critical HTTP Request Smuggling vulnerability exists in Erlang OTP's inets httpd module that allows attackers to desynchronize front-end and back-end servers by exploiting inconsistent Content-Length header parsing. The vulnerability affects Erlang OTP versions from 17.0 through 28.4.0 (inets 5.10 through 9.6.0) and enables attackers to bypass security controls, potentially poisoning web caches or accessing unauthorized resources. While not currently listed in CISA KEV or showing high EPSS scores, the vulnerability has a CVSS 4.0 score of 7.0 and could lead to significant security boundary violations in production environments using affected Erlang-based web services.
HTTP request smuggling in libsoup allows remote attackers to exploit non-compliant chunk header parsing by injecting malformed requests with LF-only line endings instead of proper CRLF formatting. Without requiring authentication, an attacker can cause libsoup to interpret multiple HTTP requests from a single network message, potentially leading to information disclosure. No patch is currently available for this vulnerability.
lighttpd1.4.80 incorrectly merged trailer fields into headers after http request parsing. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This HTTP Request/Response Smuggling vulnerability could allow attackers to manipulate HTTP request interpretation between frontend and backend servers.
Http4s is a Scala interface for HTTP services. Rated medium severity (CVSS 6.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.
An HTTP Request Smuggling [CWE-444] vulnerability in the Authentication portal of WatchGuard Fireware OS allows a remote attacker to evade request parameter sanitation and perform a reflected. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Netty is an asynchronous event-driven network application framework for development of maintainable high performance protocol servers and clients. Rated low severity (CVSS 2.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.
Eventlet is a concurrent networking library for Python. Rated medium severity (CVSS 6.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This HTTP Request/Response Smuggling vulnerability could allow attackers to manipulate HTTP request interpretation between frontend and backend servers.
Akamai Ghost before 2025-07-21 allows HTTP Request Smuggling via an OPTIONS request that has an entity body, because there can be a subsequent request within the persistent connection between an. Rated medium severity (CVSS 4.0), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.
An issue was discovered in Akamai Ghost, as used for the Akamai CDN platform before 2025-03-26. Rated medium severity (CVSS 4.0), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.
EspoCRM is a web application with a frontend designed as a single-page application and a REST API backend written in PHP. Rated medium severity (CVSS 4.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.
Spring Cloud Gateway Server forwards the X-Forwarded-For and Forwarded headers from untrusted proxies. Rated high severity (CVSS 8.6), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
A request smuggling vulnerability identified within Pingora’s proxying framework, pingora-proxy, allows malicious HTTP requests to be injected via manipulated request bodies on cache HITs, leading to. Rated high severity (CVSS 7.4), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.
A flaw in Node.js 20's HTTP parser allows improper termination of HTTP/1 headers using `\r\n\rX` instead of the required `\r\n\r\n`. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
A request smuggling vulnerability existed in the Google Cloud Classic Application Load Balancer due to improper handling of chunked-encoded HTTP requests. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Varnish Cache before 7.6.3 and 7.7 before 7.7.1, and Varnish Enterprise before 6.0.13r14, allow client-side desync via HTTP/1 requests, because the product incorrectly permits CRLF to be skipped to. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.
Radware Cloud Web Application Firewall (WAF) before 2025-05-07 allows remote attackers to bypass firewall filters by placing random data in the HTTP request body when using the HTTP GET method. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
h11 is a Python implementation of HTTP/1.1. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
An issue in OpenResty lua-nginx-module v.0.10.26 and before allows a remote attacker to conduct HTTP request smuggling via a crafted HEAD request. Rated high severity (CVSS 7.7), this vulnerability is remotely exploitable, no authentication required. Public exploit code available and no vendor patch available.
An issue in croogo v.3.0.2 allows an attacker to perform Host header injection via the feed.rss component. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
When using the ch-go library, under a specific condition when the query includes a large, uncompressed malicious external data, it is possible for an attacker in control of such data to smuggle. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable. No vendor patch available.
Apache Traffic Server allows request smuggling if chunked messages are malformed.2.0 through 9.2.9, from 10.0.0 through 10.0.4. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
React Router is a multi-strategy router for React bridging the gap from React 18 to React 19. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Varnish Cache before 7.6.2 and Varnish Enterprise before 6.0.13r10 allow client-side desync via HTTP/1 requests. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.
Gunicorn version 21.2.0 does not properly validate the value of the 'Transfer-Encoding' header as specified in the RFC standards, which leads to the default fallback method of 'Content-Length,'. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
HTTP Request Smuggling vulnerability in netease-youdao/qanything version 1.4.1 allows attackers to exploit inconsistencies in the interpretation of HTTP requests between a proxy and a server. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
In JetBrains Ktor before 3.1.1 an HTTP Request Smuggling was possible. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
A critical HTTP Request/Response Smuggling vulnerability (CWE-444) in ithewei libhv library versions up to 1.3.3 allows attackers to manipulate HTTP request interpretation between frontend and backend servers. With a CVSS 4.0 score of 10.0, this vulnerability requires no authentication or user interaction and can be exploited remotely with low complexity. HTTP smuggling attacks can bypass security controls, poison web caches, hijack user sessions, and enable cross-site scripting, making this particularly dangerous in environments using libhv as a reverse proxy or HTTP server component.
In Perfex Crm < 3.2.1, an authenticated attacker can send a crafted HTTP POST request to the affected upload_sales_file endpoint. Rated medium severity (CVSS 6.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
A flaw was found in OpenShift Service Mesh 2.6.3 and 2.5.6. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Puma is a web server for Ruby/Rack applications built for parallelism. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, no authentication required. This HTTP Request/Response Smuggling vulnerability could allow attackers to manipulate HTTP request interpretation between frontend and backend servers.
HTTP request smuggling in Apache Tomcat 7.x through 11.x permits unauthenticated remote attackers to manipulate request routing and bypass security controls via malformed chunk extension processing. Exploitation enables header injection, cache poisoning, and request routing manipulation without code execution. Affects Tomcat 7.0.0-7.0.109, 8.5.0-8.5.100, 9.0.0.M1-9.0.115, 10.1.0-M1-10.1.52, and 11.0.0-M1-11.0.18. No public exploit identified at time of analysis. Low observed exploitation activity (EPSS 0.02%).
HTTP request smuggling and denial of service in Tinyproxy through 1.11.3 allows unauthenticated remote attackers to cause backend worker exhaustion and bypass request inspection controls. The vulnerability stems from case-sensitive Transfer-Encoding header parsing that violates RFC 7230, enabling attackers to send 'Transfer-Encoding: Chunked' (capitalized) to desynchronize Tinyproxy's request state from RFC-compliant backends like Node.js and Nginx. No public exploit identified at time of analysis, though EPSS data not available and technical details are publicly documented in GitHub issue #604. Authentication requirements not confirmed from available data, but CVSS vector indicates network-accessible attack requiring no privileges.
Apache Traffic Server versions 9.0.0-9.2.12 and 10.0.0-10.1.1 are vulnerable to HTTP request smuggling through malformed chunked transfer encoding, allowing attackers to bypass security controls and smuggle malicious requests. The vulnerability stems from improper parsing of chunked messages (CWE-444: Inconsistent Interpretation of HTTP Requests) and affects all deployments using these versions as reverse proxies or intermediaries. Apache has released patched versions 9.2.13 and 10.1.2; no public exploit code or active exploitation has been reported at the time of analysis.
IBM Verify Identity Access and Security Verify Access versions 10.0 through 10.0.9.1 and 11.0 through 11.0.2 allow unauthenticated remote attackers to access sensitive information through HTTP request smuggling via inconsistent interpretation of HTTP requests by a reverse proxy. The vulnerability affects both container and non-container deployments and has a CVSS score of 5.3 with confirmed vendor patch availability.
Remote attackers can access sensitive information in IBM Verify Identity Access Container 11.0-11.0.2, IBM Security Verify Access Container 10.0-10.0.9.1, and their non-containerized counterparts through HTTP request smuggling. The vulnerability exploits inconsistent HTTP request interpretation between the application and its reverse proxy, allowing unauthenticated remote access to restricted data with low attack complexity.
HTTP Request Smuggling in cpp-httplib prior to 0.40.0 allows remote attackers to inject arbitrary HTTP requests on HTTP/1.1 keep-alive connections by embedding malicious request data in the body of GET requests that the static file handler does not consume. The unread body bytes remain on the TCP stream and are interpreted as a new request, enabling information disclosure and request manipulation without authentication or user interaction.
Undertow's improper handling of HTTP requests with leading whitespace in header lines enables remote, unauthenticated request smuggling attacks (CWE-444) against Red Hat middleware and enterprise products. Attackers can exploit this HTTP standard violation to bypass security controls, access restricted data, or poison web caches across a wide deployment base including JBoss EAP 7/8, Red Hat Fuse 7, Data Grid 8, and RHEL 8/9/10 distributions. The CVSS score of 8.7 with changed scope (S:C) and high attack complexity (AC:H) indicates significant impact potential, though no public exploit identified at time of analysis.
Undertow HTTP request smuggling via malformed header terminator allows remote unauthenticated attackers to bypass security controls and manipulate web requests through vulnerable proxies including older Apache Traffic Server and Google Cloud Classic Application Load Balancer. With CVSS 8.7 (High/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N), the vulnerability affects multiple Red Hat product lines including JBoss EAP 7 and 8, Fuse 7, Data Grid 8, and RHEL 8-10 distributions. No public exploit identified at time of analysis, though the attack vector is network-accessible and requires no authentication.
Undertow header parsing discrepancies enable HTTP request smuggling attacks against Red Hat middleware and enterprise platforms, allowing remote unauthenticated attackers to bypass security controls and access unauthorized resources. The vulnerability affects multiple Red Hat products including JBoss Enterprise Application Platform 7 and 8, Data Grid 8, Fuse 7, Single Sign-On 7, and Enterprise Linux 8, 9, and 10 distributions. With a CVSS score of 8.7 and changed scope (S:C), attackers can exploit inconsistent header interpretation between Undertow and upstream proxies to smuggle malicious requests past authentication and authorization mechanisms, achieving high confidentiality and integrity impact without requiring authentication.
CVE-2026-33870 is a security vulnerability (CVSS 7.5). High severity vulnerability requiring prompt remediation.
CVE-2026-29057 is a security vulnerability (CVSS 6.5) that allows request smuggling. Remediation should follow standard vulnerability management procedures. Vendor patch is available.
A critical HTTP Request Smuggling vulnerability exists in Erlang OTP's inets httpd module that allows attackers to desynchronize front-end and back-end servers by exploiting inconsistent Content-Length header parsing. The vulnerability affects Erlang OTP versions from 17.0 through 28.4.0 (inets 5.10 through 9.6.0) and enables attackers to bypass security controls, potentially poisoning web caches or accessing unauthorized resources. While not currently listed in CISA KEV or showing high EPSS scores, the vulnerability has a CVSS 4.0 score of 7.0 and could lead to significant security boundary violations in production environments using affected Erlang-based web services.
HTTP request smuggling in libsoup allows remote attackers to exploit non-compliant chunk header parsing by injecting malformed requests with LF-only line endings instead of proper CRLF formatting. Without requiring authentication, an attacker can cause libsoup to interpret multiple HTTP requests from a single network message, potentially leading to information disclosure. No patch is currently available for this vulnerability.
lighttpd1.4.80 incorrectly merged trailer fields into headers after http request parsing. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This HTTP Request/Response Smuggling vulnerability could allow attackers to manipulate HTTP request interpretation between frontend and backend servers.
Http4s is a Scala interface for HTTP services. Rated medium severity (CVSS 6.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.
An HTTP Request Smuggling [CWE-444] vulnerability in the Authentication portal of WatchGuard Fireware OS allows a remote attacker to evade request parameter sanitation and perform a reflected. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Netty is an asynchronous event-driven network application framework for development of maintainable high performance protocol servers and clients. Rated low severity (CVSS 2.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.
Eventlet is a concurrent networking library for Python. Rated medium severity (CVSS 6.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This HTTP Request/Response Smuggling vulnerability could allow attackers to manipulate HTTP request interpretation between frontend and backend servers.
Akamai Ghost before 2025-07-21 allows HTTP Request Smuggling via an OPTIONS request that has an entity body, because there can be a subsequent request within the persistent connection between an. Rated medium severity (CVSS 4.0), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.
An issue was discovered in Akamai Ghost, as used for the Akamai CDN platform before 2025-03-26. Rated medium severity (CVSS 4.0), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.
EspoCRM is a web application with a frontend designed as a single-page application and a REST API backend written in PHP. Rated medium severity (CVSS 4.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.
Spring Cloud Gateway Server forwards the X-Forwarded-For and Forwarded headers from untrusted proxies. Rated high severity (CVSS 8.6), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
A request smuggling vulnerability identified within Pingora’s proxying framework, pingora-proxy, allows malicious HTTP requests to be injected via manipulated request bodies on cache HITs, leading to. Rated high severity (CVSS 7.4), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.
A flaw in Node.js 20's HTTP parser allows improper termination of HTTP/1 headers using `\r\n\rX` instead of the required `\r\n\r\n`. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
A request smuggling vulnerability existed in the Google Cloud Classic Application Load Balancer due to improper handling of chunked-encoded HTTP requests. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Varnish Cache before 7.6.3 and 7.7 before 7.7.1, and Varnish Enterprise before 6.0.13r14, allow client-side desync via HTTP/1 requests, because the product incorrectly permits CRLF to be skipped to. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.
Radware Cloud Web Application Firewall (WAF) before 2025-05-07 allows remote attackers to bypass firewall filters by placing random data in the HTTP request body when using the HTTP GET method. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
h11 is a Python implementation of HTTP/1.1. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
An issue in OpenResty lua-nginx-module v.0.10.26 and before allows a remote attacker to conduct HTTP request smuggling via a crafted HEAD request. Rated high severity (CVSS 7.7), this vulnerability is remotely exploitable, no authentication required. Public exploit code available and no vendor patch available.
An issue in croogo v.3.0.2 allows an attacker to perform Host header injection via the feed.rss component. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
When using the ch-go library, under a specific condition when the query includes a large, uncompressed malicious external data, it is possible for an attacker in control of such data to smuggle. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable. No vendor patch available.
Apache Traffic Server allows request smuggling if chunked messages are malformed.2.0 through 9.2.9, from 10.0.0 through 10.0.4. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
React Router is a multi-strategy router for React bridging the gap from React 18 to React 19. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Varnish Cache before 7.6.2 and Varnish Enterprise before 6.0.13r10 allow client-side desync via HTTP/1 requests. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.
Gunicorn version 21.2.0 does not properly validate the value of the 'Transfer-Encoding' header as specified in the RFC standards, which leads to the default fallback method of 'Content-Length,'. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
HTTP Request Smuggling vulnerability in netease-youdao/qanything version 1.4.1 allows attackers to exploit inconsistencies in the interpretation of HTTP requests between a proxy and a server. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
In JetBrains Ktor before 3.1.1 an HTTP Request Smuggling was possible. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
A critical HTTP Request/Response Smuggling vulnerability (CWE-444) in ithewei libhv library versions up to 1.3.3 allows attackers to manipulate HTTP request interpretation between frontend and backend servers. With a CVSS 4.0 score of 10.0, this vulnerability requires no authentication or user interaction and can be exploited remotely with low complexity. HTTP smuggling attacks can bypass security controls, poison web caches, hijack user sessions, and enable cross-site scripting, making this particularly dangerous in environments using libhv as a reverse proxy or HTTP server component.
In Perfex Crm < 3.2.1, an authenticated attacker can send a crafted HTTP POST request to the affected upload_sales_file endpoint. Rated medium severity (CVSS 6.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
A flaw was found in OpenShift Service Mesh 2.6.3 and 2.5.6. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Puma is a web server for Ruby/Rack applications built for parallelism. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, no authentication required. This HTTP Request/Response Smuggling vulnerability could allow attackers to manipulate HTTP request interpretation between frontend and backend servers.