Request Smuggling
Monthly
HTTP request smuggling in Eclipse Grizzly before 5.0.2 stems from the framework's inability to correctly parse malformed trailer header lines in chunked HTTP requests, enabling CWE-444 boundary-confusion attacks. Remote unauthenticated attackers who can send crafted chunked requests through a front-end proxy to a GlassFish-backed server can cause the proxy and Grizzly to disagree on request boundaries, smuggling attacker-controlled content as the prefix of a subsequent legitimate user's request. No public exploit code and no CISA KEV listing have been identified at time of analysis, though the CVSS 4.0 AT:P condition signals that specific deployment prerequisites must be met.
Request-response desynchronization in SAP Approuter lets an unauthenticated remote attacker send a specially crafted HTTP request that smuggles a second request past the front end, allowing exposure of other users' HTTP responses and denial of service against the application. The flaw carries a CVSS 9.1 (high confidentiality and availability impact) and was reported by SAP; there is no public exploit identified at time of analysis and it is not listed in CISA KEV.
Authorization bypass in Zalando Skipper (<= v0.26.8) lets remote unauthenticated attackers defeat the opaAuthorizeRequestWithBody OPA filter by sending the request body with HTTP/1.1 Transfer-Encoding: chunked or HTTP/2 framing that omits content-length. Because net/http sets ContentLength = -1 for such requests, Skipper's body extractor buffers an empty body, so Rego policies that gate on input.parsed_body evaluate against an empty document, fail open, and forward the forbidden payload upstream. Publicly available exploit code exists (a full E2E Go PoC is embedded in the GHSA advisory); the flaw is not in CISA KEV and no EPSS score was provided.
HTTP request smuggling in OpenVPN Access Server 2.7.2 through 3.1.0 enables remote unauthenticated attackers to inject or manipulate backend requests when the Access Server is deployed behind a reverse proxy. The server incorrectly accepts bare line-feed (LF-only, without carriage return) characters inside HTTP header values, creating a parsing discrepancy between the front-end proxy and the Access Server backend - the hallmark of CWE-444. No public exploit has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog; however, the CVSS 4.0 score of 6.9 with integrity impact on both the vulnerable and subsequent systems indicates meaningful risk in typical enterprise VPN gateway deployments fronted by load balancers or reverse proxies.
HTTP request smuggling in Ruby's WEBrick HTTP server through v1.9.2 allows remote attackers to desynchronize front-end/back-end request parsing by exploiting how WEBrick reparses a Content-Length value supplied in chunked trailers back into the canonical request state. Any deployment fronting WEBrick with a proxy, load balancer, or CDN that disagrees on message length can have requests smuggled past it, enabling request routing manipulation and information disclosure. Publicly available exploit code exists (SSVC exploitation status: poc), though EPSS remains low at 0.16% and it is not on CISA KEV.
HTTP request smuggling in IBM WebSphere Application Server (traditional 8.5 and 9.0) and WebSphere Liberty (17.0.0.3 through 26.0.0.6) lets remote attackers desynchronize how front-end proxies and the WebSphere back-end parse HTTP request boundaries, enabling request-queue poisoning, security-control bypass, and disclosure of other users' data (tagged Information Disclosure). The CVSS 9.8 vector rates all impacts high, but SSVC records no observed exploitation and EPSS is low (0.34%); no public exploit is identified at time of analysis, and a vendor patch is available. Realistic exploitation depends on WebSphere sitting behind an intermediary that disagrees with it on request framing.
Arbitrary file read in IBM WebSphere Application Server Liberty (17.0.0.3 through 26.0.0.6) lets remote attackers retrieve files from the server host when the restConnector-2.0 administrative REST feature is enabled. The flaw is classed as HTTP request smuggling (CWE-444), meaning inconsistent request parsing lets an attacker coax the server into exposing file contents it should not serve. No public exploit identified at time of analysis, and CISA SSVC records exploitation status as none; EPSS is low at 0.50% (39th percentile).
WAF managed-rule body inspection on AWS Application Load Balancer (ALB) can be bypassed by remote actors who fragment an HTTP/2 request body across multiple frames so that only a partial body is inspected before reaching the backend. The flaw (CWE-444, HTTP request smuggling) affects only ALB target groups serving HTTP/2 traffic with AWS WAF enabled, and lets attackers slip malicious payloads past WAF managed rules. No public exploit identified at time of analysis and it is not on CISA KEV; AWS scores it 7.9 (CVSS 4.0) with impact falling on the protected backend rather than the ALB itself.
WAF inspection bypass in Amazon CloudFront (with AWS WAF enabled) lets remote actors smuggle malicious request bodies past managed rule inspection by fragmenting the HTTP/2 request body across frames so only a partial body is examined. The flaw (CWE-444, request smuggling) defeats the protective security control rather than CloudFront itself, allowing attacks the WAF would normally block to reach the protected origin. AWS remediated it server-side with no customer action required; there is no public exploit identified at time of analysis and it is not listed in CISA KEV.
HTTP request/response smuggling in nghttpx (the reverse proxy component of nghttp2 through 1.69.0) allows unauthenticated remote attackers to poison shared backend keep-alive connections by crafting an HTTP/1.1 Upgrade request that simultaneously carries a Content-Length header and body. When nghttpx forwards this ambiguous message to a backend and re-adds Connection and Upgrade headers while passing Content-Length verbatim, a backend that resolves the parsing ambiguity in the attacker's favor treats the body as a separate, attacker-controlled HTTP request - enabling cross-client response-queue poisoning. A publicly available proof-of-concept exploit exists; no CISA KEV listing at time of analysis.
HTTP request smuggling in Envoy proxy (versions prior to 1.35.11, 1.36.7, 1.37.3, and 1.38.1) lets remote attackers desynchronize HTTP/1 upstream connections by sending an HTTP/3 downstream request that is transport-complete (HEADERS with FIN) yet declares a nonzero Content-Length, leaving the translated HTTP/1 request with unresolved body debt. When the HTTP/1 origin replies before reading the body and keeps the connection reusable, the start of Envoy's next upstream request is consumed as the prior request's body, and the remainder is parsed by the origin as a separate, attacker-controlled request. This was demonstrated as a route-bypass: a directly denied /pwn was served to a second downstream stream as a backend-parsed GET /pwn, with no public exploit identified at time of analysis and no CISA KEV listing.
HTTP request smuggling in IBM WebSphere Application Server 8.5/9.0 and WebSphere Application Server Liberty 17.0.0.3 through 26.0.0.6 allows unauthenticated remote attackers to bypass security controls, spoof identities, escalate privileges, and access sensitive information. IBM has released fixes and SSVC currently rates exploitation as 'none' with EPSS at 0.35% (27th percentile), but the CVSS 9.1 rating and total technical impact warrant prompt patching given the product's enterprise footprint. No public exploit identified at time of analysis.
HTTP/2 request smuggling in PHP Standard Library (PSL) versions 6.1.0, 6.1.1, and 6.2.0 lets remote unauthenticated clients desynchronize stream boundaries in Psl\H2\ServerConnection by sending DATA frame totals that disagree with the declared content-length header. Only applications that consume the low-level H2 server connection directly to accept untrusted traffic are exposed; high-level PSL APIs are unaffected. No public exploit identified at time of analysis, and the maintainers state the issue was found during internal review prior to public exploitation.
HTTP request smuggling in Tinyproxy through 1.11.3 allows remote unauthenticated attackers to desynchronize the proxy and its backend by sending requests with multiple Content-Length headers having differing values. Because Tinyproxy forwards all duplicate Content-Length headers while parsing only the first value, downstream servers may interpret request boundaries differently, enabling cache poisoning, access control bypass, and request hijacking. No public exploit identified at time of analysis, but the underlying primitive is well documented and the upstream commit 364cdb6 clearly demonstrates the parsing flaw.
HTTP request smuggling in Tinyproxy through 1.11.3 lets remote unauthenticated attackers desynchronize the proxy and backend by sending requests carrying both Content-Length and Transfer-Encoding: chunked headers. Tinyproxy forwards both headers verbatim while parsing the body using Content-Length, producing a classic CL.TE desync that enables cache poisoning, access control bypass, and request hijacking against the backend. No public exploit identified at time of analysis, though VulnCheck has published an advisory and the upstream issue/PR describe the bug in detail.
Authentication bypass in Tinyproxy through 1.11.3 lets unauthenticated remote attackers reach the internal statistics page and smuggle transparent-proxy requests by forging or port-manipulating the HTTP Host header, because stathost detection used a brittle strcmp against the configured hostname. The flaw is a CWE-444 request-interpretation inconsistency reported by VulnCheck; no public exploit identified at time of analysis, though the upstream fix (commit 09312a1) and a detailed PR diff are publicly available, making a working PoC trivial to reconstruct.
Authentication bypass in vLLM versions 0.3.0 through 0.21.x allows remote unauthenticated attackers to reach OpenAI-compatible API endpoints without supplying the configured VLLM_API_KEY by injecting URL-special characters into the HTTP Host header. The flaw stems from vLLM's AuthenticationMiddleware reconstructing the request URL via starlette's URL(scope) - which trusts an unsanitized Host value - while FastAPI routing uses the raw HTTP path, producing a mismatch the attacker controls. No public exploit identified at time of analysis, but x41-dsec disclosed full technical details and a vendor-released patch is available in 0.22.0.
HTTP/2-to-HTTP/1.1 request smuggling in swift-nio-http2 (versions prior to 1.44.1) allows unauthenticated remote attackers to inject arbitrary HTTP headers or smuggle entire requests to backend systems in reverse-proxy configurations. The codecs HTTP2FramePayloadToHTTP1ServerCodec and HTTP2ToHTTP1ServerCodec fail to strip CR, LF, or NUL control characters from HTTP/2 pseudo-header values such as :path and :authority before writing them into the HTTP/1.1 output, enabling the binary-safe HTTP/2 layer to act as a covert channel for control characters that become structural delimiters in HTTP/1.1. No public exploit has been identified at time of analysis, but this vulnerability is a direct extension of two prior confirmed CRLF injection flaws in the same library family (GHSA-7fj7-39wj-c64f and GHSA-cq87-8r7h-962v), indicating a recurring pattern that lowers the technical barrier for exploitation.
HTTP request smuggling in Netty's HttpObjectDecoder (netty-codec-http) allows unauthenticated remote attackers to manipulate request-boundary parsing in pipelined or multiplexed deployments by injecting non-CRLF ISO control characters (NUL, SOH, STX, etc.) before the HTTP request-line. Affected are all Netty releases prior to 4.1.135.Final and 4.2.15.Final; both branches have vendor-confirmed patches. No public exploit code has been identified and EPSS is 0.04% (12th percentile), indicating low current exploitation likelihood, though the attack surface expands significantly in architectures fronted by proxies or load balancers that strip or interpret those control bytes differently than Netty does.
HTTP request smuggling in Kong Gateway Enterprise (3.4, 3.10-3.14 series) enables unauthenticated remote attackers to desynchronize the HTTP/1.1 processing pipeline between Kong and its backend services, achieving high confidentiality and integrity impact against downstream systems. The parsing flaw (CWE-444) exploits ambiguous header interpretation to poison backend request queues, allowing cross-user request hijacking or malicious content injection. Proof-of-concept exploit code exists (CVSS 4.0 E:P), and no active exploitation is confirmed in CISA KEV at time of analysis.
Multipart request smuggling in Spring Framework's MVC and WebFlux components exposes applications to HTTP request manipulation via CWE-444. Unauthenticated remote attackers (AV:N/AC:L/PR:N/UI:N per CVSS) can exploit inconsistent multipart boundary parsing to smuggle malformed HTTP requests, achieving low-integrity impact against affected deployments. No public exploit code and no CISA KEV listing have been identified at time of analysis; however, the zero-prerequisite attack profile and broad version coverage across four major Spring branches (5.3.x, 6.1.x, 6.2.x, 7.0.x) make this relevant to any Java shop running Spring MVC or WebFlux with multipart upload handling enabled.
Header injection via parser differential in daphne before 4.2.2 allows unauthenticated remote attackers to smuggle synthetic headers into the ASGI scope received by Django applications during WebSocket handshake processing. The root cause is that Twisted (which daphne uses to parse inbound HTTP) ignores six specific Unicode bytes as line separators, while autobahn (which daphne feeds for WebSocket negotiation) calls Python's str.splitlines() and recognizes them - causing a single header value to be split into multiple injected header lines. No public exploit has been identified at time of analysis, and CVSS scores this at 3.7 (Low) due to high attack complexity, though real-world severity scales with how heavily the downstream application trusts ASGI-scope headers for security decisions.
HTTP/2 request parsing in Vinyl Cache and Varnish Cache enables backend request desync (HTTP request smuggling), exploitable for cache poisoning, authentication bypass, and information disclosure against affected deployments. Vinyl Cache prior to 9.0.1 and Varnish Cache prior to 9.0.3, plus legacy pre-split Varnish Cache branches spanning versions 6.0.14 through 8.0.1, are confirmed affected across three distinct CPE lineages. Exploitation is gated behind an explicitly non-default configuration - HTTP/2 must be enabled via the +http2 feature parameter - which substantially limits exposure; no public exploit code and no CISA KEV listing have been identified at time of analysis.
HTTP response smuggling in the Elixir Mint HTTP client library (versions 0.1.0 through before 1.9.0) allows attacker-controlled upstream servers to desynchronize response framing on shared connections by exploiting a non-RFC-compliant Content-Length parser. Mint's parser accepts sign-prefixed integers such as '+0' or '+123' that RFC 7230 forbids, creating a disagreement with RFC-strict fronting proxies about where one HTTP response body ends and the next begins. When Mint reuses connections via keep-alive, pipelining, or pooling across trust boundaries, this parser mismatch can be weaponized to leak bytes from one requester's response into another's stream. No public exploit code has been identified at time of analysis, and no KEV listing exists; a vendor patch (v1.9.0) is available.
HTTP request smuggling in libsoup allows remote unauthenticated attackers to exploit an unsigned-to-signed integer conversion error in the `soup_body_input_stream_read_chunked()` function via a crafted HTTP request. The vulnerability is confined to specific proxy topologies where libsoup operates either behind or in front of a non-libsoup HTTP intermediary, and successful exploitation can result in authentication bypass, web cache poisoning, or unauthorized access. No public exploit has been identified at time of analysis and this CVE is not listed in CISA KEV, but the integrity and confidentiality impacts warrant urgent attention in any affected mixed-proxy deployment.
Path prefix stripping in Hono's app.mount() API exposes mounted sub-applications to incorrect routing due to a raw-vs-decoded URL path inconsistency, potentially allowing unauthenticated remote attackers to reach unintended endpoints and disclose protected information. All Hono versions prior to 4.12.21 are affected across every supported JavaScript runtime. No public exploit or CISA KEV listing exists at time of analysis; however, the CVSS vector AV:N/AC:L/PR:N/UI:N and the 'Information Disclosure / Request Smuggling' classification make this a meaningful priority for any deployment that relies on mount-prefix path logic for access segregation.
Host header injection in Starlette prior to version 1.0.1 allows unauthenticated remote attackers to cause `request.url.path` to differ from the actual ASGI scope path used for routing, enabling bypass of middleware and endpoint security controls that rely on `request.url` rather than the raw scope. Any application enforcing path-based ACLs, authentication gates, or WAF-style filters through `request.url` is affected, as a crafted Host header can make the URL appear to address a permitted path while the real route differs. This issue carries CVSS 6.5 (AV:N/AC:L/PR:N/UI:N); no public exploit has been identified at time of analysis and it is not listed in CISA KEV.
Remote code execution and denial of service in IBM Web Server Plug-ins for WebSphere Application Server and WebSphere Liberty 8.5 and 9.0 stem from improper input validation (CWE-444 HTTP Request Smuggling). Unauthenticated network attackers can send crafted requests that desynchronize the plug-in's request parsing, potentially achieving full compromise of the application tier. No public exploit identified at time of analysis, and EPSS remains low (0.06%), but the vendor confirms a patch and CISA SSVC rates the technical impact as total with automatable exploitation.
HTTP request smuggling in IBM Web Server Plug-ins for WebSphere Application Server and WebSphere Liberty 8.5 and 9.0 allows remote unauthenticated attackers to send specially crafted requests that desynchronize front-end and back-end HTTP parsing. Successful exploitation enables cache poisoning, security control bypass, and limited disclosure or modification of data passing through the plug-in, with a CVSS 7.5 reflecting a Changed scope and high confidentiality impact. There is no public exploit identified at time of analysis, EPSS is low at 0.05% (15th percentile), and CISA SSVC marks exploitation status as none.
HTTP request smuggling in Netty's HttpRequestDecoder allows remote unauthenticated attackers to inject arbitrary HTTP requests by sending malformed Transfer-Encoding headers (specifically 'Transfer-Encoding: chunked, identity'). When Netty is deployed behind a proxy that forwards such requests without rejection, an attacker can smuggle a second request inside the body of the first, bypassing security controls and accessing unintended resources. The vulnerability is confirmed by public proof-of-concept code demonstrating successful parsing of injected requests.
HTTP response desynchronization in Netty's HttpClientCodec (netty-codec-http 4.1.x through 4.1.132.Final and 4.2.0.Alpha1 through 4.2.12.Final) lets a malicious or misbehaving server cause one request's response body to be parsed as another's. Because the codec polls its request queue once per inbound response — including for informational 1xx — a pipelined GET+HEAD sequence preceded by a 103 mispairs the HEAD with the GET's 200, leaving GET entity bytes on the wire so the following response is parsed from the wrong offset. Rated CVSS 9.1 (I:H/A:H), publicly available exploit code exists (a vendor PoC ships in the advisory), though EPSS is very low (0.04%) and it is not on CISA KEV.
HTTP request smuggling in Netty's netty-codec-http (HttpObjectDecoder) lets remote attackers desynchronize message boundaries by sending an HTTP/1.0 request carrying both Transfer-Encoding: chunked and Content-Length. Netty's anti-smuggling sanitization that strips the conflicting Content-Length header only runs for HTTP/1.1, so on HTTP/1.0 Netty parses the body as chunked while leaving Content-Length intact for any downstream Content-Length-first proxy, which then treats trailing chunk bytes as a new request. Publicly available exploit code exists (a working EmbeddedChannel PoC test), but EPSS is very low (0.03%, 8th percentile) and it is not in CISA KEV.
HTTP request smuggling in Netty's chunk size parser allows remote unauthenticated attackers to inject arbitrary HTTP requests by exploiting integer overflow in the hexadecimal chunk size parsing logic. The HttpObjectDecoder.getChunkSize method accumulates the chunk size without proper overflow validation, enabling an attacker to craft a malicious chunk size header that wraps around to a valid size, causing Netty to misinterpret the request boundary and parse injected requests as separate legitimate requests. Publicly available proof-of-concept demonstrates successful parsing of an injected GET request within a chunked POST body, with CVSS score 6.5 (network-accessible, low complexity, no authentication required).
HTTP Request Smuggling in Gazelle (Perl web server) versions through 0.49 enables attackers to smuggle malicious requests through reverse proxies by exploiting incorrect header precedence. Gazelle violates RFC 7230 by prioritizing Content-Length over Transfer-Encoding: chunked when both headers are present, allowing desynchronization between front-end proxies and the backend server. SSVC framework indicates the vulnerability is automatable with partial technical impact, while CVSS 7.5 reflects network-accessible unauthenticated exploitation with high integrity impact. A vendor patch is available via CPANSec.
HTTP request smuggling in Starlet through version 0.31 allows remote unauthenticated attackers to bypass header validation by exploiting incorrect precedence of Content-Length over Transfer-Encoding headers. The vulnerability violates RFC 7230 section 3.3.3, which mandates that Transfer-Encoding must take precedence when both headers are present. An attacker positioned between a client and Starlet-based backend can craft malicious requests that are interpreted differently by a front-end reverse proxy and the Starlet server, enabling request smuggling attacks with integrity impact.
HTTP request smuggling in mtrudel bandit before version 1.11.0 allows unauthenticated attackers to bypass edge security controls when the application sits behind a proxy that interprets duplicate Content-Length headers differently. The vulnerability stems from Bandit accepting only the first Content-Length header while proxies may use the last value, causing request framing desynchronization that enables smuggling past WAF rules, path-based ACLs, rate limiting, and audit logging. CVSS 6.3 (AV:N/AC:L/AT:P) indicates network-accessible exploitation with some attack timing complexity; no public exploit code or active KEV listing identified at analysis time, but RFC 9112 non-compliance creates a known attack pattern.
Starman versions before 0.4018 for Perl allows HTTP Request Smuggling via Improper Header Precedence. Starman incorrectly prioritizes "Content-Length" over "Transfer-Encoding: chunked" when both headers are present in an HTTP request. Per RFC 7230 3.3.3, Transfer-Encoding must take precedence. An attacker could exploit this to smuggle malicious HTTP requests via a front-end reverse proxy.
HTTP request smuggling in Apache Pony Mail (Lua implementation) enables remote unauthenticated attackers to achieve complete admin account takeover with critical impact across confidentiality, integrity, and availability. This affects all versions of the retired Lua codebase - Apache has abandoned support with no patch planned, recommending migration to alternative solutions. CVSS 9.8 critical severity reflects trivial network-based exploitation requiring no authentication or user interaction.
A request smuggling vulnerability exists in libsoup's HTTP/1 header parsing logic. The soup_message_headers_append_common() function in libsoup/soup-message-headers.c unconditionally appends each header value without validating for duplicate or conflicting Content-Length fields. This allows an attacker to send HTTP requests containing multiple Content-Length headers with differing values.
HTTP request smuggling in HCL BigFix Service Management allows remote unauthenticated attackers to exploit HTTP parsing inconsistencies between front-end and back-end servers, potentially leading to limited information disclosure through cache poisoning or request hijacking attacks. The vulnerability has a CVSS score of 3.7 with low confidentiality impact but no direct availability or integrity impact.
HTTP request smuggling in Eclipse Jetty's HTTP/1.1 parser lets remote unauthenticated attackers desynchronize front-end/back-end request boundaries by abusing quoted-string chunk extensions. Jetty incorrectly terminates chunk-extension parsing at a CRLF located inside an unterminated quoted-string (e.g. `1;a="`) rather than rejecting it, so attacker-controlled bytes are reinterpreted as a second, smuggled request on the same TCP connection. Publicly available exploit code exists (a working Python PoC ships in the GHSA advisory), though EPSS is very low (0.03%, 9th percentile) and the issue is not on CISA KEV.
HTTP request smuggling in Apache Tomcat 7.x through 11.x permits unauthenticated remote attackers to manipulate request routing and bypass security controls via malformed chunk extension processing. Exploitation enables header injection, cache poisoning, and request routing manipulation without code execution. Affects Tomcat 7.0.0-7.0.109, 8.5.0-8.5.100, 9.0.0.M1-9.0.115, 10.1.0-M1-10.1.52, and 11.0.0-M1-11.0.18. No public exploit identified at time of analysis. Low observed exploitation activity (EPSS 0.02%).
HTTP request smuggling and denial of service in Tinyproxy through 1.11.3 allows unauthenticated remote attackers to cause backend worker exhaustion and bypass request inspection controls. The vulnerability stems from case-sensitive Transfer-Encoding header parsing that violates RFC 7230, enabling attackers to send 'Transfer-Encoding: Chunked' (capitalized) to desynchronize Tinyproxy's request state from RFC-compliant backends like Node.js and Nginx. No public exploit identified at time of analysis, though EPSS data not available and technical details are publicly documented in GitHub issue #604. Authentication requirements not confirmed from available data, but CVSS vector indicates network-accessible attack requiring no privileges.
Apache Traffic Server versions 9.0.0-9.2.12 and 10.0.0-10.1.1 are vulnerable to HTTP request smuggling through malformed chunked transfer encoding, allowing attackers to bypass security controls and smuggle malicious requests. The vulnerability stems from improper parsing of chunked messages (CWE-444: Inconsistent Interpretation of HTTP Requests) and affects all deployments using these versions as reverse proxies or intermediaries. Apache has released patched versions 9.2.13 and 10.1.2; no public exploit code or active exploitation has been reported at the time of analysis.
IBM Verify Identity Access and Security Verify Access versions 10.0 through 10.0.9.1 and 11.0 through 11.0.2 allow unauthenticated remote attackers to access sensitive information through HTTP request smuggling via inconsistent interpretation of HTTP requests by a reverse proxy. The vulnerability affects both container and non-container deployments and has a CVSS score of 5.3 with confirmed vendor patch availability.
Remote attackers can access sensitive information in IBM Verify Identity Access Container 11.0-11.0.2, IBM Security Verify Access Container 10.0-10.0.9.1, and their non-containerized counterparts through HTTP request smuggling. The vulnerability exploits inconsistent HTTP request interpretation between the application and its reverse proxy, allowing unauthenticated remote access to restricted data with low attack complexity.
HTTP Request Smuggling in cpp-httplib prior to 0.40.0 allows remote attackers to inject arbitrary HTTP requests on HTTP/1.1 keep-alive connections by embedding malicious request data in the body of GET requests that the static file handler does not consume. The unread body bytes remain on the TCP stream and are interpreted as a new request, enabling information disclosure and request manipulation without authentication or user interaction.
HTTP request smuggling in Undertow (the embedded web server underpinning JBoss EAP, Red Hat Data Grid, and Apache Camel for Spring Boot) allows remote unauthenticated attackers to bypass front-end security controls by prepending whitespace to header lines. Undertow strips leading spaces from the first header line in violation of RFC 7230, creating a parser discrepancy between upstream proxies and the application server. No public exploit identified at time of analysis, and EPSS sits at 0.13% (32nd percentile), but the CVSS 9.1 and broad Red Hat middleware exposure make this a high-value target for chained attacks.
HTTP request smuggling in Undertow allows remote unauthenticated attackers to send `\r\r\r` as a header block terminator, which can desynchronize parsing when Undertow sits behind specific intermediaries such as older Apache Traffic Server or Google Cloud Classic Application Load Balancer. The flaw affects numerous Red Hat distributions of Undertow (JBoss EAP 7/8, Data Grid 8, Fuse 7, Camel for Spring Boot 4, RHEL 8/9/10) and carries a CVSS 9.1, though EPSS is only 0.04% and there is no public exploit identified at time of analysis.
HTTP request smuggling in Red Hat Undertow allows remote unauthenticated attackers to bypass front-end security controls by exploiting parsing discrepancies between Undertow and upstream proxies when handling crafted header names. The flaw (CWE-444) affects Undertow embedded in multiple Red Hat products including JBoss EAP 7/8, Data Grid 8, Fuse 7, and Apache Camel for Spring Boot 4, with Red Hat issuing patches via RHSA-2026:25125 and RHSA-2026:25126. There is no public exploit identified at time of analysis and EPSS is low (0.10%), but CVSS 9.1 and SSVC 'total' technical impact warrant prompt patching of internet-facing deployments.
CVE-2026-33870 is a security vulnerability (CVSS 7.5). High severity vulnerability requiring prompt remediation.
An HTTP Request/Response Smuggling vulnerability exists in visualfc liteide due to inconsistent interpretation of HTTP requests in the HTTP parser component (http_parser.C), classified under CWE-444. This affects liteide versions before x38.4, allowing attackers to exploit the qjsonrpc HTTP parser module to smuggle malicious requests. An attacker could leverage this vulnerability to perform request smuggling attacks, potentially leading to cache poisoning, session hijacking, or information disclosure depending on the deployment context and HTTP intermediaries involved.
CVE-2026-29057 is a security vulnerability (CVSS 6.5) that allows request smuggling. Remediation should follow standard vulnerability management procedures. Vendor patch is available.
A critical HTTP Request Smuggling vulnerability exists in Erlang OTP's inets httpd module that allows attackers to desynchronize front-end and back-end servers by exploiting inconsistent Content-Length header parsing. The vulnerability affects Erlang OTP versions from 17.0 through 28.4.0 (inets 5.10 through 9.6.0) and enables attackers to bypass security controls, potentially poisoning web caches or accessing unauthorized resources. While not currently listed in CISA KEV or showing high EPSS scores, the vulnerability has a CVSS 4.0 score of 7.0 and could lead to significant security boundary violations in production environments using affected Erlang-based web services.
Cisco Secure Firewall ASA and FTD devices with VPN web services enabled are vulnerable to cross-site request forgery (CSRF) attacks due to insufficient HTTP request validation. An attacker can trick users into visiting a malicious website that sends crafted requests to the affected appliance, potentially allowing injection of malicious content reflected back to the victim's browser. No patch is currently available for this vulnerability.
An inconsistent interpretation of http requests ('http request smuggling') vulnerability in Fortinet FortiOS 7.6.0, FortiOS 7.4.0 through 7.4.9, FortiOS 7.2 all versions, FortiOS 7.0 all versions, FortiOS 6.4.3 through 6.4.16 may allow an unauthenticated attacker to smuggle an unlogged http request through the firewall policies via a specially crafted header [CVSS 5.8 MEDIUM]
HTTP request smuggling in libsoup allows remote attackers to exploit non-compliant chunk header parsing by injecting malformed requests with LF-only line endings instead of proper CRLF formatting. Without requiring authentication, an attacker can cause libsoup to interpret multiple HTTP requests from a single network message, potentially leading to information disclosure. No patch is currently available for this vulnerability.
HTTP request smuggling in H3 framework versions before 1.15.5 allows remote attackers to bypass security controls by exploiting improper case-sensitive validation of the Transfer-Encoding header. The vulnerability enables attackers to inject malicious requests that diverge between client and server parsing, potentially leading to cache poisoning, session hijacking, or other attacks. Public exploit code exists for this vulnerability.
HTTP request smuggling in libsoup, GNOME's HTTP client/server library, lets remote unauthenticated attackers exploit inconsistent Host header parsing: libsoup accepts multiple Host: headers and processes the last occurrence, while common front-end proxies honor the first. Supplying duplicate Host headers creates a proxy/backend mismatch enabling vhost confusion, request smuggling, cache poisoning, and bypass of host-based access controls. No public exploit is identified at time of analysis and it is not listed in CISA KEV, but Red Hat has shipped fixes across numerous products (15 RHSA errata).
lighttpd1.4.80 incorrectly merged trailer fields into headers after http request parsing. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This HTTP Request/Response Smuggling vulnerability could allow attackers to manipulate HTTP request interpretation between frontend and backend servers.
Http4s is a Scala interface for HTTP services. Rated medium severity (CVSS 6.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.
An HTTP Request Smuggling [CWE-444] vulnerability in the Authentication portal of WatchGuard Fireware OS allows a remote attacker to evade request parameter sanitation and perform a reflected. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Netty is an asynchronous event-driven network application framework for development of maintainable high performance protocol servers and clients. Rated low severity (CVSS 2.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.
Eventlet is a concurrent networking library for Python. Rated medium severity (CVSS 6.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This HTTP Request/Response Smuggling vulnerability could allow attackers to manipulate HTTP request interpretation between frontend and backend servers.
Akamai Ghost before 2025-07-21 allows HTTP Request Smuggling via an OPTIONS request that has an entity body, because there can be a subsequent request within the persistent connection between an. Rated medium severity (CVSS 4.0), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.
An issue was discovered in Akamai Ghost, as used for the Akamai CDN platform before 2025-03-26. Rated medium severity (CVSS 4.0), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.
EspoCRM is a web application with a frontend designed as a single-page application and a REST API backend written in PHP. Rated medium severity (CVSS 4.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.
Spring Cloud Gateway Server forwards the X-Forwarded-For and Forwarded headers from untrusted proxies. Rated high severity (CVSS 8.6), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
A request smuggling vulnerability identified within Pingora’s proxying framework, pingora-proxy, allows malicious HTTP requests to be injected via manipulated request bodies on cache HITs, leading to. Rated high severity (CVSS 7.4), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.
A flaw in Node.js 20's HTTP parser allows improper termination of HTTP/1 headers using `\r\n\rX` instead of the required `\r\n\r\n`. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
A request smuggling vulnerability existed in the Google Cloud Classic Application Load Balancer due to improper handling of chunked-encoded HTTP requests. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Varnish Cache before 7.6.3 and 7.7 before 7.7.1, and Varnish Enterprise before 6.0.13r14, allow client-side desync via HTTP/1 requests, because the product incorrectly permits CRLF to be skipped to. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.
Radware Cloud Web Application Firewall (WAF) before 2025-05-07 allows remote attackers to bypass firewall filters by placing random data in the HTTP request body when using the HTTP GET method. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
h11 is a Python implementation of HTTP/1.1. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
An issue in OpenResty lua-nginx-module v.0.10.26 and before allows a remote attacker to conduct HTTP request smuggling via a crafted HEAD request. Rated high severity (CVSS 7.7), this vulnerability is remotely exploitable, no authentication required. Public exploit code available and no vendor patch available.
An issue in croogo v.3.0.2 allows an attacker to perform Host header injection via the feed.rss component. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
When using the ch-go library, under a specific condition when the query includes a large, uncompressed malicious external data, it is possible for an attacker in control of such data to smuggle. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable. No vendor patch available.
Apache Traffic Server allows request smuggling if chunked messages are malformed.2.0 through 9.2.9, from 10.0.0 through 10.0.4. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
React Router is a multi-strategy router for React bridging the gap from React 18 to React 19. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
IBM Cognos Controller 11.0.0 through 11.1.0 is vulnerable to a Client-Side Desync (CSD) attack where an attacker could exploit a desynchronized browser connection that could lead to further. Rated medium severity (CVSS 4.7), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.
Varnish Cache before 7.6.2 and Varnish Enterprise before 6.0.13r10 allow client-side desync via HTTP/1 requests. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.
Gunicorn version 21.2.0 does not properly validate the value of the 'Transfer-Encoding' header as specified in the RFC standards, which leads to the default fallback method of 'Content-Length,'. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
HTTP Request Smuggling vulnerability in netease-youdao/qanything version 1.4.1 allows attackers to exploit inconsistencies in the interpretation of HTTP requests between a proxy and a server. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
In JetBrains Ktor before 3.1.1 an HTTP Request Smuggling was possible. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
A critical HTTP Request/Response Smuggling vulnerability (CWE-444) in ithewei libhv library versions up to 1.3.3 allows attackers to manipulate HTTP request interpretation between frontend and backend servers. With a CVSS 4.0 score of 10.0, this vulnerability requires no authentication or user interaction and can be exploited remotely with low complexity. HTTP smuggling attacks can bypass security controls, poison web caches, hijack user sessions, and enable cross-site scripting, making this particularly dangerous in environments using libhv as a reverse proxy or HTTP server component.
In Perfex Crm < 3.2.1, an authenticated attacker can send a crafted HTTP POST request to the affected upload_sales_file endpoint. Rated medium severity (CVSS 6.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
A flaw was found in OpenShift Service Mesh 2.6.3 and 2.5.6. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
A flaw was found in Quarkus-HTTP, which incorrectly parses cookies with certain value-delimiting characters in incoming requests. Rated high severity (CVSS 7.4), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.
Inconsistent interpretation of HTTP requests ('HTTP Request/Response Smuggling') issue exists in HAProxy. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
A vulnerability was found in the Keycloak Server. Rated medium severity (CVSS 4.7). No vendor patch available.
HTTP request smuggling in Eclipse Grizzly before 5.0.2 stems from the framework's inability to correctly parse malformed trailer header lines in chunked HTTP requests, enabling CWE-444 boundary-confusion attacks. Remote unauthenticated attackers who can send crafted chunked requests through a front-end proxy to a GlassFish-backed server can cause the proxy and Grizzly to disagree on request boundaries, smuggling attacker-controlled content as the prefix of a subsequent legitimate user's request. No public exploit code and no CISA KEV listing have been identified at time of analysis, though the CVSS 4.0 AT:P condition signals that specific deployment prerequisites must be met.
Request-response desynchronization in SAP Approuter lets an unauthenticated remote attacker send a specially crafted HTTP request that smuggles a second request past the front end, allowing exposure of other users' HTTP responses and denial of service against the application. The flaw carries a CVSS 9.1 (high confidentiality and availability impact) and was reported by SAP; there is no public exploit identified at time of analysis and it is not listed in CISA KEV.
Authorization bypass in Zalando Skipper (<= v0.26.8) lets remote unauthenticated attackers defeat the opaAuthorizeRequestWithBody OPA filter by sending the request body with HTTP/1.1 Transfer-Encoding: chunked or HTTP/2 framing that omits content-length. Because net/http sets ContentLength = -1 for such requests, Skipper's body extractor buffers an empty body, so Rego policies that gate on input.parsed_body evaluate against an empty document, fail open, and forward the forbidden payload upstream. Publicly available exploit code exists (a full E2E Go PoC is embedded in the GHSA advisory); the flaw is not in CISA KEV and no EPSS score was provided.
HTTP request smuggling in OpenVPN Access Server 2.7.2 through 3.1.0 enables remote unauthenticated attackers to inject or manipulate backend requests when the Access Server is deployed behind a reverse proxy. The server incorrectly accepts bare line-feed (LF-only, without carriage return) characters inside HTTP header values, creating a parsing discrepancy between the front-end proxy and the Access Server backend - the hallmark of CWE-444. No public exploit has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog; however, the CVSS 4.0 score of 6.9 with integrity impact on both the vulnerable and subsequent systems indicates meaningful risk in typical enterprise VPN gateway deployments fronted by load balancers or reverse proxies.
HTTP request smuggling in Ruby's WEBrick HTTP server through v1.9.2 allows remote attackers to desynchronize front-end/back-end request parsing by exploiting how WEBrick reparses a Content-Length value supplied in chunked trailers back into the canonical request state. Any deployment fronting WEBrick with a proxy, load balancer, or CDN that disagrees on message length can have requests smuggled past it, enabling request routing manipulation and information disclosure. Publicly available exploit code exists (SSVC exploitation status: poc), though EPSS remains low at 0.16% and it is not on CISA KEV.
HTTP request smuggling in IBM WebSphere Application Server (traditional 8.5 and 9.0) and WebSphere Liberty (17.0.0.3 through 26.0.0.6) lets remote attackers desynchronize how front-end proxies and the WebSphere back-end parse HTTP request boundaries, enabling request-queue poisoning, security-control bypass, and disclosure of other users' data (tagged Information Disclosure). The CVSS 9.8 vector rates all impacts high, but SSVC records no observed exploitation and EPSS is low (0.34%); no public exploit is identified at time of analysis, and a vendor patch is available. Realistic exploitation depends on WebSphere sitting behind an intermediary that disagrees with it on request framing.
Arbitrary file read in IBM WebSphere Application Server Liberty (17.0.0.3 through 26.0.0.6) lets remote attackers retrieve files from the server host when the restConnector-2.0 administrative REST feature is enabled. The flaw is classed as HTTP request smuggling (CWE-444), meaning inconsistent request parsing lets an attacker coax the server into exposing file contents it should not serve. No public exploit identified at time of analysis, and CISA SSVC records exploitation status as none; EPSS is low at 0.50% (39th percentile).
WAF managed-rule body inspection on AWS Application Load Balancer (ALB) can be bypassed by remote actors who fragment an HTTP/2 request body across multiple frames so that only a partial body is inspected before reaching the backend. The flaw (CWE-444, HTTP request smuggling) affects only ALB target groups serving HTTP/2 traffic with AWS WAF enabled, and lets attackers slip malicious payloads past WAF managed rules. No public exploit identified at time of analysis and it is not on CISA KEV; AWS scores it 7.9 (CVSS 4.0) with impact falling on the protected backend rather than the ALB itself.
WAF inspection bypass in Amazon CloudFront (with AWS WAF enabled) lets remote actors smuggle malicious request bodies past managed rule inspection by fragmenting the HTTP/2 request body across frames so only a partial body is examined. The flaw (CWE-444, request smuggling) defeats the protective security control rather than CloudFront itself, allowing attacks the WAF would normally block to reach the protected origin. AWS remediated it server-side with no customer action required; there is no public exploit identified at time of analysis and it is not listed in CISA KEV.
HTTP request/response smuggling in nghttpx (the reverse proxy component of nghttp2 through 1.69.0) allows unauthenticated remote attackers to poison shared backend keep-alive connections by crafting an HTTP/1.1 Upgrade request that simultaneously carries a Content-Length header and body. When nghttpx forwards this ambiguous message to a backend and re-adds Connection and Upgrade headers while passing Content-Length verbatim, a backend that resolves the parsing ambiguity in the attacker's favor treats the body as a separate, attacker-controlled HTTP request - enabling cross-client response-queue poisoning. A publicly available proof-of-concept exploit exists; no CISA KEV listing at time of analysis.
HTTP request smuggling in Envoy proxy (versions prior to 1.35.11, 1.36.7, 1.37.3, and 1.38.1) lets remote attackers desynchronize HTTP/1 upstream connections by sending an HTTP/3 downstream request that is transport-complete (HEADERS with FIN) yet declares a nonzero Content-Length, leaving the translated HTTP/1 request with unresolved body debt. When the HTTP/1 origin replies before reading the body and keeps the connection reusable, the start of Envoy's next upstream request is consumed as the prior request's body, and the remainder is parsed by the origin as a separate, attacker-controlled request. This was demonstrated as a route-bypass: a directly denied /pwn was served to a second downstream stream as a backend-parsed GET /pwn, with no public exploit identified at time of analysis and no CISA KEV listing.
HTTP request smuggling in IBM WebSphere Application Server 8.5/9.0 and WebSphere Application Server Liberty 17.0.0.3 through 26.0.0.6 allows unauthenticated remote attackers to bypass security controls, spoof identities, escalate privileges, and access sensitive information. IBM has released fixes and SSVC currently rates exploitation as 'none' with EPSS at 0.35% (27th percentile), but the CVSS 9.1 rating and total technical impact warrant prompt patching given the product's enterprise footprint. No public exploit identified at time of analysis.
HTTP/2 request smuggling in PHP Standard Library (PSL) versions 6.1.0, 6.1.1, and 6.2.0 lets remote unauthenticated clients desynchronize stream boundaries in Psl\H2\ServerConnection by sending DATA frame totals that disagree with the declared content-length header. Only applications that consume the low-level H2 server connection directly to accept untrusted traffic are exposed; high-level PSL APIs are unaffected. No public exploit identified at time of analysis, and the maintainers state the issue was found during internal review prior to public exploitation.
HTTP request smuggling in Tinyproxy through 1.11.3 allows remote unauthenticated attackers to desynchronize the proxy and its backend by sending requests with multiple Content-Length headers having differing values. Because Tinyproxy forwards all duplicate Content-Length headers while parsing only the first value, downstream servers may interpret request boundaries differently, enabling cache poisoning, access control bypass, and request hijacking. No public exploit identified at time of analysis, but the underlying primitive is well documented and the upstream commit 364cdb6 clearly demonstrates the parsing flaw.
HTTP request smuggling in Tinyproxy through 1.11.3 lets remote unauthenticated attackers desynchronize the proxy and backend by sending requests carrying both Content-Length and Transfer-Encoding: chunked headers. Tinyproxy forwards both headers verbatim while parsing the body using Content-Length, producing a classic CL.TE desync that enables cache poisoning, access control bypass, and request hijacking against the backend. No public exploit identified at time of analysis, though VulnCheck has published an advisory and the upstream issue/PR describe the bug in detail.
Authentication bypass in Tinyproxy through 1.11.3 lets unauthenticated remote attackers reach the internal statistics page and smuggle transparent-proxy requests by forging or port-manipulating the HTTP Host header, because stathost detection used a brittle strcmp against the configured hostname. The flaw is a CWE-444 request-interpretation inconsistency reported by VulnCheck; no public exploit identified at time of analysis, though the upstream fix (commit 09312a1) and a detailed PR diff are publicly available, making a working PoC trivial to reconstruct.
Authentication bypass in vLLM versions 0.3.0 through 0.21.x allows remote unauthenticated attackers to reach OpenAI-compatible API endpoints without supplying the configured VLLM_API_KEY by injecting URL-special characters into the HTTP Host header. The flaw stems from vLLM's AuthenticationMiddleware reconstructing the request URL via starlette's URL(scope) - which trusts an unsanitized Host value - while FastAPI routing uses the raw HTTP path, producing a mismatch the attacker controls. No public exploit identified at time of analysis, but x41-dsec disclosed full technical details and a vendor-released patch is available in 0.22.0.
HTTP/2-to-HTTP/1.1 request smuggling in swift-nio-http2 (versions prior to 1.44.1) allows unauthenticated remote attackers to inject arbitrary HTTP headers or smuggle entire requests to backend systems in reverse-proxy configurations. The codecs HTTP2FramePayloadToHTTP1ServerCodec and HTTP2ToHTTP1ServerCodec fail to strip CR, LF, or NUL control characters from HTTP/2 pseudo-header values such as :path and :authority before writing them into the HTTP/1.1 output, enabling the binary-safe HTTP/2 layer to act as a covert channel for control characters that become structural delimiters in HTTP/1.1. No public exploit has been identified at time of analysis, but this vulnerability is a direct extension of two prior confirmed CRLF injection flaws in the same library family (GHSA-7fj7-39wj-c64f and GHSA-cq87-8r7h-962v), indicating a recurring pattern that lowers the technical barrier for exploitation.
HTTP request smuggling in Netty's HttpObjectDecoder (netty-codec-http) allows unauthenticated remote attackers to manipulate request-boundary parsing in pipelined or multiplexed deployments by injecting non-CRLF ISO control characters (NUL, SOH, STX, etc.) before the HTTP request-line. Affected are all Netty releases prior to 4.1.135.Final and 4.2.15.Final; both branches have vendor-confirmed patches. No public exploit code has been identified and EPSS is 0.04% (12th percentile), indicating low current exploitation likelihood, though the attack surface expands significantly in architectures fronted by proxies or load balancers that strip or interpret those control bytes differently than Netty does.
HTTP request smuggling in Kong Gateway Enterprise (3.4, 3.10-3.14 series) enables unauthenticated remote attackers to desynchronize the HTTP/1.1 processing pipeline between Kong and its backend services, achieving high confidentiality and integrity impact against downstream systems. The parsing flaw (CWE-444) exploits ambiguous header interpretation to poison backend request queues, allowing cross-user request hijacking or malicious content injection. Proof-of-concept exploit code exists (CVSS 4.0 E:P), and no active exploitation is confirmed in CISA KEV at time of analysis.
Multipart request smuggling in Spring Framework's MVC and WebFlux components exposes applications to HTTP request manipulation via CWE-444. Unauthenticated remote attackers (AV:N/AC:L/PR:N/UI:N per CVSS) can exploit inconsistent multipart boundary parsing to smuggle malformed HTTP requests, achieving low-integrity impact against affected deployments. No public exploit code and no CISA KEV listing have been identified at time of analysis; however, the zero-prerequisite attack profile and broad version coverage across four major Spring branches (5.3.x, 6.1.x, 6.2.x, 7.0.x) make this relevant to any Java shop running Spring MVC or WebFlux with multipart upload handling enabled.
Header injection via parser differential in daphne before 4.2.2 allows unauthenticated remote attackers to smuggle synthetic headers into the ASGI scope received by Django applications during WebSocket handshake processing. The root cause is that Twisted (which daphne uses to parse inbound HTTP) ignores six specific Unicode bytes as line separators, while autobahn (which daphne feeds for WebSocket negotiation) calls Python's str.splitlines() and recognizes them - causing a single header value to be split into multiple injected header lines. No public exploit has been identified at time of analysis, and CVSS scores this at 3.7 (Low) due to high attack complexity, though real-world severity scales with how heavily the downstream application trusts ASGI-scope headers for security decisions.
HTTP/2 request parsing in Vinyl Cache and Varnish Cache enables backend request desync (HTTP request smuggling), exploitable for cache poisoning, authentication bypass, and information disclosure against affected deployments. Vinyl Cache prior to 9.0.1 and Varnish Cache prior to 9.0.3, plus legacy pre-split Varnish Cache branches spanning versions 6.0.14 through 8.0.1, are confirmed affected across three distinct CPE lineages. Exploitation is gated behind an explicitly non-default configuration - HTTP/2 must be enabled via the +http2 feature parameter - which substantially limits exposure; no public exploit code and no CISA KEV listing have been identified at time of analysis.
HTTP response smuggling in the Elixir Mint HTTP client library (versions 0.1.0 through before 1.9.0) allows attacker-controlled upstream servers to desynchronize response framing on shared connections by exploiting a non-RFC-compliant Content-Length parser. Mint's parser accepts sign-prefixed integers such as '+0' or '+123' that RFC 7230 forbids, creating a disagreement with RFC-strict fronting proxies about where one HTTP response body ends and the next begins. When Mint reuses connections via keep-alive, pipelining, or pooling across trust boundaries, this parser mismatch can be weaponized to leak bytes from one requester's response into another's stream. No public exploit code has been identified at time of analysis, and no KEV listing exists; a vendor patch (v1.9.0) is available.
HTTP request smuggling in libsoup allows remote unauthenticated attackers to exploit an unsigned-to-signed integer conversion error in the `soup_body_input_stream_read_chunked()` function via a crafted HTTP request. The vulnerability is confined to specific proxy topologies where libsoup operates either behind or in front of a non-libsoup HTTP intermediary, and successful exploitation can result in authentication bypass, web cache poisoning, or unauthorized access. No public exploit has been identified at time of analysis and this CVE is not listed in CISA KEV, but the integrity and confidentiality impacts warrant urgent attention in any affected mixed-proxy deployment.
Path prefix stripping in Hono's app.mount() API exposes mounted sub-applications to incorrect routing due to a raw-vs-decoded URL path inconsistency, potentially allowing unauthenticated remote attackers to reach unintended endpoints and disclose protected information. All Hono versions prior to 4.12.21 are affected across every supported JavaScript runtime. No public exploit or CISA KEV listing exists at time of analysis; however, the CVSS vector AV:N/AC:L/PR:N/UI:N and the 'Information Disclosure / Request Smuggling' classification make this a meaningful priority for any deployment that relies on mount-prefix path logic for access segregation.
Host header injection in Starlette prior to version 1.0.1 allows unauthenticated remote attackers to cause `request.url.path` to differ from the actual ASGI scope path used for routing, enabling bypass of middleware and endpoint security controls that rely on `request.url` rather than the raw scope. Any application enforcing path-based ACLs, authentication gates, or WAF-style filters through `request.url` is affected, as a crafted Host header can make the URL appear to address a permitted path while the real route differs. This issue carries CVSS 6.5 (AV:N/AC:L/PR:N/UI:N); no public exploit has been identified at time of analysis and it is not listed in CISA KEV.
Remote code execution and denial of service in IBM Web Server Plug-ins for WebSphere Application Server and WebSphere Liberty 8.5 and 9.0 stem from improper input validation (CWE-444 HTTP Request Smuggling). Unauthenticated network attackers can send crafted requests that desynchronize the plug-in's request parsing, potentially achieving full compromise of the application tier. No public exploit identified at time of analysis, and EPSS remains low (0.06%), but the vendor confirms a patch and CISA SSVC rates the technical impact as total with automatable exploitation.
HTTP request smuggling in IBM Web Server Plug-ins for WebSphere Application Server and WebSphere Liberty 8.5 and 9.0 allows remote unauthenticated attackers to send specially crafted requests that desynchronize front-end and back-end HTTP parsing. Successful exploitation enables cache poisoning, security control bypass, and limited disclosure or modification of data passing through the plug-in, with a CVSS 7.5 reflecting a Changed scope and high confidentiality impact. There is no public exploit identified at time of analysis, EPSS is low at 0.05% (15th percentile), and CISA SSVC marks exploitation status as none.
HTTP request smuggling in Netty's HttpRequestDecoder allows remote unauthenticated attackers to inject arbitrary HTTP requests by sending malformed Transfer-Encoding headers (specifically 'Transfer-Encoding: chunked, identity'). When Netty is deployed behind a proxy that forwards such requests without rejection, an attacker can smuggle a second request inside the body of the first, bypassing security controls and accessing unintended resources. The vulnerability is confirmed by public proof-of-concept code demonstrating successful parsing of injected requests.
HTTP response desynchronization in Netty's HttpClientCodec (netty-codec-http 4.1.x through 4.1.132.Final and 4.2.0.Alpha1 through 4.2.12.Final) lets a malicious or misbehaving server cause one request's response body to be parsed as another's. Because the codec polls its request queue once per inbound response — including for informational 1xx — a pipelined GET+HEAD sequence preceded by a 103 mispairs the HEAD with the GET's 200, leaving GET entity bytes on the wire so the following response is parsed from the wrong offset. Rated CVSS 9.1 (I:H/A:H), publicly available exploit code exists (a vendor PoC ships in the advisory), though EPSS is very low (0.04%) and it is not on CISA KEV.
HTTP request smuggling in Netty's netty-codec-http (HttpObjectDecoder) lets remote attackers desynchronize message boundaries by sending an HTTP/1.0 request carrying both Transfer-Encoding: chunked and Content-Length. Netty's anti-smuggling sanitization that strips the conflicting Content-Length header only runs for HTTP/1.1, so on HTTP/1.0 Netty parses the body as chunked while leaving Content-Length intact for any downstream Content-Length-first proxy, which then treats trailing chunk bytes as a new request. Publicly available exploit code exists (a working EmbeddedChannel PoC test), but EPSS is very low (0.03%, 8th percentile) and it is not in CISA KEV.
HTTP request smuggling in Netty's chunk size parser allows remote unauthenticated attackers to inject arbitrary HTTP requests by exploiting integer overflow in the hexadecimal chunk size parsing logic. The HttpObjectDecoder.getChunkSize method accumulates the chunk size without proper overflow validation, enabling an attacker to craft a malicious chunk size header that wraps around to a valid size, causing Netty to misinterpret the request boundary and parse injected requests as separate legitimate requests. Publicly available proof-of-concept demonstrates successful parsing of an injected GET request within a chunked POST body, with CVSS score 6.5 (network-accessible, low complexity, no authentication required).
HTTP Request Smuggling in Gazelle (Perl web server) versions through 0.49 enables attackers to smuggle malicious requests through reverse proxies by exploiting incorrect header precedence. Gazelle violates RFC 7230 by prioritizing Content-Length over Transfer-Encoding: chunked when both headers are present, allowing desynchronization between front-end proxies and the backend server. SSVC framework indicates the vulnerability is automatable with partial technical impact, while CVSS 7.5 reflects network-accessible unauthenticated exploitation with high integrity impact. A vendor patch is available via CPANSec.
HTTP request smuggling in Starlet through version 0.31 allows remote unauthenticated attackers to bypass header validation by exploiting incorrect precedence of Content-Length over Transfer-Encoding headers. The vulnerability violates RFC 7230 section 3.3.3, which mandates that Transfer-Encoding must take precedence when both headers are present. An attacker positioned between a client and Starlet-based backend can craft malicious requests that are interpreted differently by a front-end reverse proxy and the Starlet server, enabling request smuggling attacks with integrity impact.
HTTP request smuggling in mtrudel bandit before version 1.11.0 allows unauthenticated attackers to bypass edge security controls when the application sits behind a proxy that interprets duplicate Content-Length headers differently. The vulnerability stems from Bandit accepting only the first Content-Length header while proxies may use the last value, causing request framing desynchronization that enables smuggling past WAF rules, path-based ACLs, rate limiting, and audit logging. CVSS 6.3 (AV:N/AC:L/AT:P) indicates network-accessible exploitation with some attack timing complexity; no public exploit code or active KEV listing identified at analysis time, but RFC 9112 non-compliance creates a known attack pattern.
Starman versions before 0.4018 for Perl allows HTTP Request Smuggling via Improper Header Precedence. Starman incorrectly prioritizes "Content-Length" over "Transfer-Encoding: chunked" when both headers are present in an HTTP request. Per RFC 7230 3.3.3, Transfer-Encoding must take precedence. An attacker could exploit this to smuggle malicious HTTP requests via a front-end reverse proxy.
HTTP request smuggling in Apache Pony Mail (Lua implementation) enables remote unauthenticated attackers to achieve complete admin account takeover with critical impact across confidentiality, integrity, and availability. This affects all versions of the retired Lua codebase - Apache has abandoned support with no patch planned, recommending migration to alternative solutions. CVSS 9.8 critical severity reflects trivial network-based exploitation requiring no authentication or user interaction.
A request smuggling vulnerability exists in libsoup's HTTP/1 header parsing logic. The soup_message_headers_append_common() function in libsoup/soup-message-headers.c unconditionally appends each header value without validating for duplicate or conflicting Content-Length fields. This allows an attacker to send HTTP requests containing multiple Content-Length headers with differing values.
HTTP request smuggling in HCL BigFix Service Management allows remote unauthenticated attackers to exploit HTTP parsing inconsistencies between front-end and back-end servers, potentially leading to limited information disclosure through cache poisoning or request hijacking attacks. The vulnerability has a CVSS score of 3.7 with low confidentiality impact but no direct availability or integrity impact.
HTTP request smuggling in Eclipse Jetty's HTTP/1.1 parser lets remote unauthenticated attackers desynchronize front-end/back-end request boundaries by abusing quoted-string chunk extensions. Jetty incorrectly terminates chunk-extension parsing at a CRLF located inside an unterminated quoted-string (e.g. `1;a="`) rather than rejecting it, so attacker-controlled bytes are reinterpreted as a second, smuggled request on the same TCP connection. Publicly available exploit code exists (a working Python PoC ships in the GHSA advisory), though EPSS is very low (0.03%, 9th percentile) and the issue is not on CISA KEV.
HTTP request smuggling in Apache Tomcat 7.x through 11.x permits unauthenticated remote attackers to manipulate request routing and bypass security controls via malformed chunk extension processing. Exploitation enables header injection, cache poisoning, and request routing manipulation without code execution. Affects Tomcat 7.0.0-7.0.109, 8.5.0-8.5.100, 9.0.0.M1-9.0.115, 10.1.0-M1-10.1.52, and 11.0.0-M1-11.0.18. No public exploit identified at time of analysis. Low observed exploitation activity (EPSS 0.02%).
HTTP request smuggling and denial of service in Tinyproxy through 1.11.3 allows unauthenticated remote attackers to cause backend worker exhaustion and bypass request inspection controls. The vulnerability stems from case-sensitive Transfer-Encoding header parsing that violates RFC 7230, enabling attackers to send 'Transfer-Encoding: Chunked' (capitalized) to desynchronize Tinyproxy's request state from RFC-compliant backends like Node.js and Nginx. No public exploit identified at time of analysis, though EPSS data not available and technical details are publicly documented in GitHub issue #604. Authentication requirements not confirmed from available data, but CVSS vector indicates network-accessible attack requiring no privileges.
Apache Traffic Server versions 9.0.0-9.2.12 and 10.0.0-10.1.1 are vulnerable to HTTP request smuggling through malformed chunked transfer encoding, allowing attackers to bypass security controls and smuggle malicious requests. The vulnerability stems from improper parsing of chunked messages (CWE-444: Inconsistent Interpretation of HTTP Requests) and affects all deployments using these versions as reverse proxies or intermediaries. Apache has released patched versions 9.2.13 and 10.1.2; no public exploit code or active exploitation has been reported at the time of analysis.
IBM Verify Identity Access and Security Verify Access versions 10.0 through 10.0.9.1 and 11.0 through 11.0.2 allow unauthenticated remote attackers to access sensitive information through HTTP request smuggling via inconsistent interpretation of HTTP requests by a reverse proxy. The vulnerability affects both container and non-container deployments and has a CVSS score of 5.3 with confirmed vendor patch availability.
Remote attackers can access sensitive information in IBM Verify Identity Access Container 11.0-11.0.2, IBM Security Verify Access Container 10.0-10.0.9.1, and their non-containerized counterparts through HTTP request smuggling. The vulnerability exploits inconsistent HTTP request interpretation between the application and its reverse proxy, allowing unauthenticated remote access to restricted data with low attack complexity.
HTTP Request Smuggling in cpp-httplib prior to 0.40.0 allows remote attackers to inject arbitrary HTTP requests on HTTP/1.1 keep-alive connections by embedding malicious request data in the body of GET requests that the static file handler does not consume. The unread body bytes remain on the TCP stream and are interpreted as a new request, enabling information disclosure and request manipulation without authentication or user interaction.
HTTP request smuggling in Undertow (the embedded web server underpinning JBoss EAP, Red Hat Data Grid, and Apache Camel for Spring Boot) allows remote unauthenticated attackers to bypass front-end security controls by prepending whitespace to header lines. Undertow strips leading spaces from the first header line in violation of RFC 7230, creating a parser discrepancy between upstream proxies and the application server. No public exploit identified at time of analysis, and EPSS sits at 0.13% (32nd percentile), but the CVSS 9.1 and broad Red Hat middleware exposure make this a high-value target for chained attacks.
HTTP request smuggling in Undertow allows remote unauthenticated attackers to send `\r\r\r` as a header block terminator, which can desynchronize parsing when Undertow sits behind specific intermediaries such as older Apache Traffic Server or Google Cloud Classic Application Load Balancer. The flaw affects numerous Red Hat distributions of Undertow (JBoss EAP 7/8, Data Grid 8, Fuse 7, Camel for Spring Boot 4, RHEL 8/9/10) and carries a CVSS 9.1, though EPSS is only 0.04% and there is no public exploit identified at time of analysis.
HTTP request smuggling in Red Hat Undertow allows remote unauthenticated attackers to bypass front-end security controls by exploiting parsing discrepancies between Undertow and upstream proxies when handling crafted header names. The flaw (CWE-444) affects Undertow embedded in multiple Red Hat products including JBoss EAP 7/8, Data Grid 8, Fuse 7, and Apache Camel for Spring Boot 4, with Red Hat issuing patches via RHSA-2026:25125 and RHSA-2026:25126. There is no public exploit identified at time of analysis and EPSS is low (0.10%), but CVSS 9.1 and SSVC 'total' technical impact warrant prompt patching of internet-facing deployments.
CVE-2026-33870 is a security vulnerability (CVSS 7.5). High severity vulnerability requiring prompt remediation.
An HTTP Request/Response Smuggling vulnerability exists in visualfc liteide due to inconsistent interpretation of HTTP requests in the HTTP parser component (http_parser.C), classified under CWE-444. This affects liteide versions before x38.4, allowing attackers to exploit the qjsonrpc HTTP parser module to smuggle malicious requests. An attacker could leverage this vulnerability to perform request smuggling attacks, potentially leading to cache poisoning, session hijacking, or information disclosure depending on the deployment context and HTTP intermediaries involved.
CVE-2026-29057 is a security vulnerability (CVSS 6.5) that allows request smuggling. Remediation should follow standard vulnerability management procedures. Vendor patch is available.
A critical HTTP Request Smuggling vulnerability exists in Erlang OTP's inets httpd module that allows attackers to desynchronize front-end and back-end servers by exploiting inconsistent Content-Length header parsing. The vulnerability affects Erlang OTP versions from 17.0 through 28.4.0 (inets 5.10 through 9.6.0) and enables attackers to bypass security controls, potentially poisoning web caches or accessing unauthorized resources. While not currently listed in CISA KEV or showing high EPSS scores, the vulnerability has a CVSS 4.0 score of 7.0 and could lead to significant security boundary violations in production environments using affected Erlang-based web services.
Cisco Secure Firewall ASA and FTD devices with VPN web services enabled are vulnerable to cross-site request forgery (CSRF) attacks due to insufficient HTTP request validation. An attacker can trick users into visiting a malicious website that sends crafted requests to the affected appliance, potentially allowing injection of malicious content reflected back to the victim's browser. No patch is currently available for this vulnerability.
An inconsistent interpretation of http requests ('http request smuggling') vulnerability in Fortinet FortiOS 7.6.0, FortiOS 7.4.0 through 7.4.9, FortiOS 7.2 all versions, FortiOS 7.0 all versions, FortiOS 6.4.3 through 6.4.16 may allow an unauthenticated attacker to smuggle an unlogged http request through the firewall policies via a specially crafted header [CVSS 5.8 MEDIUM]
HTTP request smuggling in libsoup allows remote attackers to exploit non-compliant chunk header parsing by injecting malformed requests with LF-only line endings instead of proper CRLF formatting. Without requiring authentication, an attacker can cause libsoup to interpret multiple HTTP requests from a single network message, potentially leading to information disclosure. No patch is currently available for this vulnerability.
HTTP request smuggling in H3 framework versions before 1.15.5 allows remote attackers to bypass security controls by exploiting improper case-sensitive validation of the Transfer-Encoding header. The vulnerability enables attackers to inject malicious requests that diverge between client and server parsing, potentially leading to cache poisoning, session hijacking, or other attacks. Public exploit code exists for this vulnerability.
HTTP request smuggling in libsoup, GNOME's HTTP client/server library, lets remote unauthenticated attackers exploit inconsistent Host header parsing: libsoup accepts multiple Host: headers and processes the last occurrence, while common front-end proxies honor the first. Supplying duplicate Host headers creates a proxy/backend mismatch enabling vhost confusion, request smuggling, cache poisoning, and bypass of host-based access controls. No public exploit is identified at time of analysis and it is not listed in CISA KEV, but Red Hat has shipped fixes across numerous products (15 RHSA errata).
lighttpd1.4.80 incorrectly merged trailer fields into headers after http request parsing. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This HTTP Request/Response Smuggling vulnerability could allow attackers to manipulate HTTP request interpretation between frontend and backend servers.
Http4s is a Scala interface for HTTP services. Rated medium severity (CVSS 6.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.
An HTTP Request Smuggling [CWE-444] vulnerability in the Authentication portal of WatchGuard Fireware OS allows a remote attacker to evade request parameter sanitation and perform a reflected. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Netty is an asynchronous event-driven network application framework for development of maintainable high performance protocol servers and clients. Rated low severity (CVSS 2.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.
Eventlet is a concurrent networking library for Python. Rated medium severity (CVSS 6.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This HTTP Request/Response Smuggling vulnerability could allow attackers to manipulate HTTP request interpretation between frontend and backend servers.
Akamai Ghost before 2025-07-21 allows HTTP Request Smuggling via an OPTIONS request that has an entity body, because there can be a subsequent request within the persistent connection between an. Rated medium severity (CVSS 4.0), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.
An issue was discovered in Akamai Ghost, as used for the Akamai CDN platform before 2025-03-26. Rated medium severity (CVSS 4.0), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.
EspoCRM is a web application with a frontend designed as a single-page application and a REST API backend written in PHP. Rated medium severity (CVSS 4.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.
Spring Cloud Gateway Server forwards the X-Forwarded-For and Forwarded headers from untrusted proxies. Rated high severity (CVSS 8.6), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
A request smuggling vulnerability identified within Pingora’s proxying framework, pingora-proxy, allows malicious HTTP requests to be injected via manipulated request bodies on cache HITs, leading to. Rated high severity (CVSS 7.4), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.
A flaw in Node.js 20's HTTP parser allows improper termination of HTTP/1 headers using `\r\n\rX` instead of the required `\r\n\r\n`. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
A request smuggling vulnerability existed in the Google Cloud Classic Application Load Balancer due to improper handling of chunked-encoded HTTP requests. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Varnish Cache before 7.6.3 and 7.7 before 7.7.1, and Varnish Enterprise before 6.0.13r14, allow client-side desync via HTTP/1 requests, because the product incorrectly permits CRLF to be skipped to. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.
Radware Cloud Web Application Firewall (WAF) before 2025-05-07 allows remote attackers to bypass firewall filters by placing random data in the HTTP request body when using the HTTP GET method. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
h11 is a Python implementation of HTTP/1.1. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
An issue in OpenResty lua-nginx-module v.0.10.26 and before allows a remote attacker to conduct HTTP request smuggling via a crafted HEAD request. Rated high severity (CVSS 7.7), this vulnerability is remotely exploitable, no authentication required. Public exploit code available and no vendor patch available.
An issue in croogo v.3.0.2 allows an attacker to perform Host header injection via the feed.rss component. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
When using the ch-go library, under a specific condition when the query includes a large, uncompressed malicious external data, it is possible for an attacker in control of such data to smuggle. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable. No vendor patch available.
Apache Traffic Server allows request smuggling if chunked messages are malformed.2.0 through 9.2.9, from 10.0.0 through 10.0.4. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
React Router is a multi-strategy router for React bridging the gap from React 18 to React 19. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
IBM Cognos Controller 11.0.0 through 11.1.0 is vulnerable to a Client-Side Desync (CSD) attack where an attacker could exploit a desynchronized browser connection that could lead to further. Rated medium severity (CVSS 4.7), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.
Varnish Cache before 7.6.2 and Varnish Enterprise before 6.0.13r10 allow client-side desync via HTTP/1 requests. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.
Gunicorn version 21.2.0 does not properly validate the value of the 'Transfer-Encoding' header as specified in the RFC standards, which leads to the default fallback method of 'Content-Length,'. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
HTTP Request Smuggling vulnerability in netease-youdao/qanything version 1.4.1 allows attackers to exploit inconsistencies in the interpretation of HTTP requests between a proxy and a server. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
In JetBrains Ktor before 3.1.1 an HTTP Request Smuggling was possible. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
A critical HTTP Request/Response Smuggling vulnerability (CWE-444) in ithewei libhv library versions up to 1.3.3 allows attackers to manipulate HTTP request interpretation between frontend and backend servers. With a CVSS 4.0 score of 10.0, this vulnerability requires no authentication or user interaction and can be exploited remotely with low complexity. HTTP smuggling attacks can bypass security controls, poison web caches, hijack user sessions, and enable cross-site scripting, making this particularly dangerous in environments using libhv as a reverse proxy or HTTP server component.
In Perfex Crm < 3.2.1, an authenticated attacker can send a crafted HTTP POST request to the affected upload_sales_file endpoint. Rated medium severity (CVSS 6.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
A flaw was found in OpenShift Service Mesh 2.6.3 and 2.5.6. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
A flaw was found in Quarkus-HTTP, which incorrectly parses cookies with certain value-delimiting characters in incoming requests. Rated high severity (CVSS 7.4), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.
Inconsistent interpretation of HTTP requests ('HTTP Request/Response Smuggling') issue exists in HAProxy. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
A vulnerability was found in the Keycloak Server. Rated medium severity (CVSS 4.7). No vendor patch available.