Skip to main content

HTTP Request Smuggling

web HIGH

HTTP request smuggling exploits inconsistencies in how front-end and back-end servers parse HTTP message boundaries.

How It Works

HTTP request smuggling exploits inconsistencies in how front-end and back-end servers parse HTTP message boundaries. When a reverse proxy or load balancer forwards requests to a back-end server, both must agree on where one request ends and the next begins. This boundary is defined by either Content-Length (specifying exact body bytes) or Transfer-Encoding: chunked (indicating variable-length chunks). When servers interpret these headers differently, an attacker can craft a malicious request that appears as one request to the front-end but becomes two requests to the back-end.

The classic CL.TE variant works when the front-end prioritizes Content-Length while the back-end honors Transfer-Encoding. An attacker sends a request with both headers where the Content-Length value is smaller than the actual body. The front-end forwards the entire request, believing it ends earlier than it actually does. The back-end processes the declared content length as one request, then interprets the remaining bytes as the start of a new request—which gets prepended to the next legitimate user's request that arrives.

The TE.CL variant reverses this: the front-end reads chunked encoding while the back-end uses Content-Length. TE.TE attacks exploit even subtler differences—both servers support chunked encoding, but one can be tricked through obfuscation like extra spaces, mixed-case headers, or duplicate Transfer-Encoding directives. The attacker's smuggled request fragment poisons the request stream, affecting whatever user request follows.

Impact

  • Authentication bypass — smuggled requests inherit the authenticated session of the subsequent victim request
  • Request hijacking — capture sensitive data (credentials, tokens, API keys) from other users' requests by smuggling a prefix that logs or reflects their data
  • Web cache poisoning — inject malicious content that gets cached and served to all users accessing that resource
  • Cross-site scripting — smuggle requests that inject JavaScript payloads into responses served to other users
  • Access control circumvention — route requests to restricted endpoints by bypassing front-end security filters

Real-World Examples

Security researchers discovered request smuggling vulnerabilities in major CDN providers and reverse proxies throughout 2019-2020, affecting services that process billions of requests daily. Attackers successfully bypassed WAF protections by smuggling malicious payloads that the security layer never inspected, since the WAF and back-end disagreed on request boundaries.

E-commerce platforms running vulnerable configurations experienced account takeover attacks where smuggled requests captured session tokens from subsequent legitimate user requests, granting attackers full account access without credential theft.

Content delivery networks suffered cache poisoning incidents where attackers smuggled requests causing the CDN to cache malicious JavaScript, which was then served to thousands of users requesting the same resource.

Mitigation

  • Deploy HTTP/2 end-to-end — eliminates ambiguity since HTTP/2 uses binary framing with explicit length prefixes
  • Reject ambiguous requests — drop any request containing both Content-Length and Transfer-Encoding headers
  • Normalize forwarded requests — ensure the front-end rewrites requests to use only one length mechanism before forwarding
  • Disable back-end connection reuse — configure each back-end request to use a fresh connection (reduces performance but prevents smuggling)
  • Use identical HTTP parsing — deploy the same server software for both front-end and back-end tiers

Recent CVEs (254)

EPSS 0% CVSS 4.7
MEDIUM PATCH This Month

A vulnerability was found in the Keycloak Server. Rated medium severity (CVSS 4.7). No vendor patch available.

Request Smuggling Denial Of Service
NVD
EPSS 1% CVSS 6.3
MEDIUM PATCH This Month

aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. Rated medium severity (CVSS 6.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This HTTP Request/Response Smuggling vulnerability could allow attackers to manipulate HTTP request interpretation between frontend and backend servers.

Authentication Bypass Python Request Smuggling +1
NVD GitHub
EPSS 1% CVSS 7.5
HIGH POC This Week

GNOME libsoup before 3.6.0 allows HTTP request smuggling in some configurations because '\0' characters at the end of header names are ignored, i.e., a "Transfer-Encoding\0: chunked" header is. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure Request Smuggling Libsoup
NVD
EPSS 0% CVSS 7.5
HIGH This Week

kmqtt v0.2.7 is vulnerable to Denial of Service (DoS) due to a Null Pointer Exception. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Denial Of Service Request Smuggling Kmqtt
NVD GitHub VulDB
EPSS 0% CVSS 5.3
MEDIUM This Month

Vulnerability in the Oracle Banking Liquidity Management product of Oracle Financial Services Applications (component: Infrastructure). Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable. No vendor patch available.

Request Smuggling Denial Of Service Oracle +1
NVD
EPSS 0% CVSS 8.9
HIGH This Week

An HTTP Request Smuggling vulnerability in Looker allowed an unauthorized attacker to capture HTTP responses destined for legitimate users. Rated high severity (CVSS 8.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Request Smuggling Google +1
NVD
EPSS 1% CVSS 5.3
MEDIUM This Month

A vulnerability was found in the resteasy-netty4 library arising from improper handling of HTTP requests using smuggling techniques. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Request Smuggling
NVD GitHub
EPSS 1% CVSS 5.3
MEDIUM POC This Month

In PHP versions 8.1.* before 8.1.30, 8.2.* before 8.2.24, 8.3.* before 8.3.12, erroneous parsing of multipart form data contained in an HTTP POST request could lead to legitimate data not being. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP Request Smuggling Information Disclosure
NVD GitHub
EPSS 0% CVSS 5.9
MEDIUM This Month

In Mastodon 4.1.6, API endpoint rate limiting can be bypassed by setting a crafted HTTP request header. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable. No vendor patch available.

Authentication Bypass Request Smuggling Mastodon
NVD GitHub
EPSS 0% CVSS 4.3
MEDIUM This Month

Loway - CWE-444: Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling'). Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Request Smuggling Queuemetrics
NVD
EPSS 0% CVSS 9.1
CRITICAL Act Now

The pagination class includes arbitrary parameters in links, leading to cache poisoning attack vectors. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Request Smuggling Joomla
NVD
EPSS 1% CVSS 7.5
HIGH This Week

Apache Traffic Server forwards malformed HTTP chunked trailer section to origin servers. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache Request Smuggling Information Disclosure +1
NVD
EPSS 1% CVSS 8.6
HIGH This Week

This vulnerability allows a high-privileged authenticated PAM user to achieve remote command execution on the affected PAM system by sending a specially crafted HTTP request. Rated high severity (CVSS 8.6), this vulnerability is low attack complexity. No vendor patch available.

Information Disclosure Request Smuggling
NVD
EPSS 0% CVSS 7.5
HIGH This Week

Improper handling of requests in Routing Release > v0.273.0 and <= v0.297.0 allows an unauthenticated attacker to degrade the service availability of the Cloud Foundry deployment if performed at. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Request Smuggling Cf Deployment +1
NVD
EPSS 1% CVSS 8.8
HIGH This Week

HTTP request desynchronization in Ping Identity PingAccess, all versions prior to 8.0.1 affected allows an attacker to send specially crafted http header requests to create a request smuggling. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Request Smuggling
NVD
EPSS 1% CVSS 7.5
HIGH PATCH This Week

Next.js is a React framework that can provide building blocks to create web applications. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Request Smuggling Next Js
NVD GitHub
EPSS 1% CVSS 6.3
MEDIUM This Month

Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling') vulnerability in Apache APISIX when using `forward-auth` plugin.8.0, 3.9.0. Rated medium severity (CVSS 6.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Apache Request Smuggling Information Disclosure +1
NVD
EPSS 1% CVSS 7.5
HIGH This Week

Vulnerability in the Oracle Production Scheduling product of Oracle E-Business Suite (component: Import Utility). Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Request Smuggling Oracle +1
NVD
EPSS 3% CVSS 7.5
HIGH PATCH This Week

Gunicorn fails to properly validate Transfer-Encoding headers, leading to HTTP Request Smuggling (HRS) vulnerabilities. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Request Smuggling
NVD
EPSS 1% CVSS 9.8
CRITICAL PATCH Act Now

TOMP Bare Server implements the TompHTTP bare server. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Request Smuggling Tomp Bare Server
NVD GitHub
EPSS 1% CVSS 9.8
CRITICAL Act Now

An issue was discovered in Elspec G5 digital fault recorder versions 1.1.4.15 and before. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Buffer Overflow Request Smuggling G5Dfr Firmware
NVD
EPSS 0% CVSS 5.3
MEDIUM This Month

Vulnerability in the Oracle Application Object Library product of Oracle E-Business Suite (component: Login - SSO). Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Request Smuggling Denial Of Service Oracle +1
NVD
EPSS 2% CVSS 7.5
HIGH PATCH This Week

Request smuggling vulnerability in HTTP server in Apache bRPC 0.9.5~1.7.0 on all platforms allows attacker to smuggle request. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This HTTP Request/Response Smuggling vulnerability could allow attackers to manipulate HTTP request interpretation between frontend and backend servers.

Apache Request Smuggling Information Disclosure +1
NVD GitHub
EPSS 2% CVSS 5.9
MEDIUM PATCH This Month

Puma is a web server for Ruby/Rack applications built for parallelism. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, no authentication required. This HTTP Request/Response Smuggling vulnerability could allow attackers to manipulate HTTP request interpretation between frontend and backend servers.

Request Smuggling Information Disclosure Puma
NVD GitHub
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

fastify-reply-from is a Fastify plugin to forward the current HTTP request to another server. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This HTTP Request/Response Smuggling vulnerability could allow attackers to manipulate HTTP request interpretation between frontend and backend servers.

Request Smuggling Authentication Bypass Reply From
NVD GitHub
EPSS 0% CVSS 4.3
MEDIUM This Month

SAP Fiori launchpad - versions SAP_UI 750, SAP_UI 754, SAP_UI 755, SAP_UI 756, SAP_UI 757, SAP_UI 758, UI_700 200, SAP_BASIS 793, allows an attacker to use HTTP verb POST on read-only service causing. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SAP Information Disclosure Request Smuggling +1
NVD
EPSS 3% CVSS 7.5
HIGH POC PATCH This Week

Improper Input Validation vulnerability in Apache Tomcat.Tomcat from 11.0.0-M1 through 11.0.0-M10, from 10.1.0-M1 through 10.1.15, from 9.0.0-M1 through 9.0.82 and from 8.5.0 through 8.5.95 did not. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Tomcat Apache Information Disclosure +1
NVD
EPSS 25% CVSS 9.9
CRITICAL KEV THREAT Act Now

Qlik Sense Enterprise for Windows before August 2023 Patch 2 allows unauthenticated remote code execution, aka QB-21683. Rated critical severity (CVSS 9.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

RCE Request Smuggling Microsoft +1
NVD
EPSS 0% CVSS 3.7
LOW PATCH Monitor

yt-dlp is a youtube-dl fork with additional features and fixes. Rated low severity (CVSS 3.7), this vulnerability is remotely exploitable, no authentication required. This HTTP Request/Response Smuggling vulnerability could allow attackers to manipulate HTTP request interpretation between frontend and backend servers.

Information Disclosure Request Smuggling Yt Dlp
NVD GitHub
EPSS 1% CVSS 6.5
MEDIUM POC PATCH This Month

aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Python Request Smuggling Open Redirect +1
NVD GitHub
EPSS 1% CVSS 7.5
HIGH POC PATCH This Week

aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Python Request Smuggling Information Disclosure +1
NVD GitHub
EPSS 5% CVSS 5.3
MEDIUM This Month

SQUID is vulnerable to HTTP request smuggling, caused by chunked decoder lenience, allows a remote attacker to perform Request/Response smuggling past firewall and frontend security systems. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Request Smuggling Squid +7
NVD GitHub
EPSS 1% CVSS 5.3
MEDIUM POC PATCH This Month

Twisted is an event-based framework for internet applications. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure Request Smuggling Twisted
NVD GitHub
EPSS 0% CVSS 5.4
MEDIUM This Month

HPE MSA Controller prior to version IN210R004 could be remotely exploited to allow inconsistent interpretation of HTTP requests. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure Request Smuggling Msa 1060 Storage Firmware +2
NVD
EPSS 85% CVSS 9.9
CRITICAL POC KEV THREAT Act Now

An HTTP Request Tunneling vulnerability found in Qlik Sense Enterprise for Windows for versions May 2023 Patch 3 and earlier, February 2023 Patch 7 and earlier, November 2022 Patch 10 and earlier,. Rated critical severity (CVSS 9.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure Request Smuggling Microsoft +1
NVD
EPSS 1% CVSS 9.8
CRITICAL PATCH Act Now

Puma is a Ruby/Rack web server built for parallelism. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This HTTP Request/Response Smuggling vulnerability could allow attackers to manipulate HTTP request interpretation between frontend and backend servers.

Information Disclosure Request Smuggling Puma
NVD GitHub
EPSS 2% CVSS 7.2
HIGH POC PATCH This Week

HAProxy through 2.0.32, 2.1.x and 2.2.x through 2.2.30, 2.3.x and 2.4.x through 2.4.23, 2.5.x and 2.6.x before 2.6.15, 2.7.x before 2.7.10, and 2.8.x before 2.8.2 forwards empty Content-Length. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Information Disclosure Request Smuggling Haproxy
NVD GitHub
EPSS 1% CVSS 9.1
CRITICAL Act Now

Improper Input Validation vulnerability in Apache Software Foundation Apache Traffic Server.2.1. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache Information Disclosure Request Smuggling +1
NVD
EPSS 1% CVSS 5.3
MEDIUM PATCH This Month

protocol-http1 provides a low-level implementation of the HTTP/1 protocol. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This HTTP Request/Response Smuggling vulnerability could allow attackers to manipulate HTTP request interpretation between frontend and backend servers.

Request Smuggling Authentication Bypass Protocol Http1
NVD GitHub
EPSS 0% CVSS 5.3
MEDIUM This Month

VMware Horizon Server contains a HTTP request smuggling vulnerability. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure VMware Request Smuggling +1
NVD
EPSS 1% CVSS 7.5
HIGH POC PATCH This Week

aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Python Request Smuggling Information Disclosure +1
NVD GitHub
EPSS 1% CVSS 9.4
CRITICAL Act Now

An unauthenticated attacker in SAP Web Dispatcher - versions WEBDISP 7.49, WEBDISP 7.53, WEBDISP 7.54, WEBDISP 7.77, WEBDISP 7.81, WEBDISP 7.85, WEBDISP 7.88, WEBDISP 7.89, WEBDISP 7.90, KERNEL 7.49,. Rated critical severity (CVSS 9.4), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SAP Information Disclosure Request Smuggling +1
NVD
EPSS 2% CVSS 9.1
CRITICAL POC Act Now

Emby Server is a user-installable home media server which stores and organizes a user's media files of virtually any format and makes them available for viewing at home and abroad on a broad range of. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Request Smuggling Emby Releases
NVD GitHub
EPSS 1% CVSS 9.8
CRITICAL Act Now

LavaLite CMS v 9.0.0 was discovered to be vulnerable to web cache poisoning. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Request Smuggling Lavalite
NVD GitHub
EPSS 3% CVSS 7.3
HIGH This Week

HTTP request/response smuggling vulnerability in HAProxy version 2.7.0, and 2.6.1 to 2.6.7 allows a remote attacker to alter a legitimate user's request. Rated high severity (CVSS 7.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Request Smuggling Haproxy
NVD
EPSS 1% CVSS 9.8
CRITICAL PATCH Act Now

An issue was discovered in MediaWiki before 1.35.10, 1.36.x through 1.38.x before 1.38.6, and 1.39.x before 1.39.3. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Request Smuggling Mediawiki +1
NVD
EPSS 2% CVSS 7.5
HIGH PATCH This Week

HTTP Response Smuggling vulnerability in Apache HTTP Server via mod_proxy_uwsgi.4.30 through 2.4.55. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache Information Disclosure Request Smuggling +3
NVD
EPSS 84% CVSS 9.8
CRITICAL Act Now

Some mod_proxy configurations on Apache HTTP Server versions 2.4.0 through 2.4.55 allow a HTTP Request Smuggling attack. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache Request Smuggling Authentication Bypass +1
NVD
EPSS 5% CVSS 9.1
CRITICAL Act Now

HAProxy before 2.7.3 may allow a bypass of access control because HTTP/1 headers are inadvertently lost in some situations, aka "request smuggling." The HTTP header parsers in HAProxy may accept. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Request Smuggling Authentication Bypass Haproxy +1
NVD
EPSS 0% CVSS 8.8
HIGH This Week

Dell EMC PV ME5, versions ME5.1.0.0.0 and ME5.1.0.1.0, contains a Client-side desync Vulnerability. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Request Smuggling Dell +3
NVD
EPSS 3% CVSS 6.5
MEDIUM POC This Month

The llhttp parser in the http module in Node v18.7.0 does not correctly handle header fields that are not terminated with CLRF. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure Request Smuggling Node Js +3
NVD
EPSS 1% CVSS 7.5
HIGH This Week

An issue was discovered in Varnish Cache 7.x before 7.1.2 and 7.2.x before 7.2.1. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Request Smuggling Varnish Cache +1
NVD
EPSS 1% CVSS 7.5
HIGH PATCH This Week

If Apache Tomcat 8.5.0 to 8.5.82, 9.0.0-M1 to 9.0.67, 10.0.0-M1 to 10.0.26 or 10.1.0-M1 to 10.1.0 was configured to ignore invalid HTTP headers via setting rejectIllegalHeader to false (the default. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache Tomcat Request Smuggling +1
NVD
EPSS 1% CVSS 7.5
HIGH POC PATCH This Week

Requests forwarded by ReverseProxy include the raw query parameters from the inbound request, including unparsable parameters rejected by net/http. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Information Disclosure Request Smuggling Go
NVD
EPSS 45% CVSS 5.4
MEDIUM This Month

Pulse Secure version 9.115 and below may be susceptible to client-side http request smuggling, When the application receives a POST request, it ignores the request's Content-Length header and leaves. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Ivanti Request Smuggling XSS +2
NVD
EPSS 1% CVSS 9.8
CRITICAL POC PATCH Act Now

It was found that Quarkus 2.10.x does not terminate HTTP requests header context which may lead to unpredictable behavior. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure Request Smuggling Quarkus
NVD GitHub
EPSS 1% CVSS 7.5
HIGH POC This Week

dproxy-nexgen (aka dproxy nexgen) re-uses the DNS transaction id (TXID) value from client queries, which allows attackers (able to send queries to the resolver) to conduct DNS cache-poisoning attacks. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure Request Smuggling Dproxy Nexgen
NVD
EPSS 1% CVSS 6.5
MEDIUM POC PATCH This Month

Acceptance of some invalid Transfer-Encoding headers in the HTTP/1 client in net/http before Go 1.17.12 and Go 1.18.4 allows HTTP request smuggling if combined with an intermediate server that also. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Information Disclosure Request Smuggling Go
NVD
EPSS 1% CVSS 6.1
MEDIUM This Month

A vulnerability in the VPN web client services component of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Request Smuggling Cisco XSS +2
NVD
EPSS 2% CVSS 7.5
HIGH This Week

Improper Input Validation vulnerability in HTTP/2 request validation of Apache Traffic Server allows an attacker to create smuggle or cache poison attacks.0.0 to 9.1.2. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache Information Disclosure Request Smuggling +3
NVD
EPSS 69% CVSS 6.5
MEDIUM POC PATCH THREAT This Month

The llhttp parser <v14.20.1, <v16.17.1 and <v18.9.1 in the http module in Node.js does not correctly handle multi-line Transfer-Encoding headers. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Information Disclosure Node.js Request Smuggling +6
NVD
EPSS 81% CVSS 6.5
MEDIUM POC PATCH THREAT This Month

The llhttp parser <v14.20.1, <v16.17.1 and <v18.9.1 in the http module in Node.js does not strictly use the CRLF sequence to delimit HTTP requests. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Information Disclosure Node.js Request Smuggling +4
NVD
EPSS 42% CVSS 6.5
MEDIUM POC PATCH THREAT This Month

The llhttp parser <v14.20.1, <v16.17.1 and <v18.9.1 in the http module in Node.js does not correctly parse and validate Transfer-Encoding headers and can lead to HTTP Request Smuggling (HRS). Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Information Disclosure Node.js Request Smuggling +6
NVD
EPSS 2% CVSS 6.5
MEDIUM POC PATCH This Month

HTTP::Daemon is a simple http server class written in perl. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Information Disclosure Apache Nginx +2
NVD GitHub
EPSS 19% CVSS 7.5
HIGH This Week

Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling') vulnerability in mod_proxy_ajp of Apache HTTP Server allows an attacker to smuggle requests to the AJP server it forwards. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Apache Request Smuggling +3
NVD
EPSS 8% CVSS 9.8
CRITICAL PATCH Act Now

Improper parsing of HTTP requests in Pallets Werkzeug v2.1.0 and below allows attackers to perform HTTP Request Smuggling using a crafted HTTP request with multiple requests included inside the body. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This HTTP Request/Response Smuggling vulnerability could allow attackers to manipulate HTTP request interpretation between frontend and backend servers.

Information Disclosure Request Smuggling Werkzeug
NVD GitHub
EPSS 1% CVSS 5.9
MEDIUM PATCH This Month

A flaw was found in the original fix for the netty-codec-http CVE-2021-21409, where the OpenShift Logging openshift-logging/elasticsearch6-rhel8 container was incomplete. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, no authentication required. This HTTP Request/Response Smuggling vulnerability could allow attackers to manipulate HTTP request interpretation between frontend and backend servers.

Information Disclosure Request Smuggling Origin Aggregated Logging
NVD GitHub
EPSS 3% CVSS 8.1
HIGH PATCH This Week

Twisted is an event-based framework for internet applications, supporting Python 3.6+. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. This HTTP Request/Response Smuggling vulnerability could allow attackers to manipulate HTTP request interpretation between frontend and backend servers.

Information Disclosure Python Request Smuggling +4
NVD GitHub
EPSS 2% CVSS 7.5
HIGH PATCH This Week

Puma is a simple, fast, multi-threaded, parallel HTTP 1.1 server for Ruby/Rack applications. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This HTTP Request/Response Smuggling vulnerability could allow attackers to manipulate HTTP request interpretation between frontend and backend servers.

Information Disclosure Request Smuggling Puma +2
NVD GitHub
EPSS 2% CVSS 9.8
CRITICAL PATCH Act Now

mitmproxy is an interactive, SSL/TLS-capable intercepting proxy. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This HTTP Request/Response Smuggling vulnerability could allow attackers to manipulate HTTP request interpretation between frontend and backend servers.

Information Disclosure Request Smuggling Mitmproxy
NVD GitHub
EPSS 2% CVSS 7.5
HIGH PATCH This Week

Waitress is a Web Server Gateway Interface server for Python 2 and 3. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This HTTP Request/Response Smuggling vulnerability could allow attackers to manipulate HTTP request interpretation between frontend and backend servers.

Information Disclosure Python Request Smuggling +2
NVD GitHub
EPSS 28% CVSS 9.8
CRITICAL PATCH Act Now

Apache HTTP Server 2.4.52 and earlier fails to close inbound connection when errors are encountered discarding the request body, exposing the server to HTTP Request Smuggling. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This HTTP Request/Response Smuggling vulnerability could allow attackers to manipulate HTTP request interpretation between frontend and backend servers.

Information Disclosure Apache Request Smuggling +7
NVD
EPSS 5% CVSS 7.5
HIGH This Week

An HTTP smuggling attack in the web application of D-Link DIR-X1860 before v1.10WWB09_Beta allows a remote unauthenticated attacker to DoS the web application via sending a specific HTTP packet. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Request Smuggling D-Link +1
NVD VulDB
EPSS 3% CVSS 7.5
HIGH This Week

A misconfiguration in HTTP/1.0 and HTTP/1.1 of the web interface in TP-Link AX10v1 before V1_211117 allows a remote unauthenticated attacker to send a specially crafted HTTP request and receive a. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

TP-Link Request Smuggling Information Disclosure +1
NVD VulDB
EPSS 3% CVSS 6.5
MEDIUM PATCH This Month

Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This HTTP Request/Response Smuggling vulnerability could allow attackers to manipulate HTTP request interpretation between frontend and backend servers.

Request Smuggling Information Disclosure Netty +17
NVD GitHub
EPSS 2% CVSS 7.5
HIGH This Week

An HTTP request smuggling attack in TP-Link AX10v1 before v1_211117 allows a remote unauthenticated attacker to DoS the web application via sending a specific HTTP packet. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Request Smuggling TP-Link +1
NVD VulDB
EPSS 3% CVSS 7.5
HIGH POC This Week

M-Files Web before 20.10.9524.1 allows a denial of service via overlapping ranges (in HTTP requests with crafted Range or Request-Range headers). Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Request Smuggling Denial Of Service M Files Web
NVD
EPSS 1% CVSS 6.5
MEDIUM PATCH This Month

Symfony/Http-Kernel is the HTTP kernel component for Symfony, a PHP framework for web and console applications and a set of reusable PHP components. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This HTTP Request/Response Smuggling vulnerability could allow attackers to manipulate HTTP request interpretation between frontend and backend servers.

Request Smuggling PHP Information Disclosure +1
NVD GitHub
EPSS 5% CVSS 7.5
HIGH This Week

An HTTP request smuggling in web application in ASUS ROG Rapture GT-AX11000, RT-AX3000, RT-AX55, RT-AX56U, RT-AX56U_V2, RT-AX58U, RT-AX82U, RT-AX82U GUNDAM EDITION, RT-AX86 Series(RT-AX86U/RT-AX86S),. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Request Smuggling Information Disclosure Gt Ax11000 Firmware +17
NVD VulDB
EPSS 1% CVSS 7.5
HIGH PATCH This Week

A vulnerability has been detected in HyperLedger Fabric v1.4.0, v2.0.0, v2.0.1, v2.3.0. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This HTTP Request/Response Smuggling vulnerability could allow attackers to manipulate HTTP request interpretation between frontend and backend servers.

Request Smuggling Information Disclosure Fabric
NVD GitHub
EPSS 3% CVSS 6.5
MEDIUM POC PATCH This Month

The parser in accepts requests with a space (SP) right after the header name before the colon. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Request Smuggling Information Disclosure Llhttp +2
NVD
EPSS 1% CVSS 7.5
HIGH PATCH This Week

Belledonne Belle-sip before 5.0.20 can crash applications such as Linphone via an invalid From header (request URI without a parameter) in an unauthenticated SIP message, a different issue than. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This HTTP Request/Response Smuggling vulnerability could allow attackers to manipulate HTTP request interpretation between frontend and backend servers.

Request Smuggling Denial Of Service Belle Sip
NVD GitHub
EPSS 2% CVSS 6.5
MEDIUM POC PATCH This Month

The parse function in llhttp < 2.1.4 and < 6.0.6. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Request Smuggling Information Disclosure Llhttp +2
NVD
EPSS 1% CVSS 8.1
HIGH This Week

Firefox incorrectly accepted a newline in a HTTP/3 header, interpretting it as two separate headers. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Mozilla Request Smuggling Information Disclosure +2
NVD
EPSS 1% CVSS 3.7
LOW PATCH Monitor

Puma is a HTTP 1.1 server for Ruby/Rack applications. Rated low severity (CVSS 3.7), this vulnerability is remotely exploitable. This HTTP Request/Response Smuggling vulnerability could allow attackers to manipulate HTTP request interpretation between frontend and backend servers.

Request Smuggling Apache Information Disclosure +2
NVD GitHub
EPSS 1% CVSS 7.5
HIGH POC This Week

An issue was discovered in zeek version 4.1.0. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Request Smuggling Information Disclosure Zeek
NVD GitHub
EPSS 1% CVSS 5.3
MEDIUM This Month

Ping Identity PingAccess before 5.3.3 allows HTTP request smuggling via header manipulation. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Request Smuggling Information Disclosure Pingaccess
NVD
EPSS 1% CVSS 9.8
CRITICAL PATCH Act Now

mitmproxy is an interactive, SSL/TLS-capable intercepting proxy. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Request Smuggling Information Disclosure Mitmproxy
NVD GitHub
EPSS 3% CVSS 9.4
CRITICAL POC Act Now

SAP Web Dispatcher versions - 7.49, 7.53, 7.77, 7.81, KRNL64NUC - 7.22, 7.22EXT, 7.49, KRNL64UC -7.22, 7.22EXT, 7.49, 7.53, KERNEL - 7.22, 7.49, 7.53, 7.77, 7.81, 7.83 processes allow an. Rated critical severity (CVSS 9.4), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure Request Smuggling SAP +1
NVD
EPSS 1% CVSS 5.3
MEDIUM This Month

In PEPPERL+FUCHS WirelessHART-Gateway <= 3.0.8 a vulnerability may allow remote attackers to rewrite links and URLs in cached pages to arbitrary strings. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Request Smuggling Information Disclosure Wha Gw F2D2 0 As Z2 Eth Firmware +1
NVD
Prev Page 2 of 3 Next

Quick Facts

Typical Severity
HIGH
Category
web
Total CVEs
254

Related CWEs

MITRE ATT&CK

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy