Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')

The product acts as an intermediary HTTP agent (such as a proxy or firewall) in the data flow between two entities such as a client and server, but it does not interpret malformed HTTP requests or responses in ways that are consistent with how the messages will be processed by those entities that are at the ultimate destination.

CVEs (331)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2023-27238 1Lavalite 1Lavalite Jan 27, 2025 May 12, 2023 N/A· v4 9.8 CRITICAL· v3 N/A· v2 LavaLite CMS v 9.0.0 was discovered to be vulnerable to web cache poisoning.
CVE-2023-25950 1Haproxy 1Haproxy Feb 11, 2025 Apr 11, 2023 N/A· v4 7.3 HIGH· v3 N/A· v2 HTTP request/response smuggling vulnerability in HAProxy version 2.7.0, and 2.6.1 to 2.6.7 allows a remote attacker to alter a legitimate user's request. As a result, the attacker may obtain sensitive information or caus...Show more HTTP request/response smuggling vulnerability in HAProxy version 2.7.0, and 2.6.1 to 2.6.7 allows a remote attacker to alter a legitimate user's request. As a result, the attacker may obtain sensitive information or cause a denial-of-service (DoS) condition.Show less
CVE-2023-27493 1Envoyproxy 1Envoy Nov 21, 2024 Apr 4, 2023 N/A· v4 9.1 CRITICAL· v3 N/A· v2 Envoy is an open source edge and service proxy designed for cloud-native applications. Prior to versions 1.26.0, 1.25.3, 1.24.4, 1.23.6, and 1.22.9, Envoy does not sanitize or escape request properties when generating re...Show more Envoy is an open source edge and service proxy designed for cloud-native applications. Prior to versions 1.26.0, 1.25.3, 1.24.4, 1.23.6, and 1.22.9, Envoy does not sanitize or escape request properties when generating request headers. This can lead to characters that are illegal in header values to be sent to the upstream service. In the worst case, it can cause upstream service to interpret the original request as two pipelined requests, possibly bypassing the intent of Envoy’s security policy. Versions 1.26.0, 1.25.3, 1.24.4, 1.23.6, and 1.22.9 contain a patch. As a workaround, disable adding request headers based on the downstream request properties, such as downstream certificate properties.Show less
CVE-2023-27491 1Envoyproxy 1Envoy Nov 21, 2024 Apr 4, 2023 N/A· v4 9.1 CRITICAL· v3 N/A· v2 Envoy is an open source edge and service proxy designed for cloud-native applications. Compliant HTTP/1 service should reject malformed request lines. Prior to versions 1.26.0, 1.25.3, 1.24.4, 1.23.6, and 1.22.9, There i...Show more Envoy is an open source edge and service proxy designed for cloud-native applications. Compliant HTTP/1 service should reject malformed request lines. Prior to versions 1.26.0, 1.25.3, 1.24.4, 1.23.6, and 1.22.9, There is a possibility that non compliant HTTP/1 service may allow malformed requests, potentially leading to a bypass of security policies. This issue is fixed in versions 1.26.0, 1.25.3, 1.24.4, 1.23.6, and 1.22.9.Show less
CVE-2023-29141 2Fedoraproject Mediawiki 2Fedora Mediawiki Feb 18, 2025 Mar 31, 2023 N/A· v4 9.8 CRITICAL· v3 N/A· v2 An issue was discovered in MediaWiki before 1.35.10, 1.36.x through 1.38.x before 1.38.6, and 1.39.x before 1.39.3. An auto-block can occur for an untrusted X-Forwarded-For header.
CVE-2023-27522 3Apache DebianUnbit 3Debian Linux Http ServerUwsgi May 1, 2025 Mar 7, 2023 N/A· v4 7.5 HIGH· v3 N/A· v2 HTTP Response Smuggling vulnerability in Apache HTTP Server via mod_proxy_uwsgi. This issue affects Apache HTTP Server: from 2.4.30 through 2.4.55. Special characters in the origin response header can truncate/split the...Show more HTTP Response Smuggling vulnerability in Apache HTTP Server via mod_proxy_uwsgi. This issue affects Apache HTTP Server: from 2.4.30 through 2.4.55. Special characters in the origin response header can truncate/split the response forwarded to the client.Show less
CVE-2023-25690 1Apache 1Http Server Dec 18, 2025 Mar 7, 2023 N/A· v4 9.8 CRITICAL· v3 N/A· v2 Some mod_proxy configurations on Apache HTTP Server versions 2.4.0 through 2.4.55 allow a HTTP Request Smuggling attack. Configurations are affected when mod_proxy is enabled along with some form of RewriteRule or P...Show more Some mod_proxy configurations on Apache HTTP Server versions 2.4.0 through 2.4.55 allow a HTTP Request Smuggling attack. Configurations are affected when mod_proxy is enabled along with some form of RewriteRule or ProxyPassMatch in which a non-specific pattern matches some portion of the user-supplied request-target (URL) data and is then re-inserted into the proxied request-target using variable substitution. For example, something like: RewriteEngine on RewriteRule "^/here/(.*)" "http://example.com:8080/elsewhere?$1"; [P] ProxyPassReverse /here/ http://example.com:8080/ Request splitting/smuggling could result in bypass of access controls in the proxy server, proxying unintended URLs to existing origin servers, and cache poisoning. Users are recommended to update to at least version 2.4.56 of Apache HTTP Server.Show less
CVE-2023-25725 2Debian Haproxy 2Debian Linux Haproxy Mar 20, 2025 Feb 14, 2023 N/A· v4 9.1 CRITICAL· v3 N/A· v2 HAProxy before 2.7.3 may allow a bypass of access control because HTTP/1 headers are inadvertently lost in some situations, aka "request smuggling." The HTTP header parsers in HAProxy may accept empty header field names,...Show more HAProxy before 2.7.3 may allow a bypass of access control because HTTP/1 headers are inadvertently lost in some situations, aka "request smuggling." The HTTP header parsers in HAProxy may accept empty header field names, which could be used to truncate the list of HTTP headers and thus make some headers disappear after being parsed and processed for HTTP/1.0 and HTTP/1.1. For HTTP/2 and HTTP/3, the impact is limited because the headers disappear before being parsed and processed, as if they had not been sent by the client. The fixed versions are 2.7.3, 2.6.9, 2.5.12, 2.4.22, 2.2.29, and 2.0.31.Show less
CVE-2023-23691 1Dell 3Powervault Me5012 Firmware Powervault Me5024 FirmwarePowervault Me5084 Firmware Nov 21, 2024 Jan 20, 2023 N/A· v4 8.8 HIGH· v3 N/A· v2 Dell EMC PV ME5, versions ME5.1.0.0.0 and ME5.1.0.1.0, contains a Client-side desync Vulnerability. An unauthenticated attacker could potentially exploit this vulnerability to force a victim's browser to desynchronize i...Show more Dell EMC PV ME5, versions ME5.1.0.0.0 and ME5.1.0.1.0, contains a Client-side desync Vulnerability. An unauthenticated attacker could potentially exploit this vulnerability to force a victim's browser to desynchronize its connection with the website, typically leading to XSS and DoS. Show less
CVE-2022-36760 1Apache 1Http Server Apr 4, 2025 Jan 17, 2023 N/A· v4 9.0 CRITICAL· v3 N/A· v2 Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling') vulnerability in mod_proxy_ajp of Apache HTTP Server allows an attacker to smuggle requests to the AJP server it forwards requests to. This issue a...Show more Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling') vulnerability in mod_proxy_ajp of Apache HTTP Server allows an attacker to smuggle requests to the AJP server it forwards requests to. This issue affects Apache HTTP Server Apache HTTP Server 2.4 version 2.4.54 and prior versions.Show less
CVE-2022-41721 1Golang 1H2c Apr 4, 2025 Jan 13, 2023 N/A· v4 7.5 HIGH· v3 N/A· v2 A request smuggling attack is possible when using MaxBytesHandler. When using MaxBytesHandler, the body of an HTTP request is not fully consumed. When the server attempts to read HTTP2 frames from the connection, it will...Show more A request smuggling attack is possible when using MaxBytesHandler. When using MaxBytesHandler, the body of an HTTP request is not fully consumed. When the server attempts to read HTTP2 frames from the connection, it will instead be reading the body of the HTTP request, which could be attacker-manipulated to represent arbitrary HTTP2 requests.Show less
CVE-2022-35256 4Debian LlhttpNodejs+1 more 4Debian Linux LlhttpNode.js+1 more Apr 24, 2025 Dec 5, 2022 N/A· v4 6.5 MEDIUM· v3 N/A· v2 The llhttp parser in the http module in Node v18.7.0 does not correctly handle header fields that are not terminated with CLRF. This may result in HTTP Request Smuggling.
CVE-2022-38114 1Solarwinds 1Security Event Manager Nov 21, 2024 Nov 23, 2022 N/A· v4 6.1 MEDIUM· v3 N/A· v2 This vulnerability occurs when a web server fails to correctly process the Content-Length of POST requests. This can lead to HTTP request smuggling or XSS.
CVE-2022-45059 2Fedoraproject Varnish Cache Project 2Fedora Varnish Cache May 1, 2025 Nov 9, 2022 N/A· v4 7.5 HIGH· v3 N/A· v2 An issue was discovered in Varnish Cache 7.x before 7.1.2 and 7.2.x before 7.2.1. A request smuggling attack can be performed on Varnish Cache servers by requesting that certain headers are made hop-by-hop, preventing th...Show more An issue was discovered in Varnish Cache 7.x before 7.1.2 and 7.2.x before 7.2.1. A request smuggling attack can be performed on Varnish Cache servers by requesting that certain headers are made hop-by-hop, preventing the Varnish Cache servers from forwarding critical headers to the backend.Show less
CVE-2022-42252 1Apache 1Tomcat May 6, 2025 Nov 1, 2022 N/A· v4 7.5 HIGH· v3 N/A· v2 If Apache Tomcat 8.5.0 to 8.5.82, 9.0.0-M1 to 9.0.67, 10.0.0-M1 to 10.0.26 or 10.1.0-M1 to 10.1.0 was configured to ignore invalid HTTP headers via setting rejectIllegalHeader to false (the default for 8.5.x only), Tomca...Show more If Apache Tomcat 8.5.0 to 8.5.82, 9.0.0-M1 to 9.0.67, 10.0.0-M1 to 10.0.26 or 10.1.0-M1 to 10.1.0 was configured to ignore invalid HTTP headers via setting rejectIllegalHeader to false (the default for 8.5.x only), Tomcat did not reject a request containing an invalid Content-Length header making a request smuggling attack possible if Tomcat was located behind a reverse proxy that also failed to reject the request with the invalid header.Show less
CVE-2022-2880 1Golang 1Go Nov 21, 2024 Oct 14, 2022 N/A· v4 7.5 HIGH· v3 N/A· v2 Requests forwarded by ReverseProxy include the raw query parameters from the inbound request, including unparsable parameters rejected by net/http. This could permit query parameter smuggling when a Go proxy forwards a p...Show more Requests forwarded by ReverseProxy include the raw query parameters from the inbound request, including unparsable parameters rejected by net/http. This could permit query parameter smuggling when a Go proxy forwards a parameter with an unparsable value. After fix, ReverseProxy sanitizes the query parameters in the forwarded query when the outbound request's Form field is set after the ReverseProxy. Director function returns, indicating that the proxy has parsed the query parameters. Proxies which do not parse query parameters continue to forward the original query parameters unchanged.Show less
CVE-2022-21826 2Ivanti Pulsesecure 2Connect Secure Pulse Connect Secure Nov 21, 2024 Sep 30, 2022 N/A· v4 5.4 MEDIUM· v3 N/A· v2 Pulse Secure version 9.115 and below may be susceptible to client-side http request smuggling, When the application receives a POST request, it ignores the request's Content-Length header and leaves the POST body on the...Show more Pulse Secure version 9.115 and below may be susceptible to client-side http request smuggling, When the application receives a POST request, it ignores the request's Content-Length header and leaves the POST body on the TCP/TLS socket. This body ends up prefixing the next HTTP request sent down that connection, this means when someone loads website attacker may be able to make browser issue a POST to the application, enabling XSS.Show less
CVE-2022-2466 1Quarkus 1Quarkus Nov 21, 2024 Aug 31, 2022 N/A· v4 9.8 CRITICAL· v3 N/A· v2 It was found that Quarkus 2.10.x does not terminate HTTP requests header context which may lead to unpredictable behavior.
CVE-2022-33988 1Dproxy Nexgen Project 1Dproxy Nexgen Nov 21, 2024 Aug 15, 2022 N/A· v4 7.5 HIGH· v3 N/A· v2 dproxy-nexgen (aka dproxy nexgen) re-uses the DNS transaction id (TXID) value from client queries, which allows attackers (able to send queries to the resolver) to conduct DNS cache-poisoning attacks because the TXID val...Show more dproxy-nexgen (aka dproxy nexgen) re-uses the DNS transaction id (TXID) value from client queries, which allows attackers (able to send queries to the resolver) to conduct DNS cache-poisoning attacks because the TXID value is known to the attacker.Show less
CVE-2022-1705 1Golang 1Go Mar 6, 2026 Aug 10, 2022 N/A· v4 6.5 MEDIUM· v3 N/A· v2 Acceptance of some invalid Transfer-Encoding headers in the HTTP/1 client in net/http before Go 1.17.12 and Go 1.18.4 allows HTTP request smuggling if combined with an intermediate server that also improperly fails to re...Show more Acceptance of some invalid Transfer-Encoding headers in the HTTP/1 client in net/http before Go 1.17.12 and Go 1.18.4 allows HTTP request smuggling if combined with an intermediate server that also improperly fails to reject the header as invalid.Show less

Previous 1...8910...17 Next