Vulnerabilities > Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')

DATE CVE VULNERABILITY TITLE RISK
2023-01-13 CVE-2022-41721 HTTP Request Smuggling vulnerability in Golang H2C
A request smuggling attack is possible when using MaxBytesHandler.
network
low complexity
golang CWE-444
7.5
2022-12-05 CVE-2022-35256 HTTP Request Smuggling vulnerability in multiple products
The llhttp parser in the http module in Node v18.7.0 does not correctly handle header fields that are not terminated with CLRF.
network
low complexity
nodejs llhttp siemens debian CWE-444
6.5
2022-11-23 CVE-2022-38114 HTTP Request Smuggling vulnerability in Solarwinds Security Event Manager
This vulnerability occurs when a web server fails to correctly process the Content-Length of POST requests.
network
low complexity
solarwinds CWE-444
6.1
2022-11-09 CVE-2022-45059 HTTP Request Smuggling vulnerability in multiple products
An issue was discovered in Varnish Cache 7.x before 7.1.2 and 7.2.x before 7.2.1.
7.5
2022-11-01 CVE-2022-42252 HTTP Request Smuggling vulnerability in Apache Tomcat
If Apache Tomcat 8.5.0 to 8.5.82, 9.0.0-M1 to 9.0.67, 10.0.0-M1 to 10.0.26 or 10.1.0-M1 to 10.1.0 was configured to ignore invalid HTTP headers via setting rejectIllegalHeader to false (the default for 8.5.x only), Tomcat did not reject a request containing an invalid Content-Length header making a request smuggling attack possible if Tomcat was located behind a reverse proxy that also failed to reject the request with the invalid header.
network
low complexity
apache CWE-444
7.5
2022-10-14 CVE-2022-2880 HTTP Request Smuggling vulnerability in Golang GO
Requests forwarded by ReverseProxy include the raw query parameters from the inbound request, including unparsable parameters rejected by net/http.
network
low complexity
golang CWE-444
7.5
2022-09-30 CVE-2022-21826 HTTP Request Smuggling vulnerability in multiple products
Pulse Secure version 9.115 and below may be susceptible to client-side http request smuggling, When the application receives a POST request, it ignores the request's Content-Length header and leaves the POST body on the TCP/TLS socket.
network
low complexity
pulsesecure ivanti CWE-444
5.4
2022-08-10 CVE-2022-1705 HTTP Request Smuggling vulnerability in Golang GO
Acceptance of some invalid Transfer-Encoding headers in the HTTP/1 client in net/http before Go 1.17.12 and Go 1.18.4 allows HTTP request smuggling if combined with an intermediate server that also improperly fails to reject the header as invalid.
network
low complexity
golang CWE-444
6.5
2022-08-10 CVE-2022-25763 HTTP Request Smuggling vulnerability in multiple products
Improper Input Validation vulnerability in HTTP/2 request validation of Apache Traffic Server allows an attacker to create smuggle or cache poison attacks.
network
low complexity
apache debian fedoraproject CWE-444
7.5
2022-07-14 CVE-2022-32213 HTTP Request Smuggling vulnerability in multiple products
The llhttp parser <v14.20.1, <v16.17.1 and <v18.9.1 in the http module in Node.js does not correctly parse and validate Transfer-Encoding headers and can lead to HTTP Request Smuggling (HRS).
6.5