Total
247 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-23167 | 2025-05-19 | N/A | 6.5 MEDIUM | ||
| A flaw in Node.js 20's HTTP parser allows improper termination of HTTP/1 headers using `\r\n\rX` instead of the required `\r\n\r\n`. This inconsistency enables request smuggling, allowing attackers to bypass proxy-based access controls and submit unauthorized requests. The issue was resolved by upgrading `llhttp` to version 9, which enforces correct header termination. Impact: * This vulnerability affects only Node.js 20.x users prior to the `llhttp` v9 upgrade. | |||||
| CVE-2025-47905 | 2025-05-16 | N/A | 5.4 MEDIUM | ||
| Varnish Cache before 7.6.3 and 7.7 before 7.7.1, and Varnish Enterprise before 6.0.13r14, allow client-side desync via HTTP/1 requests, because the product incorrectly permits CRLF to be skipped to delimit chunk boundaries. | |||||
| CVE-2024-56523 | 2025-05-12 | N/A | 9.1 CRITICAL | ||
| Radware Cloud Web Application Firewall (WAF) before 2025-05-07 allows remote attackers to bypass firewall filters by placing random data in the HTTP request body when using the HTTP GET method. | |||||
| CVE-2024-20915 | 1 Oracle | 1 Application Object Library | 2025-05-07 | N/A | 5.3 MEDIUM |
| Vulnerability in the Oracle Application Object Library product of Oracle E-Business Suite (component: Login - SSO). Supported versions that are affected are 12.2.3-12.2.13. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Application Object Library. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Application Object Library. CVSS 3.1 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L). | |||||
| CVE-2024-34535 | 1 Joinmastodon | 1 Mastodon | 2025-05-06 | N/A | 5.9 MEDIUM |
| In Mastodon 4.1.6, API endpoint rate limiting can be bypassed by setting a crafted HTTP request header. | |||||
| CVE-2022-42252 | 1 Apache | 1 Tomcat | 2025-05-06 | N/A | 7.5 HIGH |
| If Apache Tomcat 8.5.0 to 8.5.82, 9.0.0-M1 to 9.0.67, 10.0.0-M1 to 10.0.26 or 10.1.0-M1 to 10.1.0 was configured to ignore invalid HTTP headers via setting rejectIllegalHeader to false (the default for 8.5.x only), Tomcat did not reject a request containing an invalid Content-Length header making a request smuggling attack possible if Tomcat was located behind a reverse proxy that also failed to reject the request with the invalid header. | |||||
| CVE-2023-51747 | 1 Apache | 1 James | 2025-05-05 | N/A | 7.1 HIGH |
| Apache James prior to versions 3.8.1 and 3.7.5 is vulnerable to SMTP smuggling. A lenient behaviour in line delimiter handling might create a difference of interpretation between the sender and the receiver which can be exploited by an attacker to forge an SMTP envelop, allowing for instance to bypass SPF checks. The patch implies enforcement of CRLF as a line delimiter as part of the DATA transaction. We recommend James users to upgrade to non vulnerable versions. | |||||
| CVE-2020-11993 | 7 Apache, Canonical, Debian and 4 more | 13 Http Server, Ubuntu Linux, Debian Linux and 10 more | 2025-05-01 | 4.3 MEDIUM | 7.5 HIGH |
| Apache HTTP Server versions 2.4.20 to 2.4.43 When trace/debug was enabled for the HTTP/2 module and on certain traffic edge patterns, logging statements were made on the wrong connection, causing concurrent use of memory pools. Configuring the LogLevel of mod_http2 above "info" will mitigate this vulnerability for unpatched servers. | |||||
| CVE-2022-26377 | 3 Apache, Fedoraproject, Netapp | 3 Http Server, Fedora, Clustered Data Ontap | 2025-05-01 | 5.0 MEDIUM | 7.5 HIGH |
| Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling') vulnerability in mod_proxy_ajp of Apache HTTP Server allows an attacker to smuggle requests to the AJP server it forwards requests to. This issue affects Apache HTTP Server Apache HTTP Server 2.4 version 2.4.53 and prior versions. | |||||
| CVE-2023-27522 | 3 Apache, Debian, Unbit | 3 Http Server, Debian Linux, Uwsgi | 2025-05-01 | N/A | 7.5 HIGH |
| HTTP Response Smuggling vulnerability in Apache HTTP Server via mod_proxy_uwsgi. This issue affects Apache HTTP Server: from 2.4.30 through 2.4.55. Special characters in the origin response header can truncate/split the response forwarded to the client. | |||||
| CVE-2022-45059 | 2 Fedoraproject, Varnish Cache Project | 2 Fedora, Varnish Cache | 2025-05-01 | N/A | 7.5 HIGH |
| An issue was discovered in Varnish Cache 7.x before 7.1.2 and 7.2.x before 7.2.1. A request smuggling attack can be performed on Varnish Cache servers by requesting that certain headers are made hop-by-hop, preventing the Varnish Cache servers from forwarding critical headers to the backend. | |||||
| CVE-2024-53868 | 1 Apache | 1 Traffic Server | 2025-04-29 | N/A | 7.5 HIGH |
| Apache Traffic Server allows request smuggling if chunked messages are malformed. This issue affects Apache Traffic Server: from 9.2.0 through 9.2.9, from 10.0.0 through 10.0.4. Users are recommended to upgrade to version 9.2.10 or 10.0.5, which fixes the issue. | |||||
| CVE-2025-43859 | 2025-04-29 | N/A | 9.1 CRITICAL | ||
| h11 is a Python implementation of HTTP/1.1. Prior to version 0.16.0, a leniency in h11's parsing of line terminators in chunked-coding message bodies can lead to request smuggling vulnerabilities under certain conditions. This issue has been patched in version 0.16.0. Since exploitation requires the combination of buggy h11 with a buggy (reverse) proxy, fixing either component is sufficient to mitigate this issue. | |||||
| CVE-2024-35538 | 1 Typecho | 1 Typecho | 2025-04-28 | N/A | 5.3 MEDIUM |
| Typecho v1.3.0 was discovered to contain a Client IP Spoofing vulnerability, which allows attackers to falsify their IP addresses by specifying an arbitrary IP as value of X-Forwarded-For or Client-Ip headers while performing HTTP requests. | |||||
| CVE-2022-35256 | 4 Debian, Llhttp, Nodejs and 1 more | 4 Debian Linux, Llhttp, Node.js and 1 more | 2025-04-24 | N/A | 6.5 MEDIUM |
| The llhttp parser in the http module in Node v18.7.0 does not correctly handle header fields that are not terminated with CLRF. This may result in HTTP Request Smuggling. | |||||
| CVE-2024-33452 | 2025-04-23 | N/A | 7.7 HIGH | ||
| An issue in OpenResty lua-nginx-module v.0.10.26 and before allows a remote attacker to conduct HTTP request smuggling via a crafted HEAD request. | |||||
| CVE-2024-29643 | 2025-04-22 | N/A | 9.1 CRITICAL | ||
| An issue in croogo v.3.0.2 allows an attacker to perform Host header injection via the feed.rss component. | |||||
| CVE-2015-5740 | 3 Fedoraproject, Golang, Redhat | 6 Fedora, Go, Enterprise Linux Server and 3 more | 2025-04-20 | 7.5 HIGH | 9.8 CRITICAL |
| The net/http library in net/http/transfer.go in Go before 1.4.3 does not properly parse HTTP headers, which allows remote attackers to conduct HTTP request smuggling attacks via a request with two Content-length headers. | |||||
| CVE-2017-15643 | 1 Ikarussecurity | 1 Ikarus Antivirus | 2025-04-20 | 7.6 HIGH | 7.4 HIGH |
| An active network attacker (MiTM) can achieve remote code execution on a machine that runs IKARUS Anti Virus 2.16.7. IKARUS AV for Windows uses cleartext HTTP for updates along with a CRC32 checksum and an update value for verification of the downloaded files. The attacker first forces the client to initiate an update transaction by modifying an update field within an HTTP 200 response, so that it refers to a nonexistent update. The attacker then modifies the HTTP 404 response so that it specifies a successfully found update, with a Trojan horse executable file (e.g., guardxup.exe) and the correct CRC32 checksum for that file. | |||||
| CVE-2015-5739 | 3 Fedoraproject, Golang, Redhat | 6 Fedora, Go, Enterprise Linux Server and 3 more | 2025-04-20 | 7.5 HIGH | 9.8 CRITICAL |
| The net/http library in net/textproto/reader.go in Go before 1.4.3 does not properly parse HTTP header keys, which allows remote attackers to conduct HTTP request smuggling attacks via a space instead of a hyphen, as demonstrated by "Content Length" instead of "Content-Length." | |||||