
CWE-444 (Inconsistent Interpretation of HTTP Requests (HTTP Request Smuggling)) — Vulnerability Class 165

165 vulnerabilities classified as CWE-444 (Inconsistent Interpretation of HTTP Requests (HTTP Request Smuggling)). AI Chinese analysis included.

CWE-444 represents a critical architectural weakness where an intermediary HTTP agent, such as a proxy or firewall, fails to interpret malformed requests consistently with the ultimate destination server. This discrepancy allows attackers to exploit the ambiguity by crafting specially designed HTTP messages that are parsed differently by the front-end and back-end systems. Consequently, an attacker can smuggle malicious requests past security controls, potentially bypassing access restrictions, injecting unauthorized commands, or performing cache poisoning attacks. To mitigate this vulnerability, developers must ensure strict alignment in HTTP parsing logic across all network components. This involves configuring proxies and servers to use identical parsing standards, validating request boundaries rigorously, and employing modern frameworks that explicitly handle ambiguous headers. Regular security testing and automated fuzzing further help identify inconsistencies before deployment, ensuring that all entities in the data flow interpret messages uniformly.

MITRE CWE Description
The product acts as an intermediary HTTP agent (such as a proxy or firewall) in the data flow between two entities such as a client and server, but it does not interpret malformed HTTP requests or responses in ways that are consistent with how the messages will be processed by those entities that are at the ultimate destination. HTTP requests or responses ("messages") can be malformed or unexpected in ways that cause web servers or clients to interpret the messages in different ways than intermediary HTTP agents such as load balancers, reverse proxies, web caching proxies, application firewalls, etc. For example, an adversary may be able to add duplicate or different header fields that a client or server might interpret as one set of messages, whereas the intermediary might interpret the same sequence of bytes as a different set of messages. For example, discrepancies can arise in how to handle duplicate headers like two Transfer-encoding (TE) or two Content-length (CL), or the malicious HTTP message will have different headers for TE and CL. The inconsistent parsing and interpretation of messages can allow the adversary to "smuggle" a message to the client/server without the intermediary being aware of it. This weakness is usually the result of the usage of outdated or incompatible HTTP protocol versions in the HTTP agents.
Common Consequences (1)
Scope: Integrity, Non-Repudiation, Access Control. Technical impact: Unexpected State, Hide Activities, Bypass Protection Mechanism.
An attacker could create HTTP messages to exploit a number of weaknesses including 1) the message can trick the web server to associate a URL with another URL's webpage and caching the contents of the webpage (web cache poisoning attack), 2) the message can be structured to bypass the firewall prote…
Mitigations (4)
Phase: Implementation. Use a web server that employs a strict HTTP parsing procedure, such as Apache [REF-433].
Phase: Implementation. Use only SSL communication.
Phase: Implementation. Terminate the client session after each request.
Phase: System Configuration. Turn all pages to non-cacheable.
Examples (2)
In the following example, a malformed HTTP request is sent to a website that includes a proxy server and a web server with the intent of poisoning the cache to associate one webpage with another malicious webpage.
Attack

    POST http://www.website.com/foobar.html HTTP/1.1
    Host: www.website.com
    Connection: Keep-Alive
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 0
    Content-Length: 54

    GET /poison.html HTTP/1.1
    Host: www.website.com
    Bla: GET http://www.website.com/page_to_poison.html HTTP/1.1
    Host: www.website.com
    Connection: Keep-Alive

Result

    GET /poison.html HTTP/1.1
    Host: www.website.com
    Bla:
In the following example, a malformed HTTP request is sent to a website that includes a web server with a firewall with the intent of bypassing the web server firewall to smuggle malicious code into the system.
Attack

    POST /page.asp HTTP/1.1
    Host: www.website.com
    Connection: Keep-Alive
    Content-Length: 49223

    zzz...zzz ["z" x 49152]
    POST /page.asp HTTP/1.0
    Connection: Keep-Alive
    Content-Length: 30

    POST /page.asp HTTP/1.0
    Bla: POST /page.asp?cmd.exe HTTP/1.0
    Connection: Keep-Alive
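The "strict HTTP parsing procedure" mitigation listed above amounts to refusing any request whose body length is ambiguous instead of picking one interpretation and hoping the next hop picks the same one. The Python below is an added example, not MITRE's text and not code from any product in the CVE list. It applies the RFC 9112 message-framing rules to a raw request head: it rejects duplicate Content-Length fields (the CL.CL case in the first example), a Content-Length alongside Transfer-Encoding, Transfer-Encoding in an HTTP/1.0 request, a Transfer-Encoding that is not exactly `chunked` (compared case-insensitively), whitespace before a header colon, obsolete line folding, and bare CR or LF inside the header block. The sample requests are constructed; the first is the page's cache-poisoning request reduced to its two Content-Length headers.

```python
"""Strict HTTP/1.1 request-head framing check (added example, not MITRE code).

A front end and back end that both apply these rules cannot disagree about
where one request ends and the next begins, which is the condition CWE-444
depends on. Framing rules follow RFC 9112 section 6. Samples are constructed.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

TOKEN = re.compile(r"^[!#$%&'*+.^_`|~0-9A-Za-z-]+$")   # RFC 9110 token
DIGITS = re.compile(r"^[0-9]+$")


@dataclass
class Framing:
    ok: bool
    mode: str      # "none", "content-length" or "chunked"
    length: int    # declared body length when mode == "content-length"
    reason: str    # why the request was refused, empty when ok


def parse_head(raw: bytes) -> tuple[str, list[tuple[str, str]]]:
    """Split a request head into its request line and (name, value) headers.

    Only CRLF terminates a line and header names must be tokens, so a bare
    LF, a stray CR, 'Transfer-Encoding : chunked' or a folded continuation
    line is refused rather than silently normalised.
    """
    head, sep, _body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete header block")
    lines = head.split(b"\r\n")
    if any(b"\n" in line or b"\r" in line for line in lines):
        raise ValueError("bare CR or LF inside header block")
    request_line = lines[0].decode("ascii")
    headers = []
    for line in lines[1:]:
        if line[:1] in (b" ", b"\t"):
            raise ValueError("obsolete line folding not accepted")
        name, colon, value = line.partition(b":")
        if not colon or not TOKEN.match(name.decode("latin-1")):
            raise ValueError(f"malformed header field: {line!r}")
        headers.append((name.decode("ascii").lower(), value.strip().decode("latin-1")))
    return request_line, headers


def framing(version: str, headers: list[tuple[str, str]]) -> Framing:
    """Decide how the body is delimited, or refuse if the answer is ambiguous."""
    cls = [v for k, v in headers if k == "content-length"]
    tes = [v for k, v in headers if k == "transfer-encoding"]
    if tes and cls:
        return Framing(False, "none", 0, "both Transfer-Encoding and Content-Length present")
    if tes:
        if version == "HTTP/1.0":   # RFC 9112 6.1: TE in a 1.0 message is faulty framing
            return Framing(False, "none", 0, "Transfer-Encoding in an HTTP/1.0 request")
        codings = [c.strip().lower() for v in tes for c in v.split(",")]
        if codings != ["chunked"]:
            return Framing(False, "none", 0, f"unsupported Transfer-Encoding {codings}")
        return Framing(True, "chunked", 0, "")
    if len(cls) > 1:                # strict: refuse duplicates even when the values agree
        return Framing(False, "none", 0, f"duplicate Content-Length headers {cls}")
    if cls:
        if not DIGITS.match(cls[0]):   # no sign, whitespace, or comma list
            return Framing(False, "none", 0, f"non-numeric Content-Length {cls[0]!r}")
        return Framing(True, "content-length", int(cls[0]), "")
    return Framing(True, "none", 0, "")


def check_request(raw: bytes) -> Framing:
    """Return the framing decision for one raw request head (body excluded)."""
    try:
        request_line, headers = parse_head(raw)
    except (ValueError, UnicodeDecodeError) as exc:
        return Framing(False, "none", 0, str(exc))
    parts = request_line.split(" ")
    if len(parts) != 3 or not TOKEN.match(parts[0]) or parts[2] not in ("HTTP/1.0", "HTTP/1.1"):
        return Framing(False, "none", 0, f"malformed request line: {request_line!r}")
    return framing(parts[2], headers)


# Constructed samples. CL_CL is the page's first example cut down to its two
# conflicting Content-Length headers; the others use the reserved example.test name.
CL_CL = (b"POST http://www.website.com/foobar.html HTTP/1.1\r\nHost: www.website.com\r\n"
         b"Content-Length: 0\r\nContent-Length: 54\r\n\r\n")
TE_CL = b"POST / HTTP/1.1\r\nHost: example.test\r\nTransfer-Encoding: chunked\r\nContent-Length: 4\r\n\r\n"
TE_10 = b"POST / HTTP/1.0\r\nHost: example.test\r\nTransfer-Encoding: chunked\r\n\r\n"
SPACE_TE = b"POST / HTTP/1.1\r\nHost: example.test\r\nTransfer-Encoding : chunked\r\n\r\n"
BARE_LF = b"POST / HTTP/1.1\r\nHost: example.test\nContent-Length: 5\r\n\r\n"
CHUNKED = b"POST / HTTP/1.1\r\nHost: example.test\r\nTransfer-Encoding: Chunked\r\n\r\n"
GOOD = b"POST / HTTP/1.1\r\nHost: example.test\r\nContent-Length: 12\r\n\r\n"

if __name__ == "__main__":
    for label, sample in [("CL.CL", CL_CL), ("TE+CL", TE_CL), ("TE/1.0", TE_10),
                          ("space-before-colon", SPACE_TE), ("bare LF", BARE_LF),
                          ("chunked", CHUNKED), ("single CL", GOOD)]:
        print(f"{label:20} {check_request(sample)}")
```

Refusing with a 400 and closing the connection, rather than choosing the first or last header, is the behaviour that removes the desynchronisation: the CVE rows below for first-wins Content-Length parsing, case-sensitive Transfer-Encoding handling, and HTTP/1.0 Transfer-Encoding misparsing each describe an implementation that chose an interpretation instead.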
CVE ID | Title | CVSS | Severity | Published
(AI) marks a value the page flags with its AI badge.
CVE-2026-40562 | Gazelle versions through 0.49 for Perl allows HTTP Request Smuggling via Improper Header Precedence — Gazelle | 7.5 (AI) | High (AI) | 2026-05-06
CVE-2026-40561 | Starlet versions through 0.31 for Perl allows HTTP Request Smuggling via Improper Header Precedence — Starlet | 7.5 | - | 2026-05-03
CVE-2026-39805 | CL.CL HTTP request smuggling via duplicate Content-Length in bandit — bandit | 9.1 | - | 2026-05-01
CVE-2026-40560 | Starman versions before 0.4018 for Perl allows HTTP Request Smuggling via Improper Header Precedence — Starman | 7.5 (AI) | High (AI) | 2026-04-28
CVE-2026-41873 | Pony Mail: Admin account takeover via request smuggling — Pony Mail | 9.8 (AI) | Critical (AI) | 2026-04-28
CVE-2026-2708 | Libsoup: libsoup: http request smuggling via duplicate content-length headers — Red Hat Enterprise Linux 10 | 3.7 | Low | 2026-04-23
CVE-2025-31958 | HCL BigFix Service Management (SM) is susceptible to HTTP Request Smuggling — BigFix Service Management (SM) | 3.7 | Low | 2026-04-21
CVE-2026-2332 | HTTP Request Smuggling via Chunked Extension Quoted-String Parsing — Eclipse Jetty | 7.4 | High | 2026-04-14
CVE-2026-24880 | Apache Tomcat: Request smuggling via invalid chunk extension — Apache Tomcat | 9.1 (AI) | Critical (AI) | 2026-04-09
CVE-2026-31842 | Tinyproxy HTTP request parsing desynchronization via case-sensitive Transfer-Encoding handling — Tinyproxy | 7.5 | High | 2026-04-07
CVE-2025-65114 | Apache Traffic Server: Malformed chunked message body allows request smuggling — Apache Traffic Server | 7.5 (AI) | High (AI) | 2026-04-02
CVE-2026-1491 | Security Vulnerabilities have been found in IBM Verify Identity Access and IBM Security Verify Access — Verify Identity Access Container | 5.3 | Medium | 2026-04-01
CVE-2026-2862 | Security Vulnerabilities have been found in IBM Verify Identity Access and IBM Security Verify Access — Verify Identity Access Container | 5.3 | Medium | 2026-04-01
CVE-2026-34441 | cpp-httplib: HTTP Request Smuggling via Unconsumed GET Request Body — cpp-httplib | 4.8 | Medium | 2026-03-31
CVE-2026-33870 | Netty: HTTP Request Smuggling via Chunked Extension Quoted-String Parsing — netty | 7.5 | High | 2026-03-27
CVE-2026-28369 | Undertow: undertow: request smuggling via malformed http request headers — Red Hat build of Apache Camel for Spring Boot 4 | 8.7 | High | 2026-03-27
CVE-2026-28367 | Undertow: undertow: request smuggling via `\r\r\r` as a header block terminator — Red Hat build of Apache Camel for Spring Boot 4 | 8.7 | High | 2026-03-27
CVE-2026-28368 | Undertow: undertow: request smuggling via inconsistent header parsing — Red Hat build of Apache Camel for Spring Boot 4 | 8.7 | High | 2026-03-27
CVE-2026-4742 | HTTP Request Smuggling in visualfc/liteide — liteide | 6.5 | - | 2026-03-24
CVE-2026-29057 | Next.js: HTTP request smuggling in rewrites — next.js | 9.1 | - | 2026-03-18
CVE-2026-23941 | Request smuggling via first-wins Content-Length parsing in inets httpd — OTP | 8.2 | - | 2026-03-13
CVE-2026-1525 | undici is vulnerable to Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') — undici | 6.5 | Medium | 2026-03-12
CVE-2026-32239 | Cap'n Proto has an integer overflow in KJ-HTTP — capnproto | 7.5 (AI) | High (AI) | 2026-03-12
CVE-2026-2835 | HTTP Request Smuggling via HTTP/1.0 and Transfer-Encoding Misparsing — https://github.com/cloudflare/pingora | 7.5 (AI) | High (AI) | 2026-03-04
CVE-2026-2833 | HTTP Request Smuggling via Premature Upgrade — https://github.com/cloudflare/pingora | 7.5 (AI) | High (AI) | 2026-03-04
CVE-2026-20069 | Cisco Secure Firewall Adaptive Security Appliance and Secure Firewall Threat Defense Software VPN Web Services Client-Side Request Smuggling Vulnerability — Cisco Secure Firewall Adaptive Security Appliance (ASA) Software | 4.3 | Medium | 2026-03-04
CVE-2026-26365 | Akamai Ghost environment issue vulnerability — Ghost | 4.0 | Medium | 2026-02-23
CVE-2025-12811 | Cloud Suite and Privilege Access Service – HTTP request smuggling vulnerability — Cloud Suite and Privileged Access Service | 8.2 (AI) | High (AI) | 2026-02-18
CVE-2025-55018 | Fortinet FortiOS environment issue vulnerability — FortiOS | 5.2 | Medium | 2026-02-10
CVE-2026-1801 | Libsoup: libsoup: http request smuggling via malformed chunk headers — Red Hat Enterprise Linux 10 | 5.3 | Medium | 2026-02-03

Vulnerabilities classified as CWE-444 (Inconsistent Interpretation of HTTP Requests (HTTP Request Smuggling)) represent 165 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.