
CWE-444 (Inconsistent Interpretation of HTTP Requests (HTTP Request Smuggling)) — Vulnerability Class 165

165 vulnerabilities classified as CWE-444 (Inconsistent Interpretation of HTTP Requests (HTTP Request Smuggling)). AI Chinese analysis included.

CWE-444 represents a critical architectural weakness where an intermediary HTTP agent, such as a proxy or firewall, fails to interpret malformed requests consistently with the ultimate destination server. This discrepancy allows attackers to exploit the ambiguity by crafting specially designed HTTP messages that are parsed differently by the front-end and back-end systems. Consequently, an attacker can smuggle malicious requests past security controls, potentially bypassing access restrictions, injecting unauthorized commands, or performing cache poisoning attacks. To mitigate this vulnerability, developers must ensure strict alignment in HTTP parsing logic across all network components. This involves configuring proxies and servers to use identical parsing standards, validating request boundaries rigorously, and employing modern frameworks that explicitly handle ambiguous headers. Regular security testing and automated fuzzing further help identify inconsistencies before deployment, ensuring that all entities in the data flow interpret messages uniformly.

MITRE CWE Description
The product acts as an intermediary HTTP agent (such as a proxy or firewall) in the data flow between two entities such as a client and server, but it does not interpret malformed HTTP requests or responses in ways that are consistent with how the messages will be processed by those entities that are at the ultimate destination. HTTP requests or responses ("messages") can be malformed or unexpected in ways that cause web servers or clients to interpret the messages in different ways than intermediary HTTP agents such as load balancers, reverse proxies, web caching proxies, application firewalls, etc. For example, an adversary may be able to add duplicate or different header fields that a client or server might interpret as one set of messages, whereas the intermediary might interpret the same sequence of bytes as a different set of messages. For example, discrepancies can arise in how to handle duplicate headers like two Transfer-encoding (TE) or two Content-length (CL), or the malicious HTTP message will have different headers for TE and CL. The inconsistent parsing and interpretation of messages can allow the adversary to "smuggle" a message to the client/server without the intermediary being aware of it. This weakness is usually the result of the usage of outdated or incompatible HTTP protocol versions in the HTTP agents.
Common Consequences (1)
Scope: Integrity, Non-Repudiation, Access Control. Impact: Unexpected State, Hide Activities, Bypass Protection Mechanism.
An attacker could create HTTP messages to exploit a number of weaknesses including 1) the message can trick the web server to associate a URL with another URL's webpage and caching the contents of the webpage (web cache poisoning attack), 2) the message can be structured to bypass the firewall prote…
Mitigations (4)
Implementation: Use a web server that employs a strict HTTP parsing procedure, such as Apache [REF-433].
Implementation: Use only SSL communication.
Implementation: Terminate the client session after each request.
System Configuration: Turn all pages to non-cacheable.
Examples (2)
In the following example, a malformed HTTP request is sent to a website that includes a proxy server and a web server with the intent of poisoning the cache to associate one webpage with another malicious webpage.
Attack:

    POST http://www.website.com/foobar.html HTTP/1.1
    Host: www.website.com
    Connection: Keep-Alive
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 0
    Content-Length: 54

    GET /poison.html HTTP/1.1
    Host: www.website.com
    Bla: GET http://www.website.com/page_to_poison.html HTTP/1.1
    Host: www.website.com
    Connection: Keep-Alive

Result:

    GET /poison.html HTTP/1.1
    Host: www.website.com
    Bla:
In the following example, a malformed HTTP request is sent to a website that includes a web server with a firewall with the intent of bypassing the web server firewall to smuggle malicious code into the system.
Attack:

    POST /page.asp HTTP/1.1
    Host: www.website.com
    Connection: Keep-Alive
    Content-Length: 49223

    zzz...zzz ["z" x 49152]
    POST /page.asp HTTP/1.0
    Connection: Keep-Alive
    Content-Length: 30

    POST /page.asp HTTP/1.0
    Bla: POST /page.asp?cmd.exe HTTP/1.0
    Connection: Keep-Alive
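A strict front-end check for the duplicate and conflicting Content-Length / Transfer-Encoding cases named in the description, run against the head of the first example request. This is an added example, not code from MITRE or from any product listed on this page; the function name `framing_problems` and the sample byte strings are constructed for illustration.

```python
# Constructed sample: header section of the cache-poisoning request above.
SMUGGLE_HEAD = (
    b"POST http://www.website.com/foobar.html HTTP/1.1\r\n"
    b"Host: www.website.com\r\n"
    b"Connection: Keep-Alive\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 0\r\n"
    b"Content-Length: 54\r\n"
    b"\r\n"
)
# Constructed sample: the same request with a single, unambiguous length.
CLEAN_HEAD = (
    b"POST /foobar.html HTTP/1.1\r\n"
    b"Host: www.website.com\r\n"
    b"Content-Length: 54\r\n"
    b"\r\n"
)


def framing_problems(raw_head: bytes) -> list[str]:
    """Return the reasons to reject a request head; empty list if framing is unambiguous."""
    problems = []
    head = raw_head.split(b"\r\n\r\n", 1)[0]
    content_lengths, transfer_encodings = [], []
    for line in head.split(b"\r\n")[1:]:          # skip the request line
        name, sep, value = line.partition(b":")
        if not sep:
            problems.append("malformed header line")
            continue
        key = name.strip().lower()
        if key == b"content-length":
            content_lengths.append(value.strip())
        elif key == b"transfer-encoding":
            transfer_encodings.append(value.strip().lower())
    # Strict policy: reject any duplicate, even if the values are identical,
    # so no two hops can disagree about which header wins.
    if len(content_lengths) > 1:
        problems.append("multiple Content-Length headers")
    if any(not v.isdigit() for v in content_lengths):
        problems.append("non-numeric Content-Length")
    if len(transfer_encodings) > 1:
        problems.append("multiple Transfer-Encoding headers")
    if content_lengths and transfer_encodings:
        problems.append("both Content-Length and Transfer-Encoding present")
    return problems


if __name__ == "__main__":
    for label, head in (("smuggle", SMUGGLE_HEAD), ("clean", CLEAN_HEAD)):
        print(label, framing_problems(head) or "accept")
```

A component that rejects every request for which this list is non-empty never has to choose between the two lengths, which is the choice the proxy and the web server make differently in the example.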
CVE ID | Title | CVSS | Severity | Published
CVE-2025-30346 | Varnish Cache and Varnish Enterprise security vulnerability — Varnish Cache | 5.4 | Medium | 2025-03-21
CVE-2024-10264 | HTTP Request Smuggling in netease-youdao/qanything — netease-youdao/qanything | 9.8 | - | 2025-03-20
CVE-2024-6827 | HTTP Request Smuggling in benoitc/gunicorn — benoitc/gunicorn | 9.8 | - | 2025-03-20
CVE-2025-29904 | JetBrains Ktor environment issue vulnerability — Ktor | 5.3 | Medium | 2025-03-12
CVE-2025-1867 | HTTP Response Smuggling Vulnerability in libhv — libhv | 6.5 | - | 2025-03-03
CVE-2025-0752 | Envoyproxy: openshift service mesh envoy http header sanitization bypass leading to dos and unauthorized access | 7.1 | High | 2025-01-28
CVE-2024-12397 | Io.quarkus.http/quarkus-http-core: quarkus http cookie smuggling | 7.4 | High | 2024-12-12
CVE-2024-53008 | HAProxy security vulnerability — HAProxy 2.6 | 5.3 (AI) | Medium (AI) | 2024-11-28
CVE-2024-9666 | Org.keycloak/keycloak-quarkus-server: keycloak proxy header handling denial-of-service (dos) vulnerability | 4.7 | Medium | 2024-11-25
CVE-2024-52304 | aiohttp vulnerable to request smuggling due to incorrect parsing of chunk extensions — aiohttp | 7.5 | - | 2024-11-18
CVE-2023-4639 | Undertow: cookie smuggling/spoofing — Migration Toolkit for Runtimes 1 on RHEL 8 | 7.4 | High | 2024-11-17
CVE-2024-8912 | HTTP Request Smuggling in Looker — Looker | 8.2 (AI) | High (AI) | 2024-10-11
CVE-2024-9622 | Resteasy-netty4-cdi: resteasy-netty4: resteasy-reactor-netty: http request smuggling leading to client timeouts in resteasy-netty4 | 5.3 | Medium | 2024-10-08
CVE-2024-42342 | Loway - CWE-444: Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') — QueueMetrics | 4.3 | Medium | 2024-09-08
CVE-2024-41671 | twisted.web has disordered HTTP pipeline response — twisted | 8.3 | High | 2024-07-29
CVE-2023-38522 | Apache Traffic Server: Incomplete field name check allows request smuggling — Apache Traffic Server | 5.3 | - | 2024-07-26
CVE-2024-35161 | Apache Traffic Server: Incomplete check for chunked trailer section allows request smuggling — Apache Traffic Server | 5.3 | - | 2024-07-26
CVE-2016-15039 | mhuertos phpLDAPadmin ajax_functions.js makeHttpRequest request smuggling — phpLDAPadmin | 6.3 | Medium | 2024-07-11
CVE-2024-22279 | GoRouter Denial of Service Attack — Routing Release | 5.9 | Medium | 2024-06-10
CVE-2024-23316 | PingAccess HTTP Request Desynchronization Weakness — PingAccess | 7.5 | - | 2024-05-31
CVE-2024-34350 | Next.js Vulnerable to HTTP Request Smuggling — next.js | 7.5 | High | 2024-05-09
CVE-2024-32638 | Apache APISIX: Forward-Auth Request Smuggling — Apache APISIX | 9.1 | - | 2024-05-02
CVE-2024-1135 | HTTP Request Smuggling in benoitc/gunicorn — benoitc/gunicorn | 8.2 | - | 2024-04-16
CVE-2024-27922 | HTTP Handling Vulnerability in the Bare server — bare-server-node | 9.8 | Critical | 2024-03-06
CVE-2024-23452 | Apache bRPC: HTTP request smuggling vulnerability — Apache bRPC | 8.2 | - | 2024-02-08
CVE-2024-23829 | aiohttp's HTTP parser (the python one, not llhttp) still overly lenient about separators — aiohttp | 6.5 | Medium | 2024-01-29
CVE-2023-51701 | @fastify-reply-from JSON Content-Type parsing confusion — fastify-reply-from | 5.3 | Medium | 2024-01-08
CVE-2024-21647 | HTTP Request/Response Smuggling in puma — puma | 5.9 | Medium | 2024-01-08
CVE-2023-49584 | Client-Side Desynchronization vulnerability in SAP Fiori Launchpad — SAP Fiori Launchpad | 4.3 | Medium | 2023-12-12
CVE-2023-46589 | Apache Tomcat: HTTP request smuggling via malformed trailer headers — Apache Tomcat | 7.5 | - | 2023-11-28

Vulnerabilities classified as CWE-444 (Inconsistent Interpretation of HTTP Requests (HTTP Request Smuggling)) represent 165 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.