CWE-444 (Inconsistent Interpretation of HTTP Requests (HTTP Request Smuggling)) — Vulnerability Class 165

165 vulnerabilities classified as CWE-444 (Inconsistent Interpretation of HTTP Requests (HTTP Request Smuggling)). AI Chinese analysis included.

CWE-444 represents a critical architectural weakness where an intermediary HTTP agent, such as a proxy or firewall, fails to interpret malformed requests consistently with the ultimate destination server. This discrepancy allows attackers to exploit the ambiguity by crafting specially designed HTTP messages that are parsed differently by the front-end and back-end systems. Consequently, an attacker can smuggle malicious requests past security controls, potentially bypassing access restrictions, injecting unauthorized commands, or performing cache poisoning attacks. To mitigate this vulnerability, developers must ensure strict alignment in HTTP parsing logic across all network components. This involves configuring proxies and servers to use identical parsing standards, validating request boundaries rigorously, and employing modern frameworks that explicitly handle ambiguous headers. Regular security testing and automated fuzzing further help identify inconsistencies before deployment, ensuring that all entities in the data flow interpret messages uniformly.

MITRE CWE Description
The product acts as an intermediary HTTP agent (such as a proxy or firewall) in the data flow between two entities such as a client and server, but it does not interpret malformed HTTP requests or responses in ways that are consistent with how the messages will be processed by those entities that are at the ultimate destination. HTTP requests or responses ("messages") can be malformed or unexpected in ways that cause web servers or clients to interpret the messages in different ways than intermediary HTTP agents such as load balancers, reverse proxies, web caching proxies, application firewalls, etc. For example, an adversary may be able to add duplicate or different header fields that a client or server might interpret as one set of messages, whereas the intermediary might interpret the same sequence of bytes as a different set of messages. For example, discrepancies can arise in how to handle duplicate headers like two Transfer-encoding (TE) or two Content-length (CL), or the malicious HTTP message will have different headers for TE and CL. The inconsistent parsing and interpretation of messages can allow the adversary to "smuggle" a message to the client/server without the intermediary being aware of it. This weakness is usually the result of the usage of outdated or incompatible HTTP protocol versions in the HTTP agents.
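The header conflicts described above (two Content-Length fields, or Content-Length together with Transfer-Encoding) can be rejected at the intermediary before a request is forwarded. The Python check below is an added example, not part of the MITRE entry or of any product listed on this page; the function name `framing_issues` and the sample requests are constructed for illustration, and the reject-anything-ambiguous policy is an assumption that is stricter than RFC 9112 requires.

```python
import re

# Characters allowed in an HTTP header field name (RFC 9110 "token").
_TOKEN = re.compile(rb"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")

def framing_issues(head: bytes) -> list[str]:
    """Return the reasons a request header block has ambiguous framing."""
    issues = []
    if b"\n" in head.replace(b"\r\n", b""):
        issues.append("bare LF line terminator")
    cl_values, te_values = [], []
    for line in head.split(b"\r\n")[1:]:      # skip the request line
        if not line:
            break                             # blank line ends the headers
        if line[:1] in (b" ", b"\t"):
            issues.append("obsolete line folding")
            continue
        name, sep, value = line.partition(b":")
        if not sep or not _TOKEN.match(name):  # e.g. "Content-Length : 5"
            issues.append(f"malformed header name {name!r}")
            continue
        value = value.strip(b" \t")
        if name.lower() == b"content-length":
            cl_values.append(value)
        elif name.lower() == b"transfer-encoding":
            te_values.append(value.lower())
    if len(cl_values) > 1:
        issues.append("multiple Content-Length headers")
    if any(not v.isdigit() for v in cl_values):
        issues.append("non-numeric Content-Length")
    if cl_values and te_values:
        issues.append("both Content-Length and Transfer-Encoding present")
    # Strict policy (assumption): only a single "chunked" coding is accepted.
    if len(te_values) > 1 or any(v != b"chunked" for v in te_values):
        issues.append("unexpected Transfer-Encoding")
    return issues

# Header block of the first example on this page (duplicate Content-Length).
DUP_CL = (b"POST http://www.website.com/foobar.html HTTP/1.1\r\n"
          b"Host: www.website.com\r\nConnection: Keep-Alive\r\n"
          b"Content-Type: application/x-www-form-urlencoded\r\n"
          b"Content-Length: 0\r\nContent-Length: 54\r\n\r\n")
# Constructed samples: a CL+TE conflict and a well-formed request.
CL_TE = (b"POST /submit HTTP/1.1\r\nHost: example.test\r\n"
         b"Content-Length: 4\r\nTransfer-Encoding: chunked\r\n\r\n")
CLEAN = b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"
```

A non-empty result means the intermediary should answer 400 and close the connection rather than guess which framing the back end will choose.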
Common Consequences (1)
Integrity, Non-Repudiation, Access Control | Unexpected State, Hide Activities, Bypass Protection Mechanism
An attacker could create HTTP messages to exploit a number of weaknesses including 1) the message can trick the web server to associate a URL with another URL's webpage and caching the contents of the webpage (web cache poisoning attack), 2) the message can be structured to bypass the firewall prote…
Mitigations (4)
Implementation: Use a web server that employs a strict HTTP parsing procedure, such as Apache [REF-433].
Implementation: Use only SSL communication.
Implementation: Terminate the client session after each request.
System Configuration: Turn all pages to non-cacheable.
Examples (2)
In the following example, a malformed HTTP request is sent to a website that includes a proxy server and a web server with the intent of poisoning the cache to associate one webpage with another malicious webpage.
Attack:

    POST http://www.website.com/foobar.html HTTP/1.1
    Host: www.website.com
    Connection: Keep-Alive
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 0
    Content-Length: 54

    GET /poison.html HTTP/1.1
    Host: www.website.com
    Bla: GET http://www.website.com/page_to_poison.html HTTP/1.1
    Host: www.website.com
    Connection: Keep-Alive

Result:

    GET /poison.html HTTP/1.1
    Host: www.website.com
    Bla:

In the following example, a malformed HTTP request is sent to a website that includes a web server with a firewall with the intent of bypassing the web server firewall to smuggle malicious code into the system.
Attack:

    POST /page.asp HTTP/1.1
    Host: www.website.com
    Connection: Keep-Alive
    Content-Length: 49223

    zzz...zzz ["z" x 49152]
    POST /page.asp HTTP/1.0
    Connection: Keep-Alive
    Content-Length: 30

    POST /page.asp HTTP/1.0
    Bla: POST /page.asp?cmd.exe HTTP/1.0
    Connection: Keep-Alive

CVE ID | Title | CVSS | Severity | Published
CVE-2023-46121 | Generic Extractor MITM Vulnerability in yt-dlp — yt-dlp | 5.0 | Medium | 2023-11-14
CVE-2023-47627 | Request smuggling in aiohttp — aiohttp | 5.3 | Medium | 2023-11-14
CVE-2023-47641 | Inconsistent interpretation of `Content-Length` vs. `Transfer-Encoding` in aiohttp — aiohttp | 3.4 | Low | 2023-11-14
CVE-2023-46846 | Squid: request/response smuggling in http/1.1 and icap | 9.3 | Critical | 2023-11-03
CVE-2023-46137 | twisted.web has disordered HTTP pipeline response — twisted | 5.3 | Medium | 2023-10-25
CVE-2023-30910 | Hewlett Packard Enterprise MSA Controller environment issue vulnerability — HPE MSA Controller | 5.4 | Medium | 2023-10-09
CVE-2023-40175 | Inconsistent Interpretation of HTTP Requests in puma — puma | 7.3 | High | 2023-08-18
CVE-2023-33934 | Apache Traffic Server: Differential fuzzing for HTTP request parsing discrepancies — Apache Traffic Server | 8.2 | - | 2023-08-09
CVE-2023-38697 | protocol-http1 HTTP Request/Response Smuggling vulnerability — protocol-http1 | 5.8 | Medium | 2023-08-04
CVE-2023-37276 | aiohttp vulnerable to HTTP request smuggling — aiohttp | 5.3 | Medium | 2023-07-19
CVE-2023-33987 | Request smuggling and request concatenation in SAP Web Dispatcher — SAP Web Dispatcher | 8.6 | High | 2023-07-11
CVE-2023-33193 | Emby Server Proxy Header Spoofing Vulnerability — security | 9.1 | Critical | 2023-05-30
CVE-2023-27522 | Apache HTTP Server: mod_proxy_uwsgi HTTP response splitting — Apache HTTP Server | 5.3 | - | 2023-03-07
CVE-2023-25690 | Apache HTTP Server: HTTP request splitting with mod_rewrite and mod_proxy — Apache HTTP Server | 6.5 | - | 2023-03-07
CVE-2023-23691 | Dell MEC PV ME5 environment issue vulnerability — Dell PowerVault ME5 | 8.1 | High | 2023-01-20
CVE-2022-36760 | Apache HTTP Server: mod_proxy_ajp Possible request smuggling — Apache HTTP Server | 3.7 | - | 2023-01-17
CVE-2022-35256 | Node.js environment issue vulnerability — Node | 6.5 | - | 2022-12-05
CVE-2022-38114 | Client-Side Desync Vulnerability — SolarWinds SEM | 6.1 | Medium | 2022-11-23
CVE-2022-42252 | Apache Tomcat request smuggling via malformed content-length — Apache Tomcat | 8.2 | - | 2022-11-01
CVE-2022-21826 | Pulse Secure Pulse Connect Secure environment issue vulnerability — Pulse Connect Secure VPN Server | 5.4 | - | 2022-09-30
CVE-2022-2466 | Quarkus environment issue vulnerability — quarkus | 9.1 | - | 2022-08-31
CVE-2022-20713 | Cisco Adaptive Security Appliances Software cross-site scripting vulnerability — Cisco Adaptive Security Appliance (ASA) Software | 4.3 | Medium | 2022-08-10
CVE-2022-25763 | Improper input validation on HTTP/2 headers — Apache Traffic Server | 7.5 | - | 2022-08-10
CVE-2022-32213 | Node.js environment issue vulnerability — Node | 6.5 | - | 2022-07-14
CVE-2022-32214 | IBM Answer Retrieval for Watson Discovery On Prem environment issue vulnerability — Node | 6.5 | - | 2022-07-14
CVE-2022-32215 | Node.js environment issue vulnerability — Node | 6.5 | - | 2022-07-14
CVE-2022-31081 | Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling') in HTTP::Daemon — HTTP-Daemon | 7.3 | High | 2022-06-27
CVE-2022-26377 | mod_proxy_ajp: Possible request smuggling — Apache HTTP Server | 3.7 | - | 2022-06-08
CVE-2022-0552 | Netty environment issue vulnerability — origin-aggregated-logging/elasticsearch | - | - | 2022-04-11
CVE-2022-24801 | HTTP Request Smuggling in twisted.web — twisted | 8.1 | High | 2022-04-04

Vulnerabilities classified as CWE-444 (Inconsistent Interpretation of HTTP Requests (HTTP Request Smuggling)) represent 165 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.