CWE-444

Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')

Parent: CWE-436 - Interpretation Conflict

The product acts as an intermediary HTTP agent (such as a proxy or firewall) in the data flow between two entities such as a client and server, but it does not interpret malformed HTTP requests or responses in ways that are consistent with how the messages will be processed by those entities that are at the ultimate destination.

334 vulnerabilities with CWE-444
CVE-2025-49826 HIGH
Next.js 15.0.4-15.1.8 - Denial of Service via HTTP 204 Response Cache Poisoning
CVSS 7.5
CVE-2025-49005 LOW
Next.js 15.3.0-15.3.3 and Vercel CLI 41.4.1-42.2.0 - Cache Poisoning via HTML/RSC Content Type Confusion
CVSS 3.7
CVE-2025-6442 MEDIUM
Ruby WEBrick < 1.8.2 - HTTP Request Smuggling via Header Terminator Parsing
CVSS 5.9
CVE-2025-41235 HIGH
Spring Cloud Gateway Server 4.2.0-4.2.2 - HTTP Request Smuggling via Forwarded Header Handling
CVSS 8.6
CVE-2025-4366 MEDIUM
Pingora < 0.5.0 - HTTP Request Smuggling via Cache HIT Request Body Manipulation
CVSS 6.1
CVE-2025-23167 MEDIUM
Node.js 20 < 20.19.1 - HTTP Request Smuggling via Improper Header Termination
CVSS 6.5
CVE-2025-4600 HIGH
Google Cloud Classic Application Load Balancer < 2025-04-26 - HTTP Request Smuggling via Chunked Encoding
CVSS 7.5
CVE-2025-47905 MEDIUM
Varnish Cache <7.6.3-7.7.1 & Varnish Enterprise <6.0.13r14 - Open R...
CVSS 5.4
CVE-2025-43859 CRITICAL
Pypi H11 < 0.16.0 - HTTP Request Smuggling
CVSS 9.1
CVE-2025-1386 MEDIUM
ClickHouse ch-go < 0.65.0 - HTTP Request Smuggling via Malicious External Data
CVSS 4.9
CVE-2025-31137 HIGH
React Router 7.0.0-7.4.0 and Remix 2.11.1-2.16.2 - HTTP Request Smuggling via Host Header
CVSS 7.5
CVE-2025-30346 MEDIUM
Varnish Cache <7.6.2 - Open Redirect
CVSS 5.4
CVE-2025-29904 MEDIUM
JetBrains Ktor < 3.1.1 - HTTP Request Smuggling
CVSS 5.3
CVE-2025-1867 CRITICAL
libhv <= 1.3.3 - HTTP Response Smuggling
CVE-2025-0752 HIGH
OpenShift Service Mesh <2.6.3, <2.5.6 - SSRF
CVSS 7.1
CVE-2024-56523 CRITICAL
Radware Cloud WAF <2025-05-07 - Auth Bypass
CVSS 9.1
CVE-2024-33452 HIGH
OpenResty lua-nginx-module < 0.10.26 - HTTP Request Smuggling via HEAD Request
CVSS 7.7
CVE-2024-29643 CRITICAL
croogo 3.0.2 - Host Header Injection via Feed RSS Component
CVSS 9.1
CVE-2024-53868 HIGH
Apache Traffic Server <9.2.10-10.0.5 - Request Smuggling
CVSS 7.5
CVE-2024-6827 HIGH
Gunicorn < 22.0.0 - HTTP Request Smuggling via Transfer-Encoding Header
CVSS 7.5
CVE-2024-10264 CRITICAL
netease-youdao/qanything <1.4.1 - RCE
CVSS 9.8
CVE-2024-56908 MEDIUM
Perfex CRM < 3.2.1 - Authenticated Arbitrary File Upload via upload_sales_file rel_id Parameter
CVSS 6.8
CVE-2024-12397 HIGH
Quarkus-HTTP < 5.3.4 - HTTP Request Smuggling via Cookie Parsing
CVSS 7.4
CVE-2024-53008 MEDIUM
HAProxy 2.6 < 2.6.18, 2.8 < 2.8.10, 2.9 < 2.9.9, 3.0 < 3.0.2 - HTTP Request Smuggling
CVSS 5.3
CVE-2024-9666 MEDIUM
Keycloak - Denial of Service via Proxy Header Handling
CVSS 4.7