CVE-2022-24801

HIGH

Twisted < 22.4.0 - HTTP Request Smuggling via Non-Conformant HTTP Request Parsing

Title source: llm
STIX 2.1

Description

Twisted is an event-based framework for internet applications, supporting Python 3.6+. Prior to version 22.4.0rc1, the Twisted Web HTTP 1.1 server, located in the `twisted.web.http` module, parsed several HTTP request constructs more leniently than permitted by RFC 7230. This non-conformant parsing can lead to desync if requests pass through multiple HTTP parsers, potentially resulting in HTTP request smuggling. Users who may be affected use Twisted Web's HTTP 1.1 server and/or proxy and also pass requests through a different HTTP server and/or proxy. The Twisted Web client is not affected. The HTTP 2.0 server uses a different parser, so it is not affected. The issue has been addressed in Twisted 22.4.0rc1. Two workarounds are available: Ensure any vulnerabilities in upstream proxies have been addressed, such as by upgrading them; or filter malformed requests by other means, such as configuration of an upstream proxy.

References (7)

Core 7
Core References
Release Notes, Third Party Advisory x_refsource_misc
https://github.com/twisted/twisted/releases/tag/twisted-22.4.0rc1
Mailing List, Third Party Advisory mailing-list x_refsource_mlist
https://lists.debian.org/debian-lts-announce/2022/05/msg00003.html
Patch, Third Party Advisory x_refsource_misc
https://www.oracle.com/security-alerts/cpujul2022.html

Scores

CVSS v3 8.1
EPSS 0.0271
EPSS Percentile 84.0%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact total

Details

CWE
CWE-444
Status published
Products (6)
debian/debian_linux 9.0
fedoraproject/fedora 35
fedoraproject/fedora 36
oracle/zfs_storage_appliance_kit 8.8
pypi/Twisted 0 - 22.4.0PyPI
twisted/twisted < 22.4.0
Published Apr 04, 2022
Tracked Since Feb 18, 2026