CVE-2022-29361

CRITICAL

Werkzeug < 2.1.0 - HTTP Request Smuggling via Crafted Request Body

Title source: llm

Exploitation Summary

EIP tracks 2 public exploits for CVE-2022-29361. PoCs published by kevin-mizu, l3ragio.

AI-analyzed exploit summary This PoC demonstrates CVE-2022-29361, a client-side desync vulnerability in Werkzeug that can lead to XSS. It includes a vulnerable Flask app and an exploit server that triggers the vulnerability via a crafted form submission.

Description

Improper parsing of HTTP requests in Pallets Werkzeug v2.1.0 and below allows attackers to perform HTTP Request Smuggling using a crafted HTTP request with multiple requests included inside the body. NOTE: the vendor's position is that this behavior can only occur in unsupported configurations involving development mode and an HTTP server from outside the Werkzeug project

Exploits (2)

nomisec WORKING POC 5 stars

by kevin-mizu · poc

https://github.com/kevin-mizu/Werkzeug-CVE-2022-29361-PoC

View Code ZIP pw:eip

This PoC demonstrates CVE-2022-29361, a client-side desync vulnerability in Werkzeug that can lead to XSS. It includes a vulnerable Flask app and an exploit server that triggers the vulnerability via a crafted form submission.

Classification

Working Poc 95%

Attack Type

Xss

Complexity

Moderate

Reliability

Reliable

Target: Werkzeug (Flask dependency)

No auth needed

Prerequisites: Victim must visit the exploit server · Vulnerable Werkzeug version must be in use

MITRE ATT&CK

T1189 - Drive-by Compromise

devstral-2 · analyzed Feb 16, 2026 Full analysis →

nomisec WORKING POC 1 stars

by l3ragio · poc

https://github.com/l3ragio/CVE-2022-29361_Werkzeug_Client-Side-Desync-to-XSS

View Code ZIP pw:eip

This PoC demonstrates a client-side desynchronization attack (CVE-2022-29361) against Werkzeug, leading to XSS. It uses a rogue server to exploit a vulnerable Flask server by manipulating HTTP request smuggling techniques.

Classification

Working Poc 95%

Attack Type

Xss

Complexity

Moderate

Reliability

Reliable

Target: Werkzeug (Flask applications)

No auth needed

Prerequisites: Vulnerable Werkzeug version · Victim interaction (clicking a button or visiting a malicious page)

MITRE ATT&CK

T1189 - Drive-by Compromise T1059.007 - JavaScript

devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (2)

Core 2

Core References

Patch, Third Party Advisory x_refsource_misc

https://github.com/pallets/werkzeug/commit/9a3a981d70d2e9ec3344b5192f86fcaf3210cd85

View Patch ZIP pw:eip

Issue Tracking, Third Party Advisory x_refsource_misc

https://github.com/pallets/werkzeug/issues/2420

Scores

CVSS v3 9.8

EPSS 0.0766

EPSS Percentile 93.8%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE

CWE-444

Status published

Products (1)

palletsprojects/werkzeug < 2.1.0

Published May 25, 2022

Tracked Since Feb 18, 2026