Request smuggling is possible when both chunked TE and content length specified

2020-01-2719:28:40

Google

osv.dev

0.001 Low

EPSS

Percentile

31.0%

JSON

Impact

Request smuggling is possible when running behind a proxy that doesn’t handle Content-Length and Transfer-Encoding properly or doesn’t handle alone \n as a headers separator.

Patches

https://github.com/ktorio/ktor/pull/1547

Workarounds

None except migrating to a better proxy.

References

https://portswigger.net/web-security/request-smuggling
https://tools.ietf.org/html/rfc7230#section-9.5

CPENameOperatorVersion
io.ktor:ktor-client-cioeq1.1.1
io.ktor:ktor-client-cioeq1.3.0-rc2
io.ktor:ktor-server-cioeq1.2.3-rc
io.ktor:ktor-server-cioeq1.2.0
io.ktor:ktor-server-cioeq1.2.4
io.ktor:ktor-client-cioeq1.1.2
io.ktor:ktor-client-cioeq1.2.0-rc
io.ktor:ktor-server-cioeq1.2.5
io.ktor:ktor-server-cioeq1.0.1
io.ktor:ktor-server-cioeq1.1.3

Name	Operator	Version
io.ktor:ktor-client-cio	eq	1.1.1
io.ktor:ktor-client-cio	eq	1.3.0-rc2
io.ktor:ktor-server-cio	eq	1.2.3-rc
io.ktor:ktor-server-cio	eq	1.2.0
io.ktor:ktor-server-cio	eq	1.2.4
io.ktor:ktor-client-cio	eq	1.1.2
io.ktor:ktor-client-cio	eq	1.2.0-rc
io.ktor:ktor-server-cio	eq	1.2.5
io.ktor:ktor-server-cio	eq	1.0.1
io.ktor:ktor-server-cio	eq	1.1.3