537 matches found
actix-http has HTTP/1.1 CL.TE Request Smuggling
A vulnerability in actix-http's HTTP/1.1 request parser allows an unauthenticated remote client to smuggle requests in deployments where a front-end HTTP intermediary and the Actix backend disagree about whether Content-Length or Transfer-Encoding: chunked defines the request body length...
HTTP Chunked Encoding Behavior Analyzer
This script is a security analysis tool designed to test how a web server such as Kestrel-based applications handles HTTP requests using chunked transfer encoding...
📄 ASP.net 8.0.10 Core Kestrel HTTP Request Smuggling
This Metasploit auxiliary module targets a critical HTTP request smuggling vulnerability in ASP.NET Core Kestrel caused by improper parsing of malformed chunked transfer encoding notably LF-only line handling and case-variant headers like chUnKEd...
Jetty has HTTP Request Smuggling via Chunked Extension Quoted-String Parsing
Description as reported Jetty incorrectly parses quoted strings in HTTP/1.1 chunked transfer encoding extension values, enabling request smuggling attacks. Background This vulnerability is a new variant discovered while researching the "Funky Chunks" HTTP request smuggling techniques: -...
GHSA-355H-QMC2-WPWF Jetty has HTTP Request Smuggling via Chunked Extension Quoted-String Parsing
Description as reported Jetty incorrectly parses quoted strings in HTTP/1.1 chunked transfer encoding extension values, enabling request smuggling attacks. Background This vulnerability is a new variant discovered while researching the "Funky Chunks" HTTP request smuggling techniques: -...
CVE-2026-2332
In Eclipse Jetty, the HTTP/1.1 parser is vulnerable to request smuggling when chunk extensions are used, similar to the "funky chunks" techniques outlined here: https://w4ke.info/2025/06/18/funky-chunks.html https://w4ke.info/2025/10/29/funky-chunks-2.html Jetty terminates chunk extension parsing...
UBUNTU-CVE-2026-2332
In Eclipse Jetty, the HTTP/1.1 parser is vulnerable to request smuggling when chunk extensions are used, similar to the "funky chunks" techniques outlined here: https://w4ke.info/2025/06/18/funky-chunks.html https://w4ke.info/2025/10/29/funky-chunks-2.html Jetty terminates chunk extension parsing...
HTTP Request Smuggling
Overview org.eclipse.jetty:jetty-http is an is a http module for jetty server. Affected versions of this package are vulnerable to HTTP Request Smuggling in the HTTP/1.1 parser HttpParser.java. An attacker can inject additional HTTP requests with chunked transfer encoding with improperly terminat...
PT-2026-32618
Name of the Vulnerable Software and Affected Versions Eclipse Jetty versions 12.1.0 through 12.1.6 Eclipse Jetty versions 12.0.0 through 12.0.32 Eclipse Jetty versions 11.0.0 through 11.0.27 Eclipse Jetty versions 10.0.0 through 10.0.27 Eclipse Jetty versions 9.4.0 through 9.4.59 Description The...
Fedora 43 : trafficserver (2026-7b719a7a58)
The remote Fedora 43 host has a package installed that is affected by multiple vulnerabilities as referenced in the FEDORA-2026-7b719a7a58 advisory. Resolves: CVE-2025-58136 - A simple legitimate POST request causes a crash CVE-2025-65114 - Malformed chunked message body allows request smuggling...
CVE-2026-31842
Tinyproxy through 1.11.3 is vulnerable to HTTP request parsing desynchronization due to a case-sensitive comparison of the Transfer-Encoding header in src/reqs.c. The ischunkedtransfer function uses strcmp to compare the header value against "chunked", even though RFC 7230 specifies that...
SUSE CVE-2026-33870
Netty is an asynchronous, event-driven network application framework. In versions prior to 4.1.132.Final and 4.2.10.Final, Netty incorrectly parses quoted strings in HTTP/1.1 chunked transfer encoding extension values, enabling request smuggling attacks. Versions 4.1.132.Final and 4.2.10.Final fi...
EUVD-2026-17066
An integer overflow vulnerability in the HTTP chunked transfer encoding parser in tinyproxy up to and including version 1.11.3 allows an unauthenticated remote attacker to cause a denial of service DoS. The issue occurs because chunk size values are parsed using strtol without properly validating...
CVE-2026-3945
An integer overflow vulnerability in the HTTP chunked transfer encoding parser in tinyproxy up to and including version 1.11.3 allows an unauthenticated remote attacker to cause a denial of service DoS. The issue occurs because chunk size values are parsed using strtol without properly validating...
CVE-2026-3945
An integer overflow vulnerability in the HTTP chunked transfer encoding parser in tinyproxy up to and including version 1.11.3 allows an unauthenticated remote attacker to cause a denial of service DoS. The issue occurs because chunk size values are parsed using strtol without properly validating...
CVE-2026-3945
Tinyproxy (up to 1.11.3) contains an integer overflow in the HTTP chunked transfer encoding parser. Chunk sizes are parsed with strtol() without proper overflow validation, allowing a crafted size (e.g., LONG_MAX) to bypass checks and overflow arithmetic (chunklen + 2). This can cause the proxy t...
Tinyproxy 安全漏洞
Tinyproxy is a small, efficient HTTP/SSL proxy daemon developed by Tinyproxy. Versions of Tinyproxy 1.11.3 and earlier contain security vulnerabilities, which stem from integer overflows in the HTTP chunked transmission encoding parser, potentially leading to denial-of-service attacks...
CVE-2026-33870
A flaw was found in Netty. A remote attacker could exploit this vulnerability by sending specially crafted HTTP/1.1 chunked transfer encoding extension values. Due to incorrect parsing of quoted strings, this flaw enables request smuggling attacks, potentially allowing an attacker to bypass...
DEBIAN-CVE-2026-33870
Netty is an asynchronous, event-driven network application framework. In versions prior to 4.1.132.Final and 4.2.10.Final, Netty incorrectly parses quoted strings in HTTP/1.1 chunked transfer encoding extension values, enabling request smuggling attacks. Versions 4.1.132.Final and 4.2.10.Final fi...
CVE-2026-33870
Netty is an asynchronous, event-driven network application framework. In versions prior to 4.1.132.Final and 4.2.10.Final, Netty incorrectly parses quoted strings in HTTP/1.1 chunked transfer encoding extension values, enabling request smuggling attacks. Versions 4.1.132.Final and 4.2.10.Final fi...