Vinyl/Varnish -- HTTP/2 parsing deficiency

Vinyl Development Team reports: A deficiency in HTTP/2 request parsing can be exploited to launch a backend request desync attack request smuggling, which in turn can be used for cache poisoning, authentication bypass or possibly even information disclosure and manipulation...

EulerOS 2.0 SP12 : httpd (EulerOS-SA-2025-2041)

According to the versions of the httpd packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : In some modssl configurations on Apache HTTP Server versions through to 2.4.63, an HTTP desynchronisation attack allows a man-in-the-middle attacke...

AZL-65097 CVE-2025-49812 affecting package httpd for versions less than 2.4.64-1

In some modssl configurations on Apache HTTP Server versions through to 2.4.63, an HTTP desynchronisation attack allows a man-in-the-middle attacker to hijack an HTTP session via a TLS upgrade. Only configurations using "SSLEngine optional" to enable TLS upgrades are affected. Users are recommend...

CVE-2022-39163

CVE-2022-39163 (IBM Cognos Controller) affects IBM Cognos Controller 11.0.0–11.1.0 and IBM Controller 11.1.0, due to a Client-Side Desync (CSD) attack that could desynchronize a browser connection and enable cross-site scripting (XSS). The documented impact is limited to potential XSS via a desyn...

SA45476 - Client Side Desync Attack (Informational)

Ivanti 4th of March 2024 - This isn't an active SA and any new edits are part of an article maintenance project. Portswigger has provided a responsible disclosure of a vulnerability that affects the Pulse Collaboration feature. Their write up can be found here:...

HTTP/2 Request Smuggling

HTTP Request Smuggling also known as an HTTP Desync Attack has experienced a resurgence in security research recently, thanks in large part to the outstanding work by security researcher James Kettle. His 2019 Blackhat presentation on HTTP Desync attacks exposed vulnerabilities with different...

DEBIAN-CVE-2021-21299

hyper is an open-source HTTP library for Rust crates.io. In hyper from version 0.12.0 and before versions 0.13.10 and 0.14.3 there is a vulnerability that can enable a request smuggling attack. The HTTP server code had a flaw that incorrectly understands some requests with multiple...

CVE-2021-21299

CVE-2021-21299 affects the Rust HTTP library hyper. The vulnerability resides in hyper’s HTTP server code, which may misinterpret requests with multiple Transfer-Encoding headers, potentially treating the payload as chunked when it should be illegal. Exploitation requires three conditions to be m...

CVE-2020-8201

Node.js 12.18.4 and 14.11 can be exploited to perform HTTP desync attacks and deliver malicious payloads to unsuspecting users. The payloads can be crafted by an attacker to hijack user sessions, poison cookies, perform clickjacking, and a multitude of other attacks depending on the architecture ...

UBUNTU-CVE-2020-8201

Node.js 12.18.4 and 14.11 can be exploited to perform HTTP desync attacks and deliver malicious payloads to unsuspecting users. The payloads can be crafted by an attacker to hijack user sessions, poison cookies, perform clickjacking, and a multitude of other attacks depending on the architecture ...

CVE-2020-8201

Node.js 12.18.4 and 14.11 can be exploited to perform HTTP desync attacks and deliver malicious payloads to unsuspecting users. The payloads can be crafted by an attacker to hijack user sessions, poison cookies, perform clickjacking, and a multitude of other attacks depending on the architecture ...