Ktor is vulnerable to request smuggling. Lack of validation of the Content-Length and Transfer-Encoding headers allows a remote attacker to inject \n characters as a header separator and smuggle requests through the server.
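
The validation this advisory says is missing can be sketched as follows. This is an added example, not code from ktor or from the advisory; `body_framing`, `FramingError` and the sample inputs are hypothetical names and constructed data, and the checks follow the HTTP/1.1 framing rules of RFC 7230 with the strict choice of rejecting ambiguous requests outright.

```python
import re

class FramingError(ValueError):
    """Request head must be rejected (answer 400 and close the connection)."""

TOKEN = re.compile(rb"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")
BARE_CR_OR_LF = re.compile(rb"(?<!\r)\n|\r(?!\n)")

def body_framing(header_block: bytes):
    """Return ("none", 0), ("length", n) or ("chunked", None) for one request.

    header_block: raw header lines after the request line, each ending in CRLF.
    """
    # Only CRLF ends a header line; a lone \n or \r is never a separator.
    if BARE_CR_OR_LF.search(header_block):
        raise FramingError("bare CR or LF in header block")
    headers = {}
    for line in header_block.split(b"\r\n"):
        if not line:
            continue
        name, colon, value = line.partition(b":")
        # Rejects folded lines and whitespace before the colon as well.
        if not colon or not TOKEN.fullmatch(name):
            raise FramingError("malformed header line")
        headers.setdefault(name.lower(), []).append(value.strip(b" \t"))
    lengths = headers.get(b"content-length", [])
    codings = [c.strip(b" \t").lower()
               for v in headers.get(b"transfer-encoding", [])
               for c in v.split(b",")]
    # Two competing body lengths are the ambiguity smuggling relies on.
    if lengths and codings:
        raise FramingError("Content-Length together with Transfer-Encoding")
    if codings:
        if codings[-1] != b"chunked":
            raise FramingError("final transfer coding is not chunked")
        return ("chunked", None)
    if lengths:
        if len(set(lengths)) > 1 or not re.fullmatch(rb"[0-9]+", lengths[0]):
            raise FramingError("invalid Content-Length")
        return ("length", int(lengths[0]))
    return ("none", 0)

# Constructed sample inputs (not taken from the advisory).
GOOD = b"Host: example.test\r\nContent-Length: 5\r\n"
BARE_LF = b"Host: example.test\r\nX-Note: a\nContent-Length: 5\r\n"
```
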

CPE

Name | Operator | Version |
---|---|---|
ktor-http-cio | le | 1.2.6 |
ktor-http-cio | le | 1.3.0-rc2 |