CVE-2022-29361
published 2022-05-25


Priority: P3 (56)
Severity: critical, 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 7.66% (93.8th percentile)
Improper parsing of HTTP requests in Pallets Werkzeug v2.1.0 and below allows attackers to perform HTTP Request Smuggling using a crafted HTTP request with multiple requests included inside the body. NOTE: the vendor's position is that this behavior can only occur in unsupported configurations involving development mode and an HTTP server from outside the Werkzeug project.

Affected

3 ranges
Vendor           Product    Version range                                       Fixed in
palletsprojects  werkzeug   <= 2.1.0                                            -
palletsprojects  werkzeug   >= 0, < 9a3a981d70d2e9ec3344b5192f86fcaf3210cd85    9a3a981d70d2e9ec3344b5192f86fcaf3210cd85
palletsprojects  werkzeug   >= 0, < 2.1.1                                       2.1.1

Detection & IOCs (extracted from sources)

version: Werkzeug==2.1.0
command: GET http://google.com HTTP/1.1
  • HTTP Request Smuggling via crafted request with multiple requests inside the body targeting Werkzeug v2.1.0 and below running in debug mode
  • Client-Side Desync attack on Werkzeug: payload sent in the request body is interpreted as the next request by the server, enabling control of arbitrary bytes of the subsequent request
  • Werkzeug debug mode exposes /debug console endpoint; combined with path traversal to read /proc/self/cgroup, /etc/passwd, and MAC address files, an attacker can reconstruct the Werkzeug PIN
  • Vendor states the HTTP Request Smuggling behavior only occurs in unsupported configurations: Werkzeug running in debug mode with an HTTP server from outside the Werkzeug project
  • Red Hat Product Security does not consider this to be a vulnerability and marks all their packages as Not affected

CVSS provenance

Source         Version  Score  Severity  Vector
nvd            v3.1     9.8    CRITICAL  CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd            v2.0     7.5    HIGH      AV:N/AC:L/Au:N/C:P/I:P/A:P
osv                     9.8    CRITICAL
vendor_oracle           9.8    CRITICAL
vendor_redhat           9.8    CRITICAL