CVEFinder.io

CVE-2022-24801

⚠ī¸ high
🔍 Scan for this CVE
Summary

Twisted is an event-based framework for internet applications, supporting Python 3.6+. Prior to version 22.4.0rc1, the Twisted Web HTTP 1.1 server, located in the `twisted.web.http` module, parsed several HTTP request constructs more leniently than permitted by RFC 7230. This non-conformant parsing can lead to desync if requests pass through multiple HTTP parsers, potentially resulting in HTTP request smuggling. Users who may be affected use Twisted Web's HTTP 1.1 server and/or proxy and also pa

Description

Twisted is an event-based framework for internet applications, supporting Python 3.6+. Prior to version 22.4.0rc1, the Twisted Web HTTP 1.1 server, located in the `twisted.web.http` module, parsed several HTTP request constructs more leniently than permitted by RFC 7230. This non-conformant parsing can lead to desync if requests pass through multiple HTTP parsers, potentially resulting in HTTP request smuggling. Users who may be affected use Twisted Web's HTTP 1.1 server and/or proxy and also pass requests through a different HTTP server and/or proxy. The Twisted Web client is not affected. The HTTP 2.0 server uses a different parser, so it is not affected. The issue has been addressed in Twisted 22.4.0rc1. Two workarounds are available: Ensure any vulnerabilities in upstream proxies have been addressed, such as by upgrading them; or filter malformed requests by other means, such as configuration of an upstream proxy.

CVSS Score
8.1
High
EPSS Score
1.2
Exploit Probability
Published Date
2022-04-04
First Seen: 2026-01-05
📊 Relative Risk Intelligence

This CVE is High Risk - more severe than 77.5% of all 328,009 vulnerabilities in our database.

#73,816
Top 25% most severe
Severity Percentile
đŸŽ¯ CISA SSVC Assessment Updated: Apr 23, 2025
🔍 Exploitation Status
None
No known exploits
⚙ī¸ Automatable
NO
Requires human interaction
đŸ’Ĩ Technical Impact
Total
Complete system compromise possible
SSVC data provided by CISA
Last Modified 2024-11-25
Source NVD 🔗
CVSS Vector 3.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE IDs (Weakness Types)
CWE-444

đŸ“Ļ Affected Products 5

Vendor Product Status Affected Versions
debian debian_linux Affected
v9.0
fedoraproject fedora Affected
v35
fedoraproject fedora Affected
v36
oracle zfs_storage_appliance_kit Affected
v8.8
twisted twisted Affected
< 22.4.0

🔗 References 7

https://github.com/twisted/twisted/commit/592217e951...
Patch Third Party Advisory
https://github.com/twisted/twisted/releases/tag/twis...
Release Notes Third Party Advisory
https://github.com/twisted/twisted/security/advisori...
Third Party Advisory
https://lists.debian.org/debian-lts-announce/2022/05...
Mailing List Third Party Advisory
https://lists.fedoraproject.org/archives/list/packag...
https://lists.fedoraproject.org/archives/list/packag...
https://www.oracle.com/security-alerts/cpujul2022.html
Patch Third Party Advisory

🔗 Related CVEs 6

CVE ID Severity CVSS EPSS Summary Published
CVE-2026-49975 ⚠ī¸ high 7.5 1.3 Memory Allocation with Excessive Size Value vulnerability in Apache HTTP Server's mod_http leads to denial of service vi... 2026-06-08
CVE-2026-42304 ⚠ī¸ high 7.5 0.0 Twisted is an event-based framework for internet applications, supporting Python 3.6+. Prior to 26.4.0rc2, the twisted.n... 2026-05-13
CVE-2026-31431 ⚠ī¸ high 7.8 2.2 In the Linux kernel, the following vulnerability has been resolved: crypto: algif_aead - Revert to operating out-of-pla... 2026-04-22
CVE-2026-35093 ⚠ī¸ high 8.8 0.0 A flaw was found in libinput. A local attacker who can place a specially crafted Lua bytecode file in certain system or ... 2026-04-01
CVE-2026-35094 ℹī¸ low 3.3 0.0 A flaw was found in libinput. An attacker capable of deploying a Lua plugin file in specific system directories can expl... 2026-04-01
CVE-2026-4775 ⚠ī¸ high 7.8 0.3 A flaw was found in the libtiff library. A remote attacker could exploit a signed integer overflow vulnerability in the ... 2026-03-24
These CVEs affect the same products