{"api_version":"1","generated_at":"2026-04-22T19:28:09+00:00","cve":"CVE-2022-24801","urls":{"html":"https://cve.report/CVE-2022-24801","api":"https://cve.report/api/cve/CVE-2022-24801.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2022-24801","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2022-24801"},"summary":{"title":"CVE-2022-24801","description":"Twisted is an event-based framework for internet applications, supporting Python 3.6+. Prior to version 22.4.0rc1, the Twisted Web HTTP 1.1 server, located in the `twisted.web.http` module, parsed several HTTP request constructs more leniently than permitted by RFC 7230. This non-conformant parsing can lead to desync if requests pass through multiple HTTP parsers, potentially resulting in HTTP request smuggling. Users who may be affected use Twisted Web's HTTP 1.1 server and/or proxy and also pass requests through a different HTTP server and/or proxy. The Twisted Web client is not affected. The HTTP 2.0 server uses a different parser, so it is not affected. The issue has been addressed in Twisted 22.4.0rc1. Two workarounds are available: Ensure any vulnerabilities in upstream proxies have been addressed, such as by upgrading them; or filter malformed requests by other means, such as configuration of an upstream proxy.","state":"PUBLIC","assigner":"security-advisories@github.com","published_at":"2022-04-04 18:15:00","updated_at":"2023-11-07 03:44:00"},"problem_types":["CWE-444"],"metrics":[],"references":[{"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7U6KYDTOLPICAVSR34G2WRYLFBD2YW5K/","name":"FEDORA-2022-9a489fa494","refsource":"FEDORA","tags":[],"title":"[SECURITY] Fedora 35 Update: python-twisted-22.4.0-1.fc35 - package-announce - Fedora Mailing-Lists","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://github.com/twisted/twisted/releases/tag/twisted-22.4.0rc1","name":"https://github.com/twisted/twisted/releases/tag/twisted-22.4.0rc1","refsource":"MISC","tags":[],"title":"Release Release 22.4.0rc1 · twisted/twisted · GitHub","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7U6KYDTOLPICAVSR34G2WRYLFBD2YW5K/","name":"FEDORA-2022-9a489fa494","refsource":"","tags":[],"title":"[SECURITY] Fedora 35 Update: python-twisted-22.4.0-1.fc35 - package-announce - Fedora Mailing-Lists","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://github.com/twisted/twisted/security/advisories/GHSA-c2jg-hw38-jrqq","name":"https://github.com/twisted/twisted/security/advisories/GHSA-c2jg-hw38-jrqq","refsource":"CONFIRM","tags":[],"title":"Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling') in twisted.web · Advisory · twisted/twisted · GitHub","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GLKHA6WREIVAMBQD7KKWYHPHGGNKMAG6/","name":"FEDORA-2022-71b66d4747","refsource":"FEDORA","tags":[],"title":"[SECURITY] Fedora 36 Update: python-twisted-22.4.0-1.fc36 - package-announce - Fedora Mailing-Lists","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://lists.debian.org/debian-lts-announce/2022/05/msg00003.html","name":"[debian-lts-announce] 20220503 [SECURITY] [DLA 2991-1] twisted security update","refsource":"MLIST","tags":[],"title":"[SECURITY] [DLA 2991-1] twisted security update","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://github.com/twisted/twisted/commit/592217e951363d60e9cd99c5bbfd23d4615043ac","name":"https://github.com/twisted/twisted/commit/592217e951363d60e9cd99c5bbfd23d4615043ac","refsource":"MISC","tags":[],"title":"Merge pull request from GHSA-c2jg-hw38-jrqq · twisted/twisted@592217e · GitHub","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://www.oracle.com/security-alerts/cpujul2022.html","name":"N/A","refsource":"N/A","tags":[],"title":"Oracle Critical Patch Update Advisory - July 2022","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GLKHA6WREIVAMBQD7KKWYHPHGGNKMAG6/","name":"FEDORA-2022-71b66d4747","refsource":"","tags":[],"title":"[SECURITY] Fedora 36 Update: python-twisted-22.4.0-1.fc36 - package-announce - Fedora Mailing-Lists","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://www.cve.org/CVERecord?id=CVE-2022-24801","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2022-24801","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2022","cve_id":"24801","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"debian","cpe5":"debian_linux","cpe6":"9.0","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2022","cve_id":"24801","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"fedoraproject","cpe5":"fedora","cpe6":"35","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2022","cve_id":"24801","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"fedoraproject","cpe5":"fedora","cpe6":"36","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2022","cve_id":"24801","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"oracle","cpe5":"zfs_storage_appliance_kit","cpe6":"8.8","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2022","cve_id":"24801","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"twistedmatrix","cpe5":"twisted","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2022","cve_id":"24801","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"twistedmatrix","cpe5":"twisted","cpe6":"22.4.0","cpe7":"-","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[{"cve":"CVE-2022-24801","qid":"159882","title":"Oracle Enterprise Linux Security Update for python-twisted-web (ELSA-2022-4930)"},{"cve":"CVE-2022-24801","qid":"179260","title":"Debian Security Update for twisted (DLA 2991-1)"},{"cve":"CVE-2022-24801","qid":"180825","title":"Debian Security Update for twisted (CVE-2022-24801)"},{"cve":"CVE-2022-24801","qid":"198909","title":"Ubuntu Security Notification for Twisted Vulnerability (USN-5576-1)"},{"cve":"CVE-2022-24801","qid":"240244","title":"Red Hat Update for OpenStack Platform 16.2 (RHSA-2022:1645)"},{"cve":"CVE-2022-24801","qid":"240246","title":"Red Hat Update for OpenStack Platform 16.1 (RHSA-2022:1646)"},{"cve":"CVE-2022-24801","qid":"240416","title":"Red Hat Update for python-twisted-web (RHSA-2022:4930)"},{"cve":"CVE-2022-24801","qid":"257180","title":"CentOS Security Update for python-twisted-web Security Update (CESA-2022:4930)"},{"cve":"CVE-2022-24801","qid":"282889","title":"Fedora Security Update for python (FEDORA-2022-9a489fa494)"},{"cve":"CVE-2022-24801","qid":"282890","title":"Fedora Security Update for python (FEDORA-2022-71b66d4747)"},{"cve":"CVE-2022-24801","qid":"353997","title":"Amazon Linux Security Advisory for python-twisted-web : ALAS2-2022-1827"},{"cve":"CVE-2022-24801","qid":"354290","title":"Amazon Linux Security Advisory for python-twisted : ALAS2022-2022-231"},{"cve":"CVE-2022-24801","qid":"354583","title":"Amazon Linux Security Advisory for python-twisted : ALAS-2022-231"},{"cve":"CVE-2022-24801","qid":"354859","title":"Amazon Linux Security Advisory for python-twisted-web : ALAS-2023-1717"},{"cve":"CVE-2022-24801","qid":"355072","title":"Amazon Linux Security Advisory for python-twisted-web : AL2012-2023-396"},{"cve":"CVE-2022-24801","qid":"355118","title":"Amazon Linux Security Advisory for python-twisted : ALAS2023-2023-056"},{"cve":"CVE-2022-24801","qid":"377008","title":"Alibaba Cloud Linux Security Update for python-twisted-web (ALINUX2-SA-2022:0025)"},{"cve":"CVE-2022-24801","qid":"502925","title":"Alpine Linux Security Update for py3-twisted"},{"cve":"CVE-2022-24801","qid":"505804","title":"Alpine Linux Security Update for py3-twisted"},{"cve":"CVE-2022-24801","qid":"753275","title":"SUSE Enterprise Linux Security Update for python-Twisted (SUSE-SU-2022:1477-1)"},{"cve":"CVE-2022-24801","qid":"900791","title":"Common Base Linux Mariner (CBL-Mariner) Security Update for python-twisted (9339)"},{"cve":"CVE-2022-24801","qid":"901405","title":"Common Base Linux Mariner (CBL-Mariner) Security Update for python-twisted (9340)"},{"cve":"CVE-2022-24801","qid":"902223","title":"Common Base Linux Mariner (CBL-Mariner) Security Update for python-twisted (9339-1)"},{"cve":"CVE-2022-24801","qid":"904492","title":"Common Base Linux Mariner (CBL-Mariner) Security Update for python-twisted (9340-1)"}]},"source_records":{"cve_program":{"CVE_data_meta":{"ASSIGNER":"security-advisories@github.com","ID":"CVE-2022-24801","STATE":"PUBLIC","TITLE":"HTTP Request Smuggling in twisted.web"},"affects":{"vendor":{"vendor_data":[{"product":{"product_data":[{"product_name":"twisted","version":{"version_data":[{"version_value":"<= 22.2.0"}]}}]},"vendor_name":"twisted"}]}},"data_format":"MITRE","data_type":"CVE","data_version":"4.0","description":{"description_data":[{"lang":"eng","value":"Twisted is an event-based framework for internet applications, supporting Python 3.6+. Prior to version 22.4.0rc1, the Twisted Web HTTP 1.1 server, located in the `twisted.web.http` module, parsed several HTTP request constructs more leniently than permitted by RFC 7230. This non-conformant parsing can lead to desync if requests pass through multiple HTTP parsers, potentially resulting in HTTP request smuggling. Users who may be affected use Twisted Web's HTTP 1.1 server and/or proxy and also pass requests through a different HTTP server and/or proxy. The Twisted Web client is not affected. The HTTP 2.0 server uses a different parser, so it is not affected. The issue has been addressed in Twisted 22.4.0rc1. Two workarounds are available: Ensure any vulnerabilities in upstream proxies have been addressed, such as by upgrading them; or filter malformed requests by other means, such as configuration of an upstream proxy."}]},"impact":{"cvss":{"attackComplexity":"HIGH","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":8.1,"baseSeverity":"HIGH","confidentialityImpact":"HIGH","integrityImpact":"HIGH","privilegesRequired":"NONE","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H","version":"3.1"}},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"CWE-444: Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')"}]}]},"references":{"reference_data":[{"name":"https://github.com/twisted/twisted/security/advisories/GHSA-c2jg-hw38-jrqq","refsource":"CONFIRM","url":"https://github.com/twisted/twisted/security/advisories/GHSA-c2jg-hw38-jrqq"},{"name":"https://github.com/twisted/twisted/commit/592217e951363d60e9cd99c5bbfd23d4615043ac","refsource":"MISC","url":"https://github.com/twisted/twisted/commit/592217e951363d60e9cd99c5bbfd23d4615043ac"},{"name":"https://github.com/twisted/twisted/releases/tag/twisted-22.4.0rc1","refsource":"MISC","url":"https://github.com/twisted/twisted/releases/tag/twisted-22.4.0rc1"},{"refsource":"MLIST","name":"[debian-lts-announce] 20220503 [SECURITY] [DLA 2991-1] twisted security update","url":"https://lists.debian.org/debian-lts-announce/2022/05/msg00003.html"},{"refsource":"FEDORA","name":"FEDORA-2022-71b66d4747","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GLKHA6WREIVAMBQD7KKWYHPHGGNKMAG6/"},{"refsource":"FEDORA","name":"FEDORA-2022-9a489fa494","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7U6KYDTOLPICAVSR34G2WRYLFBD2YW5K/"},{"url":"https://www.oracle.com/security-alerts/cpujul2022.html","refsource":"MISC","name":"https://www.oracle.com/security-alerts/cpujul2022.html"}]},"source":{"advisory":"GHSA-c2jg-hw38-jrqq","discovery":"UNKNOWN"}},"nvd":{"publishedDate":"2022-04-04 18:15:00","lastModifiedDate":"2023-11-07 03:44:00","problem_types":["CWE-444"],"metrics":{"baseMetricV3":{"cvssV3":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H","attackVector":"NETWORK","attackComplexity":"HIGH","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH","baseScore":8.1,"baseSeverity":"HIGH"},"exploitabilityScore":2.2,"impactScore":5.9},"baseMetricV2":{"cvssV2":{"version":"2.0","vectorString":"AV:N/AC:M/Au:N/C:P/I:P/A:P","accessVector":"NETWORK","accessComplexity":"MEDIUM","authentication":"NONE","confidentialityImpact":"PARTIAL","integrityImpact":"PARTIAL","availabilityImpact":"PARTIAL","baseScore":6.8},"severity":"MEDIUM","exploitabilityScore":8.6,"impactScore":6.4,"acInsufInfo":false,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":false}},"configurations":{"CVE_data_version":"4.0","nodes":[{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:twistedmatrix:twisted:*:*:*:*:*:*:*:*","versionEndExcluding":"22.4.0","cpe_name":[]}]},{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*","cpe_name":[]}]},{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:o:fedoraproject:fedora:35:*:*:*:*:*:*:*","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:o:fedoraproject:fedora:36:*:*:*:*:*:*:*","cpe_name":[]}]},{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:oracle:zfs_storage_appliance_kit:8.8:*:*:*:*:*:*:*","cpe_name":[]}]}]}},"legacy_mitre":{"record":{"CveYear":"2022","CveId":"24801","Ordinal":"228234","Title":"CVE-2022-24801","CVE":"CVE-2022-24801","Year":"2022"},"notes":[{"CveYear":"2022","CveId":"24801","Ordinal":"1","NoteData":"** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.","Type":"Description","Title":null}]}}}