CVE-2022-29361
Published: 25 May 2022
Summary
CVE-2022-29361 is a critical-severity HTTP Request/Response Smuggling (CWE-444) vulnerability in Palletsprojects Werkzeug. Its CVSS base score is 9.8 (Critical).
Operationally, it ranks in the top 3.1% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog.
Deeper analysis
CVE-2022-29361 is an HTTP request smuggling vulnerability affecting Pallets Werkzeug versions 2.1.0 and earlier. It stems from improper parsing of HTTP requests that permits multiple requests to be embedded inside a single request body, classified under CWE-444. The issue carries a CVSS 3.1 score of 9.8 and can be triggered only when Werkzeug is used in certain configurations behind an external HTTP server.
An unauthenticated remote attacker can exploit the flaw by sending a specially crafted HTTP request containing additional requests in the body. Successful exploitation allows the attacker to smuggle requests past front-end proxies or security controls, potentially leading to unauthorized access, cache poisoning, or other impacts on backend applications.
The referenced GitHub commit and issue indicate that a fix was applied to address the parsing behavior. The vendor states that the vulnerability manifests only in unsupported configurations that combine development mode with an external HTTP server outside the Werkzeug project.
The EPSS score for the CVE sits at 0.3111, with no material rise from its initial value, indicating moderate but stable exploitation interest since disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-0363
Vulnerability details
Improper parsing of HTTP requests in Pallets Werkzeug v2.1.0 and below allows attackers to perform HTTP Request Smuggling using a crafted HTTP request with multiple requests included inside the body. NOTE: the vendor's position is that this behavior can only occur in unsupported configurations involving development mode and an HTTP server from outside the Werkzeug project.
- CWE(s): CWE-444 (Inconsistent Interpretation of HTTP Requests, "HTTP Request/Response Smuggling")
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.