Cyber Resilience

CVE-2022-29361

Critical

Published: 25 May 2022
Modified: 21 November 2024
KEV Added:
Patch:
CVSS Score v3.1: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.3111 (96.9th percentile)
Risk Priority: 38 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2022-29361 is a critical-severity HTTP Request/Response Smuggling (CWE-444) vulnerability in Palletsprojects Werkzeug. Its CVSS base score is 9.8 (Critical).

Operationally, this CVE is ranked in the top 3.1% of all CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog.

Deeper analysis

CVE-2022-29361 is an HTTP request smuggling vulnerability affecting Pallets Werkzeug versions 2.1.0 and earlier. It stems from improper parsing of HTTP requests that permits multiple requests to be embedded inside a single request body, classified under CWE-444. The issue carries a CVSS 3.1 score of 9.8 and can be triggered when Werkzeug is used in certain configurations with an external HTTP server.

An unauthenticated remote attacker can exploit the flaw by sending a specially crafted HTTP request containing additional requests in the body. Successful exploitation allows the attacker to smuggle requests past front-end proxies or security controls, potentially leading to unauthorized access, cache poisoning, or other impacts on backend applications.

The referenced GitHub commit and issue indicate that a fix was applied to address the parsing behavior. The vendor states that the vulnerability manifests only in unsupported configurations that combine development mode with an external HTTP server outside the Werkzeug project.

EPSS for the CVE sits at 0.3111 with no material rise from its initial value, indicating moderate but stable exploitation interest since disclosure.

EU & UK References

Vulnerability details

Improper parsing of HTTP requests in Pallets Werkzeug v2.1.0 and below allows attackers to perform HTTP Request Smuggling using a crafted HTTP request with multiple requests included inside the body. NOTE: the vendor's position is that this behavior can only occur in unsupported configurations involving development mode and an HTTP server from outside the Werkzeug project.

CWE(s)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

palletsprojects werkzeug, versions ≤ 2.1.0

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.

References