Kenballus

Name of the Vulnerable Software and Affected Versions: Node.js versions prior to the llhttp v9 upgrade node-undici in Debian Linux (affected versions not specified) Description: A flaw in the HTTP parser of Node.js allows improper termination of HTTP/1 headers using `r rX` instead of the required `r r `. This inconsistency enables request smuggling, allowing attackers to bypass proxy-based access controls and submit unauthorized requests. Recommendations: For Node.js versions prior to the llhttp v9 upgrade, upgrade llhttp to version 9 to enforce correct header termination. For node-undici in Debian Linux, at the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Twisted versions prior to 24.7.0rc1 **Description** The HTTP 1.0 and 1.1 server provided by twisted.web could process pipelined HTTP requests out-of-order, possibly resulting in information disclosure. This issue is related to the incorrect handling of HTTP requests. Exploitation of this issue may allow a remote attacker to disclose protected information. For instances of twisted.web HTTP servers deployed behind reverse proxies that implement connection pooling, it may be possible for remote attackers to receive responses intended for other clients of the twisted.web server. **Recommendations** As a temporary workaround, consider disabling the `twisted.web` module until a patch is available. For versions prior to 24.7.0rc1, update to version 24.7.0rc1 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** aiohttp versions prior to 3.8.6 **Description** The HTTP parser in aiohttp has numerous problems with header parsing, which could lead to request smuggling. This issue is related to the handling of `Content-Length` values, improper handling of NUL, CR, and LF in header values, and improper stripping of whitespace before colon in HTTP headers. The parser is only used when `AIOHTTP NO EXTENSIONS` is enabled. **Recommendations** For versions prior to 3.8.6, upgrade to version 3.8.6 or later to address the issue. As a temporary workaround, consider disabling the use of `AIOHTTP NO EXTENSIONS` to prevent the vulnerable parser from being used. Reject all messages with NUL, CR, or LF in a header value and reject all messages with whitespace before a colon in a header field. Verify that a `Content-Length` value consists only of ASCII digits before parsing.

**Name of the Vulnerable Software and Affected Versions** Puma versions prior to 6.3.1 Puma versions prior to 5.6.7 **Description** The issue is related to incorrect behavior when parsing chunked transfer encoding bodies and zero-length Content-Length headers, allowing HTTP request smuggling. This could be caused by either incorrect parsing of trailing fields in chunked transfer encoding bodies or by parsing of blank/zero-length Content-Length headers. The severity of this issue is highly dependent on the nature of the web site using Puma. **Recommendations** For versions prior to 6.3.1, upgrade to version 6.3.1 or later. For versions prior to 5.6.7, upgrade to version 5.6.7 or later. As a temporary workaround, consider restricting access to vulnerable API endpoints until a patch is available. Avoid using blank or zero-length Content-Length headers in HTTP requests until the issue is resolved.