Apache · Apache Tomcat · CVE-2022-42252
**Name of the Vulnerable Software and Affected Versions**
Apache Tomcat versions 8.5.0 through 8.5.82
Apache Tomcat versions 9.0.0-M1 through 9.0.67
Apache Tomcat versions 10.0.0-M1 through 10.0.26
Apache Tomcat versions 10.1.0-M1 through 10.1.0
**Description**
The issue lies in the implementation of the `rejectIllegalHeader` attribute in Apache Tomcat. When this setting is `false`, Tomcat does not reject a request that carries an invalid `Content-Length` header. If such a Tomcat instance sits behind a reverse proxy that also fails to reject the request, the proxy and Tomcat can disagree about where one request ends and the next begins, which makes HTTP request smuggling possible and allows a remote attacker to send hidden HTTP requests.
**Recommendations**
For Apache Tomcat versions 8.5.0 through 8.5.82, update the configuration to set `rejectIllegalHeader` to `true` or upgrade to a version where this is the default.
For Apache Tomcat versions 9.0.0-M1 through 9.0.67, ensure that `rejectIllegalHeader` is set to `true` and consider upgrading to a newer version.
For Apache Tomcat versions 10.0.0-M1 through 10.0.26, set `rejectIllegalHeader` to `true` and consider upgrading.
For Apache Tomcat versions 10.1.0-M1 through 10.1.0, set `rejectIllegalHeader` to `true` and consider upgrading to a version where this vulnerability is fixed.
As a temporary workaround, consider restricting access to the server or disabling the processing of requests with invalid `Content-Length` headers until a patch is available.
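The recommendations above all come down to one configuration check: every HTTP/1.1 `Connector` in Tomcat's `server.xml` should carry `rejectIllegalHeader="true"`. The following script is an added example written for this page, not code from the Apache Tomcat project or from the advisory's author. It audits a constructed `server.xml` fragment (the connectors, ports and attribute values are made up for illustration) and shows the weak setting beside the corrected one by rewriting any HTTP connector whose `rejectIllegalHeader` is missing or not `true`.

```python
"""Audit Tomcat server.xml Connector elements for the rejectIllegalHeader setting.

Added example for CVE-2022-42252 mitigation; not part of Apache Tomcat.
"""
import xml.etree.ElementTree as ET

# Constructed sample server.xml (not a real deployment): a weak connector,
# a hardened connector, one that relies on the version default, and an AJP
# connector, which does not take the rejectIllegalHeader attribute.
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1"
               connectionTimeout="20000"
               rejectIllegalHeader="false"/>
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               SSLEnabled="true"
               rejectIllegalHeader="true"/>
    <Connector port="8081" connectionTimeout="20000"/>
    <Connector port="8009" protocol="AJP/1.3" secretRequired="true"/>
  </Service>
</Server>
"""


def is_http_connector(conn):
    """True for HTTP/1.1 connectors: no protocol attribute (Tomcat defaults to
    HTTP/1.1) or an explicit HTTP/1.1 / Http11* protocol class name."""
    proto = conn.get("protocol")
    return proto is None or "HTTP/1.1" in proto or "Http11" in proto


def audit_connectors(xml_text):
    """Return one finding per HTTP connector.

    status is "ok" when rejectIllegalHeader is explicitly true, "weak" when it
    is set to anything else, and "unset" when the connector relies on the
    default of the installed Tomcat version (the advisory asks for an explicit
    true, so "unset" is still something to fix).
    """
    root = ET.fromstring(xml_text)
    findings = []
    for conn in root.iter("Connector"):
        if not is_http_connector(conn):
            continue
        value = conn.get("rejectIllegalHeader")
        if value is None:
            status = "unset"
        elif value.strip().lower() == "true":
            status = "ok"
        else:
            status = "weak"
        findings.append(
            {"port": conn.get("port"), "rejectIllegalHeader": value, "status": status}
        )
    return findings


def harden_server_xml(xml_text):
    """Return (hardened_xml, number_of_connectors_changed).

    Every HTTP connector that is not already rejectIllegalHeader="true" gets
    the attribute set explicitly. ElementTree drops XML comments on output,
    so treat the result as a guide for editing the real file, not a drop-in
    replacement.
    """
    root = ET.fromstring(xml_text)
    changed = 0
    for conn in root.iter("Connector"):
        if not is_http_connector(conn):
            continue
        if conn.get("rejectIllegalHeader", "").strip().lower() != "true":
            conn.set("rejectIllegalHeader", "true")
            changed += 1
    return ET.tostring(root, encoding="unicode"), changed


if __name__ == "__main__":
    for finding in audit_connectors(SAMPLE_SERVER_XML):
        print(f"port {finding['port']}: rejectIllegalHeader="
              f"{finding['rejectIllegalHeader']!r} -> {finding['status']}")
    hardened, n = harden_server_xml(SAMPLE_SERVER_XML)
    print(f"\n{n} connector(s) rewritten; hardened configuration:\n{hardened}")
```

Run it against your own `server.xml` by replacing `SAMPLE_SERVER_XML` with the file's contents; any connector reported as `weak` or `unset` is one where the advisory's recommendation has not been applied.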