PT-2022-5090 · Pallets · Werkzeug
Acipmo
Published 2022-02-17 · Updated 2025-04-11
CVE-2022-29361
CVSS v2.0: 10.0 (Critical)
| Vector | AV:N/AC:L/Au:N/C:C/I:C/A:C |
Name of the Vulnerable Software and Affected Versions
Pallets Werkzeug versions 2.1.0 and below
Description
Werkzeug 2.1.0 and earlier frames HTTP requests improperly, so an attacker can send a crafted request whose body contains one or more further HTTP requests and have that body interpreted as additional requests (HTTP Request Smuggling). When a front-end proxy and the Werkzeug parser disagree about where one request ends and the next begins, the attacker-controlled request is effectively prepended to the next request on the same connection, which is the usual route to bypassing front-end access controls or poisoning other clients' responses. The vendor's position is that this can only occur in unsupported configurations: development mode combined with an HTTP server from outside the Werkzeug project. The Werkzeug development server is not intended for production use, and the CVSS v2 score above (NVD's assessment) does not take that qualification into account, so the practical severity in a supported production deployment is considerably lower than the score suggests.
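As an added illustration of the pattern in the description (constructed example code, not Werkzeug's parser and not the vendor's code), the following Python feeds the same bytes to two models of a backend: a lenient one that parses request heads but never drains an unread body, so the body of one request is read as the next request on the connection, and a strict one that frames each request by exactly one unambiguous length, decodes chunked bodies, and refuses conflicting Content-Length and Transfer-Encoding headers. The sample requests, the host name and all function names are assumptions made for this example.

```python
# Added example (not Werkzeug's code): lenient backend model vs. strict HTTP/1.1 framing.
import re
from typing import List, Optional, Tuple

CRLF = b"\r\n"

class FramingError(ValueError):
    """Request cannot be framed unambiguously; a hardened server closes the connection."""

def _parse_head(buf: bytes, pos: int) -> Optional[Tuple[bytes, list, int]]:
    """Parse request line and headers at pos; None if the head is incomplete."""
    end = buf.find(CRLF + CRLF, pos)
    if end < 0:
        return None
    lines = buf[pos:end].split(CRLF)
    headers = []
    for line in lines[1:]:
        name, sep, value = line.partition(b":")
        if not sep or not name.strip():
            raise FramingError("malformed header line: %r" % line)
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers, end + 4

def _read_chunked(buf: bytes, pos: int) -> Tuple[bytes, int]:
    """Decode a chunked body at pos; return (body, position after it)."""
    body = b""
    while True:
        eol = buf.find(CRLF, pos)
        if eol < 0:
            raise FramingError("truncated chunk-size line")
        size_field = buf[pos:eol].split(b";", 1)[0].strip()  # drop chunk extensions
        if not re.fullmatch(rb"[0-9a-fA-F]+", size_field):
            raise FramingError("bad chunk size: %r" % size_field)
        size, pos = int(size_field, 16), eol + 2
        if size == 0:  # last-chunk, optionally followed by trailer fields
            if buf[pos:pos + 2] == CRLF:
                return body, pos + 2
            end = buf.find(CRLF + CRLF, pos)
            if end < 0:
                raise FramingError("truncated trailer section")
            return body, end + 4
        chunk = buf[pos:pos + size]
        if len(chunk) < size or buf[pos + size:pos + size + 2] != CRLF:
            raise FramingError("truncated or unterminated chunk")
        body, pos = body + chunk, pos + size + 2

def lenient_split(buf: bytes) -> List[bytes]:
    """Backend model that parses heads but never drains bodies: returns every request line found."""
    request_lines, pos = [], 0
    while pos < len(buf):
        head = _parse_head(buf, pos)
        if head is None:
            break
        request_line, _headers, pos = head  # body bytes are left in the buffer
        request_lines.append(request_line)
    return request_lines

def strict_split(buf: bytes) -> List[Tuple[bytes, list, bytes]]:
    """Hardened framing: one unambiguous body length per request, body fully consumed."""
    requests, pos = [], 0
    while pos < len(buf):
        head = _parse_head(buf, pos)
        if head is None:
            raise FramingError("incomplete request head")
        request_line, headers, pos = head
        lengths = [v for k, v in headers if k == b"content-length"]
        encodings = [v.lower() for k, v in headers if k == b"transfer-encoding"]
        if lengths and encodings:
            raise FramingError("both Content-Length and Transfer-Encoding present")
        if encodings:
            if encodings != [b"chunked"]:
                raise FramingError("unsupported Transfer-Encoding: %r" % encodings)
            body, pos = _read_chunked(buf, pos)
        elif lengths:
            if len(set(lengths)) != 1 or not re.fullmatch(rb"[0-9]+", lengths[0]):
                raise FramingError("conflicting or non-numeric Content-Length: %r" % lengths)
            n = int(lengths[0])
            body, pos = buf[pos:pos + n], pos + n
            if len(body) < n:
                raise FramingError("body shorter than Content-Length")
        else:
            body = b""
        requests.append((request_line, headers, body))
    return requests

def accepted_by_strict(buf: bytes) -> bool:
    """True if the strict parser frames the whole buffer without a FramingError."""
    try:
        strict_split(buf)
        return True
    except FramingError:
        return False

# Constructed sample: a single POST whose body is a complete GET request (host name is made up).
SMUGGLED_BODY = b"GET /admin HTTP/1.1\r\nHost: app.example\r\n\r\n"
SMUGGLED = b"POST / HTTP/1.1\r\nHost: app.example\r\nContent-Length: %d\r\n\r\n" % len(SMUGGLED_BODY) + SMUGGLED_BODY
# Constructed sample with conflicting framing headers that a strict parser must refuse.
AMBIGUOUS = b"POST / HTTP/1.1\r\nHost: app.example\r\nContent-Length: 5\r\nTransfer-Encoding: chunked\r\n\r\n0\r\n\r\n"
```

Calling `strict_split(SMUGGLED)` yields one request whose body is the embedded GET, while `lenient_split(SMUGGLED)` yields two request lines, `POST /` and `GET /admin`; `accepted_by_strict(AMBIGUOUS)` is False. That disagreement between two parsers on one byte stream is what makes smuggling exploitable, which is why the mitigation is a strictly framing production server rather than the development server.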
Recommendations
For versions 2.1.0 and below, do not run Werkzeug in development mode together with an HTTP server from outside the Werkzeug project; that is the unsupported configuration in which the vendor says the issue occurs. Serve the application with a production WSGI server (for example Gunicorn, uWSGI or Waitress) and never expose the Werkzeug development server (`werkzeug.serving.run_simple`, `flask run`) to untrusted networks. Prefer front-end servers and proxies that frame requests strictly: they should reject a request that carries both Content-Length and Transfer-Encoding, reject conflicting or non-numeric Content-Length values, and close the connection on any framing error instead of reinterpreting leftover body bytes as a new request. This entry does not record a release that fixes the issue; track the Werkzeug changelog and upgrade once a fixed version is listed.
Weakness Enumeration
CWE-444: Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')
Related Identifiers
CVE-2022-29361
Affected Products
Alt Linux
Werkzeug