PT-2024-5828 · Twisted+5

Kenballus · Published 2024-07-29 · Updated 2025-09-22 · CVE-2024-41671

CVSS v3.1: 8.3 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L
Name of the Vulnerable Software and Affected Versions: Twisted versions prior to 24.7.0rc1

Description: The HTTP/1.0 and HTTP/1.1 server provided by twisted.web could process pipelined HTTP requests out of order, possibly resulting in information disclosure. The root cause is incorrect handling of HTTP requests. Exploitation of this issue may allow a remote attacker to disclose protected information. For twisted.web HTTP servers deployed behind reverse proxies that implement connection pooling, remote attackers may be able to receive responses intended for other clients of the twisted.web server.

Recommendations: As a temporary workaround, consider disabling the twisted.web module until the patch can be applied. For versions prior to 24.7.0rc1, update to version 24.7.0rc1 or later to resolve the issue.

Weakness Enumeration: HTTP Request/Response Smuggling

Related Identifiers

AZL-47101
AZL-47151
BDU:2024-06573
CVE-2024-41671
DLA-3970-1
DSA-5797-1
GHSA-C8M8-J448-XJX7
MGASA-2025-0054
OESA-2024-1983
OESA-2024-1984
OESA-2024-1985
OESA-2024-1986
OESA-2024-2052
OPENSUSE-SU-2024:14228-1
OPENSUSE-SU-2024:14236-1
SUSE-SU-2024:2732-1
SUSE-SU-2024:2757-1
SUSE-SU-2024:2860-1
SUSE-SU-2024:2880-1
SUSE-SU-2024_2732-1
SUSE-SU-2024_2757-1
SUSE-SU-2024_2860-1
SUSE-SU-2024_2880-1
USN-6988-1
USN-6988-2

Affected Products

Astra Linux
Linuxmint
Red Os
Suse
Twisted
Ubuntu