PT-2026-36541 · Bandit · Bandit

Credits: Jonatan Männchen (+2)
Published: 2026-05-01
Updated: 2026-05-07
CVE: CVE-2026-39805
CVSS v4.0: 6.3 (Medium)
Vector: AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: bandit versions prior to 1.11.0
Description: Inconsistent interpretation of HTTP requests allows HTTP request smuggling via duplicate Content-Length headers. The function get_content_length() in Elixir.Bandit.Headers uses List.keyfind/3, which returns only the first matching header. If a request contains two Content-Length headers with different values, Bandit accepts it, uses the first value to read the body, and treats the remaining bytes as a second pipelined request on the same keep-alive connection. This contradicts RFC 9112 §6.3, which requires such a request to be treated as an unrecoverable framing error. When Bandit is positioned behind a proxy that selects the last Content-Length value, an unauthenticated attacker can smuggle requests that bypass edge WAF rules, path-based ACLs, rate limiting, and audit logging.
Recommendations: Update to version 1.11.0 or later.
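The framing difference described above, as an added Python example (not Bandit's own Elixir code): a first-match lookup of the kind List.keyfind/3 performs, beside an RFC 9112 §6.3 check that rejects a request whose Content-Length values disagree. The request bytes are constructed for the example.

```python
import re

_DIGITS = re.compile(r"^[0-9]+$")

def split_request(raw: bytes):
    """Split raw bytes at the first CRLFCRLF into (header lines, body bytes)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    return head.decode("latin-1").split("\r\n")[1:], body  # [1:] drops request line

def content_length_values(header_lines):
    """Every Content-Length value in order; a comma list counts as several values."""
    vals = []
    for line in header_lines:
        name, _, value = line.partition(":")
        if name.strip().lower() == "content-length":
            vals.extend(v.strip() for v in value.split(","))
    return vals

def first_value_framing(raw: bytes):
    """Vulnerable keyfind-style behaviour: trust the first header only."""
    hdrs, body = split_request(raw)
    n = int(content_length_values(hdrs)[0])
    return body[:n], body[n:]  # surplus bytes would be parsed as a second request

def strict_framing(raw: bytes):
    """RFC 9112 s6.3 behaviour: values must be valid and identical, else reject."""
    hdrs, body = split_request(raw)
    vals = content_length_values(hdrs)
    if any(not _DIGITS.match(v) for v in vals) or len(set(vals)) > 1:
        raise ValueError("conflicting or invalid Content-Length: %r" % vals)
    n = int(vals[0]) if vals else 0  # no Content-Length means no message body
    if len(body) < n:
        raise ValueError("body shorter than declared Content-Length")
    return body[:n], body[n:]

def is_rejected(raw: bytes) -> bool:
    """True when the strict parser refuses the request."""
    try:
        strict_framing(raw)
        return False
    except ValueError:
        return True

# Constructed sample request: two Content-Length headers that disagree.
SAMPLE = (b"POST /submit HTTP/1.1\r\nHost: app.example\r\n"
          b"Content-Length: 4\r\nContent-Length: 11\r\n\r\nAAAABBBBBBB")
```

Run against SAMPLE, the first-match version returns a 4-byte body and leaves 7 bytes on the connection, while the strict version rejects the request outright; identical repeated values are still accepted.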

Weakness Enumeration

HTTP Request/Response Smuggling

Related Identifiers

CVE-2026-39805
GHSA-C67R-GC9J-2QF7

Affected Products

Bandit