CVE-2022-24801

8.1 HIGH

📋 TL;DR

This vulnerability in Twisted's HTTP 1.1 server allows HTTP request smuggling due to non-RFC-compliant parsing of HTTP requests. Attackers can exploit this to bypass security controls, poison caches, or hijack user sessions when requests pass through multiple HTTP parsers. Only users of Twisted Web's HTTP 1.1 server/proxy who also pass requests through other HTTP servers/proxies are affected.

💻 Affected Systems

Products:
  • Twisted Web HTTP 1.1 Server
Versions: All versions prior to 22.4.0rc1
Operating Systems: All platforms running Python 3.6+
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects HTTP 1.1 server in twisted.web.http module. HTTP 2.0 server and Twisted Web client are not affected. Requires requests to pass through multiple HTTP parsers (e.g., frontend proxy + Twisted).

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers smuggle malicious HTTP requests past security controls, leading to cache poisoning, session hijacking, credential theft, or web cache deception attacks against downstream users.

🟠

Likely Case

HTTP request smuggling enabling cache poisoning or bypassing security filters in multi-proxy environments, potentially allowing unauthorized access to protected resources.

🟢

If Mitigated

Impact is limited to protocol anomalies that properly configured upstream proxies reject, or is avoided entirely where unaffected components such as the HTTP 2.0 server are used.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Exploitation requires specific HTTP request crafting and a multi-parser environment. HTTP request smuggling techniques are well documented, and tools exist for similar vulnerabilities.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 22.4.0rc1 and later

Vendor Advisory: https://github.com/twisted/twisted/security/advisories/GHSA-c2jg-hw38-jrqq

Restart Required: Yes

Instructions:

1. Upgrade Twisted to version 22.4.0rc1 or later using pip: 'pip install --upgrade "twisted>=22.4.0rc1"' (the quotes keep the shell from treating '>=' as a redirection)
2. Restart all Twisted Web HTTP 1.1 server instances
3. Verify the upgrade with 'python -c "import twisted; print(twisted.__version__)"'

🔧 Temporary Workarounds

Upgrade Upstream Proxies

all

Ensure all upstream HTTP proxies are patched against similar vulnerabilities to prevent request smuggling attempts

Filter Malformed Requests

all

Configure upstream proxies to reject non-RFC-compliant HTTP requests before they reach Twisted servers

🧯 If You Can't Patch

  • Deploy a WAF or reverse proxy configured to strictly validate HTTP requests against RFC 7230
  • Migrate affected services to Twisted's HTTP 2.0 server, which uses a different, unaffected parser

🔍 How to Verify

Check if Vulnerable:

Check the Twisted version: 'python -c "import twisted; print(twisted.__version__)"'. If the version is below 22.4.0rc1 and the HTTP 1.1 server is in use, the system is vulnerable.

Check Version:

python -c "import twisted; print(twisted.__version__)"

Verify Fix Applied:

Verify that the version is 22.4.0rc1 or higher, then test your deployment with HTTP request smuggling test tools.

📡 Detection & Monitoring

Log Indicators:

  • Unusual HTTP request parsing errors
  • Requests with malformed headers or transfer encodings
  • Mismatched request/response sequences in logs

Network Indicators:

  • HTTP requests with non-RFC-compliant header formatting
  • Duplicate Host headers
  • Chunked encoding anomalies

SIEM Query:

source="*twisted*" AND ("HTTP/1.1" OR "transfer-encoding" OR "content-length") AND (error OR malformed OR invalid)
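To make the log and network indicators above concrete, here is an added Python checker (not Twisted's code and not from the advisory) that flags RFC 7230 header anomalies associated with request smuggling in a captured request head: duplicate Host, Content-Length together with Transfer-Encoding, conflicting or non-numeric Content-Length, malformed field names, obs-fold continuations and unusual Transfer-Encoding chains. It applies general RFC 7230 rules rather than the specific parser behaviours fixed in 22.4.0rc1, and the sample request heads are constructed.

```python
import re
from typing import List, Tuple

# RFC 7230 "token" characters permitted in a header-field name.
_TOKEN = re.compile(r"^[!#$%&'*+.^_`|~0-9A-Za-z-]+$")
_KNOWN_CODINGS = {"chunked", "gzip", "x-gzip", "compress", "x-compress", "deflate"}

def audit_request_head(raw: bytes) -> List[str]:
    """Return RFC 7230 anomalies in an HTTP/1.1 request head (request line plus
    CRLF-delimited headers). An empty list means nothing smuggling-relevant found."""
    findings: List[str] = []
    headers: List[Tuple[str, str]] = []  # (lowercased name, value) in wire order
    for line in raw.split(b"\r\n")[1:]:
        if line == b"":
            break  # end of header block
        if line[:1] in (b" ", b"\t"):
            # obs-fold continuation: deprecated, and parsers disagree on how to treat it
            findings.append("obs-fold header continuation")
            continue
        name, sep, value = line.partition(b":")
        if not sep or not _TOKEN.match(name.decode("latin-1")):
            # catches a missing colon and whitespace before it ("Content-Length : 5")
            findings.append(f"malformed header field: {line!r}")
            continue
        headers.append((name.decode("latin-1").lower(), value.strip().decode("latin-1")))

    def values(field: str) -> List[str]:
        return [v for k, v in headers if k == field]

    hosts = values("host")
    if len(hosts) != 1:  # RFC 7230 5.4: exactly one Host field is required
        findings.append(f"expected exactly one Host header, got {len(hosts)}")
    cls, tes = values("content-length"), values("transfer-encoding")
    if cls and tes:  # the classic CL/TE desynchronisation precondition
        findings.append("both Content-Length and Transfer-Encoding present")
    if len(set(cls)) > 1:
        findings.append(f"conflicting Content-Length values: {cls}")
    findings += [f"non-numeric Content-Length: {cl!r}" for cl in cls if not cl.isdigit()]
    if tes:
        codings = [c.strip().lower() for v in tes for c in v.split(",")]
        if codings[-1] != "chunked" or not set(codings) <= _KNOWN_CODINGS:
            findings.append(f"unusual Transfer-Encoding chain: {codings}")
    return findings

# Constructed sample heads (not captured traffic): a clean POST and one carrying
# several of the indicators listed above (duplicate Host, CL+TE, malformed field).
CLEAN_HEAD = b"POST / HTTP/1.1\r\nHost: app.example\r\nContent-Length: 5\r\n\r\n"
SUSPECT_HEAD = (b"POST / HTTP/1.1\r\nHost: app.example\r\nHost: other.example\r\n"
                b"Content-Length : 5\r\nTransfer-Encoding: chunked\r\n"
                b"Content-Length: 6\r\n\r\n")
```

Run it over request heads reconstructed from a packet capture or proxy debug log at the boundary in front of Twisted; any non-empty result is a candidate for the "malformed headers or transfer encodings" indicator above.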
