CVE-2022-29361

9.8 CRITICAL

📋 TL;DR

CVE-2022-29361 is an HTTP request smuggling vulnerability in Pallets Werkzeug v2.1.0 and below that allows attackers to bypass security controls by sending crafted HTTP requests containing multiple requests in the body. This affects applications using Werkzeug's development server in unsupported configurations. The vendor notes this only occurs in development mode with external HTTP servers.

💻 Affected Systems

Products:
  • Pallets Werkzeug
Versions: v2.1.0 and below
Operating Systems: All
Default Config Vulnerable: ✅ No
Notes: Only vulnerable in development mode with external HTTP servers (not Werkzeug's built-in server). Production configurations with supported servers are not affected.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Attackers could bypass authentication or access control, or perform cache poisoning attacks leading to data theft or system compromise.

🟠 Likely Case: HTTP request smuggling that lets attackers manipulate request processing and potentially bypass security filters.

🟢 If Mitigated: Limited impact if proper production configurations are used with supported HTTP servers.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires specific unsupported configurations but is straightforward when conditions are met.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: v2.1.1 and above

Vendor Advisory: https://github.com/pallets/werkzeug/security/advisories/GHSA-2p5j-mcrf-ffh8

Restart Required: Yes

Instructions:

1. Update Werkzeug to v2.1.1 or later using pip: pip install --upgrade werkzeug
2. Restart the application server
3. Verify the update with: python -c "import werkzeug; print(werkzeug.__version__)"

🔧 Temporary Workarounds

Disable development mode (Operating Systems: all)

Ensure Werkzeug is running in production mode with supported HTTP servers only.

export FLASK_ENV=production
export FLASK_DEBUG=0

Use Werkzeug's built-in development server (Operating Systems: all)

Avoid using external HTTP servers with Werkzeug in development mode.

🧯 If You Can't Patch

  • Ensure Werkzeug is only used in production configurations with supported HTTP servers (not development mode with external servers).
  • Implement network-level controls like WAFs to detect and block HTTP request smuggling attempts.

🔍 How to Verify

Check if Vulnerable:

Check whether the Werkzeug version is 2.1.0 or below and the application is running in development mode behind an external HTTP server.

Check Version:

python -c "import werkzeug; print(werkzeug.__version__)"

Verify Fix Applied:

Verify that the Werkzeug version is 2.1.1 or above, and that development mode is disabled or only Werkzeug's built-in server is used.
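The two checks above as a script, added here as an example (not code from the page or the Werkzeug project): it parses the installed version against the v2.1.1 fix threshold, including pre-release strings, and treats the FLASK_ENV / FLASK_DEBUG variables from the workaround section as the development-mode signal. The function names and the choice of those two variables as the indicator are assumptions; whether an external HTTP server sits in front must still be confirmed separately.

```python
import os
import re

# Threshold from the advisory: Werkzeug v2.1.0 and below are affected, v2.1.1 fixes it.
FIXED_VERSION = (2, 1, 1)

# Accepts '2.1.0', 'v2.1.0', '2.1.1rc1', '2.1.1.dev0', '2.2' (patch defaults to 0).
_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)(?:\.(\d+))?(?P<pre>(?:a|b|rc|\.dev)\d*)?")

def parse_version(text):
    """Return (major, minor, patch, is_prerelease) from a Werkzeug version string."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Werkzeug version: {text!r}")
    major, minor, patch = int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)
    return major, minor, patch, m.group("pre") is not None

def version_is_affected(text):
    """True for 2.1.0 and older. A pre-release of the fix version (2.1.1rc1, 2.1.1.dev0)
    is conservatively treated as still affected."""
    major, minor, patch, pre = parse_version(text)
    base = (major, minor, patch)
    return bool(base < FIXED_VERSION or (base == FIXED_VERSION and pre))

def development_mode(env=None):
    """Assumption: development mode is signalled by the FLASK_ENV / FLASK_DEBUG
    variables that the workaround section sets; other signals are out of scope here."""
    env = os.environ if env is None else env
    flask_env = env.get("FLASK_ENV", "production").strip().lower()
    flask_debug = env.get("FLASK_DEBUG", "0").strip().lower()
    return flask_env == "development" or flask_debug in ("1", "true", "yes", "on")

def assess(version_text, env=None):
    """'patched': 2.1.1 or later; 'mitigated': affected version but not in development
    mode; 'exposed': affected version in development mode (still confirm an external
    HTTP server, not Werkzeug's own, is in front before treating it as exploitable)."""
    if not version_is_affected(version_text):
        return "patched"
    return "exposed" if development_mode(env) else "mitigated"

if __name__ == "__main__":
    try:
        import werkzeug
        installed = werkzeug.__version__
    except ImportError:
        installed = "2.1.0"  # constructed fallback so the script runs without Werkzeug installed
    print(f"Werkzeug {installed}: {assess(installed)}")
```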

📡 Detection & Monitoring

Log Indicators:

  • Multiple HTTP requests in single log entries
  • Unusual request parsing errors
  • Malformed HTTP headers in logs

Network Indicators:

  • HTTP requests with unusual body structures
  • Requests containing multiple HTTP methods in body

SIEM Query:

source="*werkzeug*" AND ("malformed request" OR "request smuggling" OR "invalid http")
