CVE-2025-29904

5.3 MEDIUM

📋 TL;DR

CVE-2025-29904 is an HTTP request smuggling vulnerability in the JetBrains Ktor framework, affecting versions before 3.1.1. It allows attackers to bypass security controls, poison caches, or hijack user sessions by manipulating HTTP request sequences. Organizations running vulnerable Ktor versions in web applications are affected.

💻 Affected Systems

Products:
  • JetBrains Ktor
Versions: All versions before 3.1.1
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects applications using Ktor's HTTP server functionality. Applications using Ktor only as a client are not affected.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Attackers could bypass authentication, hijack user sessions, poison web caches, or perform cross-site scripting attacks against other users.

🟠 Likely Case: Cache poisoning leading to stored XSS attacks or session hijacking through request smuggling techniques.

🟢 If Mitigated: Limited impact with proper WAF/load balancer configurations that normalize HTTP requests and strict input validation.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

HTTP request smuggling typically requires understanding of HTTP protocol nuances and specific application configurations.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 3.1.1

Vendor Advisory: https://www.jetbrains.com/privacy-security/issues-fixed/

Restart Required: Yes

Instructions:

1. Update Ktor dependency to version 3.1.1 or later in your build configuration.
2. Rebuild and redeploy your application.
3. Restart the application server.

🔧 Temporary Workarounds

Configure HTTP normalization (all): Configure reverse proxies or load balancers to normalize HTTP requests and prevent smuggling

Use strict HTTP parsing (all): Configure web servers to reject malformed HTTP requests with strict parsing rules

🧯 If You Can't Patch

  • Implement Web Application Firewall (WAF) with HTTP request smuggling protection rules
  • Use reverse proxies that normalize HTTP traffic and prevent request smuggling

🔍 How to Verify

Check if Vulnerable:

Check your project's dependency configuration (build.gradle.kts, build.gradle, or pom.xml) for a Ktor version below 3.1.1

Check Version:

Check build configuration files or run: ./gradlew dependencies | grep ktor (for Gradle) or mvn dependency:tree | grep ktor (for Maven)

Verify Fix Applied:

Verify Ktor version is 3.1.1 or higher in your dependency configuration after update

📡 Detection & Monitoring

Log Indicators:

  • Unusual HTTP request patterns
  • Multiple requests from single connection with abnormal timing
  • Requests with conflicting Content-Length and Transfer-Encoding headers

Network Indicators:

  • HTTP requests with malformed headers
  • Requests that appear to contain multiple HTTP requests
  • Abnormal request/response timing patterns

SIEM Query:

http.request.headers contains "Transfer-Encoding" AND http.request.headers contains "Content-Length" AND NOT normalized by proxy
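
The header indicators listed above, as an added detection example (not from the vendor advisory or from JetBrains): it checks captured request header blocks for conflicting Content-Length and Transfer-Encoding headers and for malformed header lines. It assumes raw header bytes are available from a proxy or packet capture; the sample requests and finding names are constructed, and the checks are generic request-smuggling indicators, not a signature for this specific Ktor flaw.

```python
import re

# Constructed sample request heads, as a proxy or packet capture might record them.
SAMPLES = {
    "normal-post": b"POST /api HTTP/1.1\r\nHost: app.example\r\nContent-Length: 12\r\n\r\n",
    "cl-and-te": b"POST /api HTTP/1.1\r\nHost: app.example\r\nContent-Length: 4\r\n"
                 b"Transfer-Encoding: chunked\r\n\r\n",
    "dup-cl": b"POST /api HTTP/1.1\r\nHost: app.example\r\nContent-Length: 4\r\n"
              b"Content-Length: 30\r\n\r\n",
    "odd-te": b"POST /api HTTP/1.1\r\nHost: app.example\r\nTransfer-Encoding : chunked\r\n\r\n",
    "bare-lf": b"GET / HTTP/1.1\nHost: app.example\n\n",
}

# Header field names must be RFC 9110 "token" characters, with no whitespace before the colon.
TOKEN = re.compile(rb"[!#$%&'*+.^_`|~0-9A-Za-z-]+")

def framing_findings(head: bytes) -> list[str]:
    """Return message-framing anomalies found in one raw request header block."""
    findings = []
    if re.search(rb"(?<!\r)\n", head):          # LF not preceded by CR
        findings.append("bare-lf-line-ending")
    cl, te = [], []
    for line in re.split(rb"\r?\n", head)[1:]:  # skip the request line
        if not line:
            continue
        name, sep, value = line.partition(b":")
        if not sep or not TOKEN.fullmatch(name):
            findings.append("malformed-header-name")
        key = name.strip().lower()
        if key == b"content-length":
            cl.append(value.strip())
        elif key == b"transfer-encoding":
            te.append(value.strip().lower())
    if cl and te:
        findings.append("content-length-with-transfer-encoding")
    if len(set(cl)) > 1:
        findings.append("conflicting-content-length")
    if any(not v.isdigit() for v in cl):
        findings.append("non-numeric-content-length")
    if any(v != b"chunked" for v in te):        # legal but rare; worth a review
        findings.append("transfer-encoding-not-plain-chunked")
    return findings

def scan(samples: dict) -> dict:
    """Map each flagged sample name to its findings; clean requests are omitted."""
    return {n: f for n, h in samples.items() if (f := framing_findings(h))}

if __name__ == "__main__":
    for name, found in scan(SAMPLES).items():
        print(name, found)
```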
