GHSA-c2jg-hw38-jrqq
HIGHInconsistent Interpretation of HTTP Requests in twisted.web
EPSS Exploitation Probability
EPSS (Exploit Prediction Scoring System) is a daily probability model maintained by FIRST.org. It estimates the likelihood a CVE will be exploited in production environments within the next 30 days, derived from real-world threat intelligence signals.
Blast Radius
twistedReal-time download stats are indexed for npm and PyPI packages. This vulnerability affects PyPI packages — download data is not available via public APIs for these ecosystems.
Description
The Twisted Web HTTP 1.1 server, located in the twisted.web.http module, parsed several HTTP request constructs more leniently than permitted by RFC 7230:
- The Content-Length header value could have a
+or-prefix. - Illegal characters were permitted in chunked extensions, such as the LF (
\n) character. - Chunk lengths, which are expressed in hexadecimal format, could have a prefix of
0x. - HTTP headers were stripped of all leading and trailing ASCII whitespace, rather than only space and HTAB (
\t).
This non-conformant parsing can lead to desync if requests pass through multiple HTTP parsers, potentially resulting in HTTP request smuggling.
Impact
You may be affected if:
- You use Twisted Web's HTTP 1.1 server and/or proxy
- You also pass requests through a different HTTP server and/or proxy
The specifics of the other HTTP parser matter. The original report notes that some versions of Apache Traffic Server and HAProxy have been vulnerable in the past. HTTP request smuggling may be a serious concern if you use a proxy to perform request validation or access control.
The Twisted Web client is not affected. The HTTP 2.0 server uses a different parser, so it is not affected.
Patches
The issue has been addressed in Twisted 22.4.0rc1 and later.
Workarounds
Other than upgrading Twisted, you could:
- Ensure any vulnerabilities in upstream proxies have been addressed, such as by upgrading them
- Filter malformed requests by other means, such as configuration of an upstream proxy
Credits
This issue was initially reported by Zhang Zeyu.
Affected Packages
| Ecosystem | Package | Vulnerable range | Fix |
|---|---|---|---|
| 🐍PyPI | twisted | all versions | 22.4.0 |
Detection & mitigation playbook
Open-source dependencyDetect
Scan your dependency tree (package-lock.json, pnpm-lock.yaml, requirements.txt, go.sum, etc.) for twisted. O3's reachability analysis confirms whether the vulnerable code path is actually invoked in your application, so you act on real exposure instead of every transitive match.
Fix
Update twisted to 22.4.0 or later, then make sure no transitive (indirect) dependency still pins the vulnerable range — O3 confirms GHSA-c2jg-hw38-jrqq is resolved across your whole dependency graph.
Workarounds
If you can't upgrade right away: gate or disable the affected feature, validate untrusted input at the boundary, and avoid passing attacker-controlled data into the vulnerable path. O3's runtime protection blocks exploitation in production as an interim safeguard until the upgrade lands.
How O3 protects you
O3 pinpoints whether GHSA-c2jg-hw38-jrqq is reachable in your code and exactly where to fix it, then blocks exploitation in production at runtime until the patched version is deployed.
Tailored to GHSA-c2jg-hw38-jrqq. Runtime protection reduces exposure until a permanent patch is applied and verified — it complements patching, it doesn't replace it.
Frequently Asked Questions
Is GHSA-c2jg-hw38-jrqq in your dependencies?
O3 detects GHSA-c2jg-hw38-jrqq across PyPI dependencies and uses function-level reachability to confirm whether the vulnerable code path is actually reachable — not just present. No false positives.