CWE | Base | Incomplete | 20 recent CVEs
CWE-444: Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')
Description
The product acts as an intermediary HTTP agent (such as a proxy or firewall) in the data flow between two entities such as a client and server, but it does not interpret malformed HTTP requests or responses in ways that are consistent with how the messages will be processed by those entities that are at the ultimate destination.
Common consequences
- Scope: Integrity, Non-Repudiation, Access Control. Impact: Unexpected State, Hide Activities, Bypass Protection Mechanism. Note: An attacker could create HTTP messages to exploit a number of weaknesses, including 1) the message can trick the web server into associating a URL with another URL's webpage and caching the contents of that webpage (web cache poisoning attack), 2
Potential mitigations
- Implementation: Use a web server that employs a strict HTTP parsing procedure, such as Apache [REF-433].
- Implementation: Use only SSL communication.
- Implementation: Terminate the client session after each request.
- System Configuration: Make all pages non-cacheable.
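The first mitigation asks for a strict HTTP parser at the intermediary. The following is an added example (not text or code from the CWE entry) of the framing checks a reverse proxy or WAF would apply before forwarding a request, rejecting any message whose body length the origin server could determine differently than the proxy did. It assumes CRLF-terminated HTTP/1.1 header blocks and treats every ambiguity as a hard reject rather than trying to "fix" the request.

```python
import re
from typing import List, Optional, Tuple

# Header field names must be RFC 9110 tokens; Content-Length must be plain digits.
_TOKEN = re.compile(rb"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")
_DIGITS = re.compile(rb"^[0-9]+$")


def parse_headers(raw: bytes) -> Optional[List[Tuple[bytes, bytes]]]:
    """Split a request's header block into lower-cased (name, value) pairs.
    Returns None for anything a strict parser must reject: missing CRLFCRLF,
    bare CR or LF inside a line, or whitespace between a name and its colon."""
    head, sep, _body = raw.partition(b"\r\n\r\n")
    if not sep:
        return None
    pairs = []
    for line in head.split(b"\r\n")[1:]:  # skip the request line
        if b"\r" in line or b"\n" in line:
            return None
        name, colon, value = line.partition(b":")
        if not colon or not _TOKEN.match(name):
            return None
        pairs.append((name.lower(), value.strip(b" \t")))
    return pairs


def framing_violation(raw: bytes) -> Optional[str]:
    """Return the reason a strict gateway should reject the request with 400,
    or None when the message body length can be determined in only one way."""
    pairs = parse_headers(raw)
    if pairs is None:
        return "malformed header block"
    cl = [v for n, v in pairs if n == b"content-length"]
    te = [v for n, v in pairs if n == b"transfer-encoding"]
    if cl and te:
        return "both Content-Length and Transfer-Encoding present"
    if len(cl) > 1:
        return "multiple Content-Length headers"
    if cl and not _DIGITS.match(cl[0]):
        return "Content-Length is not a plain decimal integer"
    if te:
        # Fold list-valued headers; every coding must be a clean token and
        # the final one must be exactly 'chunked' (RFC 9112 section 6.1).
        codings = [c.strip(b" \t").lower() for v in te for c in v.split(b",")]
        if any(not _TOKEN.match(c) for c in codings) or codings[-1] != b"chunked":
            return "Transfer-Encoding is malformed or not terminated by chunked"
    return None
```

Every rejection reason is worth logging with the client address: a steady stream of "both Content-Length and Transfer-Encoding present" from one source is a useful detection signal on its own.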
Related CWEs
Recent CVEs classified under this CWE