Skip to content

Instantly share code, notes, and snippets.

@anas-cherni
Last active January 20, 2024 11:23
Show Gist options
  • Save anas-cherni/c95e2fc1fd84d93167eb60193318d0b8 to your computer and use it in GitHub Desktop.
Save anas-cherni/c95e2fc1fd84d93167eb60193318d0b8 to your computer and use it in GitHub Desktop.
CVE-2023-50694- http request smuggling in HTTPbeast v.0.4.1 and before
> [Suggested description]
> An issue in dom96 HTTPbeast v.0.4.1 and before allows a remote attacker
> to send a malicious crafted request due to insufficient parsing in the parser.nim
> component.
>
>
> [VulnerabilityType Other]
> HTTP Request Smuggling
>
> ------------------------------------------
>
> [Vendor of Product]
> dom96 (open source maintainer)
>
> ------------------------------------------
>
> [Affected Product Code Base]
> httpbeast - all versions <= 0.4.1 are affected
>
> ------------------------------------------
>
> [Affected Component]
> /src/httpbeast/parser.nim
>
> ------------------------------------------
>
> [Attack Type]
> Remote
>
> ------------------------------------------
>
> [Impact Denial of Service]
> true
>
> ------------------------------------------
>
> [Impact Escalation of Privileges]
> true
>
> ------------------------------------------
>
> [Impact Information Disclosure]
> true
>
> ------------------------------------------
>
> [CVE Impact Other]
> This vulnerability can be chained with XSS and cache poisoning
>
> ------------------------------------------
>
> [Attack Vectors]
> To exploit this vulnerability, and attacker could craft malicious requests to trick the system, posing security risks like unauthorized access, information disclosure, and bypassing security controls.
>
> ------------------------------------------
>
> [Reference]
> https://github.com/dom96/httpbeast/pull/96
> https://github.com/dom96/httpbeast/issues/95
>
> ------------------------------------------
>
> [Discoverer]
> Anas Cherni (n0s)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment