Twisted@16.3.0 vulnerabilities

An asynchronous networking framework written in Python

Direct Vulnerabilities

Known vulnerabilities in the Twisted package. This does not include vulnerabilities belonging to this package’s dependencies.

Severity: Medium
Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')

Twisted is an event-based network programming and multi-protocol integration framework.

Affected versions of this package are vulnerable to Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling'). When multiple HTTP requests are sent in one TCP packet, twisted.web processes them asynchronously without guaranteeing the response order. An attacker can manipulate the response to the second request by delaying the response to the first when a victim sends two requests over an HTTP pipeline.

How to fix Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')?

Upgrade Twisted to version 23.10.0rc1 or higher.

Vulnerable versions: [,23.10.0rc1)

Severity: Medium
HTTP Header Injection

Twisted is an event-based network programming and multi-protocol integration framework.

Affected versions of this package are vulnerable to HTTP Header Injection via the NameVirtualHost function. When the Host header does not match a configured host, twisted.web.vhost.NameVirtualHost returns a NoResource resource, which renders the Host header unescaped into the 404 response and so allows HTML and script injection.

How to fix HTTP Header Injection?

Upgrade Twisted to version 22.10.0rc1 or higher.

Vulnerable versions: [,22.10.0rc1)

Severity: Medium
HTTP Request Smuggling

Twisted is an event-based network programming and multi-protocol integration framework.

Affected versions of this package are vulnerable to HTTP Request Smuggling due to missing checks when requests with modified headers are sent. An attacker could exploit this vulnerability by using the following request smuggling techniques:

  1. Sending requests with multiple Content-Length headers
  2. Sending requests with both a Content-Length header and a Transfer-Encoding header
  3. Sending requests whose Transfer-Encoding header has a value other than chunked or identity

How to fix HTTP Request Smuggling?

Upgrade Twisted to version 20.3.0 or higher.

Vulnerable versions: [,20.3.0)

Severity: Medium
HTTP Request Smuggling

Twisted is an event-based network programming and multi-protocol integration framework.

Affected versions of this package are vulnerable to HTTP Request Smuggling in the twisted.web.http module, which performs non-conformant parsing and can lead to desynchronisation if requests pass through multiple HTTP parsers. Note: to be vulnerable, an application must use Twisted Web's HTTP server or proxy together with some other HTTP server or proxy.

How to fix HTTP Request Smuggling?

Upgrade Twisted to version 22.4.0rc1 or higher.

Vulnerable versions: [,22.4.0rc1)

Severity: Medium
Information Exposure

Twisted is an event-based network programming and multi-protocol integration framework.

Affected versions of this package are vulnerable to Information Exposure due to improper handling of sensitive data in twisted.web.client.RedirectAgent and twisted.web.client.BrowserLikeRedirectAgent, which can expose cookies and Authorization headers when following cross-origin redirects.

How to fix Information Exposure?

Upgrade Twisted to version 22.1.0 or higher.

Vulnerable versions: [11.1.0,22.1.0)

Severity: Medium
HTTP Header Injection

Twisted is an event-based network programming and multi-protocol integration framework.

Affected versions of this package are vulnerable to HTTP Header Injection. twisted.web.client.Request and twisted.web.client.HTTPClient are both vulnerable to header injection attacks because they do not properly sanitise linear whitespace ('\r', '\n', and '\r\n') in header values.

How to fix HTTP Header Injection?

Upgrade Twisted to version 19.2.0 or higher.

Vulnerable versions: [,19.2.0)

Severity: High
HTTP Request Smuggling

Twisted is an event-based network programming and multi-protocol integration framework.

Affected versions of this package are vulnerable to HTTP Request Smuggling. When presented with two Content-Length headers, the parser ignored the first header. When the second Content-Length value was set to zero, the request body was interpreted as a pipelined request.

How to fix HTTP Request Smuggling?

Upgrade Twisted to version 20.3.0 or higher.

Vulnerable versions: [,20.3.0)

Severity: High
HTTP Request Splitting

Twisted is an event-based network programming and multi-protocol integration framework.

Affected versions of this package are vulnerable to HTTP Request Splitting. When presented with both a Content-Length header and a chunked Transfer-Encoding header, the Content-Length took precedence and the remainder of the request body was interpreted as a pipelined request.
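Added here as an illustration, not Twisted's own code: a strict body-framing check that refuses the three ambiguous header combinations listed in the 20.3.0 smuggling entry above, the same combinations behind the two high-severity entries (two Content-Length headers; Content-Length alongside chunked Transfer-Encoding). The function and exception names are assumptions; the request bytes in the test are constructed.

```python
import re
from typing import List, Tuple

ALLOWED_CODINGS = {"chunked", "identity"}


class AmbiguousFraming(ValueError):
    """Raised when two HTTP parsers could frame the same request differently."""


def parse_headers(raw: bytes) -> List[Tuple[str, str]]:
    """Split a raw request head into (lowercased name, value) pairs."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    pairs = []
    for line in head.split(b"\r\n")[1:]:  # skip the request line
        name, sep, value = line.partition(b":")
        if not sep or not name.strip():
            raise AmbiguousFraming("malformed header line: %r" % line)
        pairs.append((name.strip().lower().decode("latin-1"),
                      value.strip().decode("latin-1")))
    return pairs


def body_framing(raw: bytes) -> str:
    """Return 'content-length', 'chunked' or 'none'; raise on ambiguity."""
    headers = parse_headers(raw)
    lengths = [v for n, v in headers if n == "content-length"]
    encodings = [v for n, v in headers if n == "transfer-encoding"]
    # 1. Several Content-Length headers: another parser may honour a different
    #    one (pre-fix Twisted ignored the first), so refuse the request.
    if len(lengths) > 1:
        raise AmbiguousFraming("multiple Content-Length headers")
    # 2. Content-Length together with Transfer-Encoding: whichever one wins
    #    here, the next hop may pick the other and treat the remainder of the
    #    body as a new request.
    if lengths and encodings:
        raise AmbiguousFraming("Content-Length with Transfer-Encoding")
    # 3. Only 'chunked' and 'identity' are understood; any other coding (or an
    #    empty value) is refused instead of being guessed at.
    codings = [c.strip().lower() for v in encodings for c in v.split(",")]
    if any(c not in ALLOWED_CODINGS for c in codings):
        raise AmbiguousFraming("unsupported Transfer-Encoding: %r" % codings)
    if lengths:
        if not re.fullmatch(r"[0-9]+", lengths[0]):
            raise AmbiguousFraming("non-numeric Content-Length: %r" % lengths[0])
        return "content-length"
    return "chunked" if "chunked" in codings else "none"
```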

How to fix HTTP Request Splitting?

Upgrade Twisted to version 20.3.0 or higher.

Vulnerable versions: [,20.3.0)

Severity: High
Man-in-the-Middle (MitM)

Twisted is an event-based network programming and multi-protocol integration framework.

Affected versions of this package are vulnerable to Man-in-the-Middle (MitM) via the words.protocols.jabber.xmlstream module. The XMPP support did not verify certificates when used with TLS, allowing an attacker to intercept connections.

How to fix Man-in-the-Middle (MitM)?

Upgrade Twisted to version 19.7.0 or higher.

Vulnerable versions: [,19.7.0)

Severity: High
Improper Input Validation

Twisted is an event-based network programming and multi-protocol integration framework.

Affected versions of this package are vulnerable to Improper Input Validation because the package does not validate or sanitize URIs or HTTP methods, allowing an attacker to inject invalid characters such as CRLF.

How to fix Improper Input Validation?

Upgrade Twisted to version 19.2.1 or higher.

Vulnerable versions: [,19.2.1)

Severity: Medium
Open Redirect

Twisted is an asynchronous networking framework written in Python.

Affected versions of this package are vulnerable to open HTTP redirects. It was discovered that python-twisted-web used the value of the Proxy header from HTTP requests to initialize the HTTP_PROXY environment variable for CGI scripts, which in turn was incorrectly used by certain HTTP client implementations to configure the proxy for outgoing HTTP requests. A remote attacker could possibly use this flaw to redirect HTTP requests performed by a CGI script to an attacker-controlled proxy via a malicious HTTP request.

Vulnerable versions: [2.1.0,16.3.2]