twisted 18.7.0 vulnerabilities

Direct Vulnerabilities

Known vulnerabilities in the twisted package. This does not include vulnerabilities belonging to this package’s dependencies.

Fix vulnerabilities automatically

Snyk's AI Trust Platform automatically finds the best upgrade path and integrates with your development workflows. Secure your code at zero cost.

Fix for free

Vulnerability	Vulnerable Version
M Arbitrary Command Injection Twisted is an event-based network programming and multi-protocol integration framework. Affected versions of this package are vulnerable to Arbitrary Command Injection via improper input sanitization in the file upload process. An attacker can execute arbitrary commands on the target system by sending a specially crafted HTTP PUT request to upload a malicious file and subsequently triggering its execution. This can result in remote code execution and potential privilege escalation depending on the web server's permissions. How to fix Arbitrary Command Injection? There is no fixed version for `Twisted`.	[0,)
M HTTP Response Smuggling Twisted is an event-based network programming and multi-protocol integration framework. Affected versions of this package are vulnerable to HTTP Response Smuggling. When sending multiple HTTP/1.1 requests in one TCP segment, twisted.web does not guarantee the response order. An attacker in control of an endpoint can manipulate a different user's second response to a pipelined chunked request by delaying the response to their own request. Information disclosure across sessions may also be possible for reverse proxy servers using pooled connections. How to fix HTTP Response Smuggling? Upgrade `Twisted` to version 24.7.0rc1 or higher.	[16.3.0,24.7.0rc1)
M Cross-site Scripting (XSS) Twisted is an event-based network programming and multi-protocol integration framework. Affected versions of this package are vulnerable to Cross-site Scripting (XSS) when the victim is using Firefox, due to an unescaped URL in the `redirectTo()` function. A site which is vulnerable to open redirects by other means can be can be made to execute scripts injected into a redirect URL. How to fix Cross-site Scripting (XSS)? Upgrade `Twisted` to version 24.7.0rc1 or higher.	[,24.7.0rc1)
M HTTP Response Smuggling Twisted is an event-based network programming and multi-protocol integration framework. Affected versions of this package are vulnerable to HTTP Response Smuggling. When sending multiple HTTP/1.1 requests in one TCP segment, twisted.web does not guarantee the response order. An attacker in control of an endpoint can manipulate a different user's second response to a pipelined chunked request by delaying the response to their own request. How to fix HTTP Response Smuggling? Upgrade `Twisted` to version 23.10.0rc1 or higher.	[16.3.0,23.10.0rc1)
M HTTP Header Injection Twisted is an event-based network programming and multi-protocol integration framework. Affected versions of this package are vulnerable to HTTP Header Injection via the `NameVirtualHost` function. When the host header does not match a configured host, `twisted.web.vhost.NameVirtualHost` will return a `NoResource` resource which renders the Host header unescaped into the 404 response allowing HTML and script injection. How to fix HTTP Header Injection? Upgrade `Twisted` to version 22.10.0rc1 or higher.	[,22.10.0rc1)
M HTTP Request Smuggling Twisted is an event-based network programming and multi-protocol integration framework. Affected versions of this package are vulnerable to HTTP Request Smuggling due to missing checks when requests with modified headers are sent. An attacker could exploit this vulnerability by using the following request smuggling techniques: Sending Requests with multiple `Content-Length` headers Sending Requests with a `Content-Length` header and a `Transfer-Encoding` header Sending Requests whose `Transfer-Encoding` header has a value other than `chunked` and `identity` How to fix HTTP Request Smuggling? Upgrade `Twisted` to version 20.3.0 or higher.	[,20.3.0)
M HTTP Request Smuggling Twisted is an event-based network programming and multi-protocol integration framework. Affected versions of this package are vulnerable to HTTP Request Smuggling in the `twisted.web.http` module which makes non-conformant parsing and can lead to desync if requests pass through multiple HTTP parsers. Note: To be vulnerable, applications need to both use Twisted Web's HTTP server/proxy, along with some other HTTP server/proxy. How to fix HTTP Request Smuggling? Upgrade `Twisted` to version 22.4.0rc1 or higher.	[,22.4.0rc1)
M Information Exposure Twisted is an event-based network programming and multi-protocol integration framework. Affected versions of this package are vulnerable to Information Exposure due to improper handling of sensitive data in `twisted.web.client.RedirectAgent` and `twisted.web.client.BrowserLikeRedirectAgent` which can cause cookies and authorization headers exposure when following cross-origin redirects. How to fix Information Exposure? Upgrade `Twisted` to version 22.1.0 or higher.	[11.1.0,22.1.0)
M HTTP Header Injection Twisted is an event-based network programming and multi-protocol integration framework. Affected versions of this package are vulnerable to HTTP Header Injection. `twisted.web.client.Request` and `twisted.web.client.HTTPClient` are both vulnerable to header injection attacks due to not properly sanitising linear whitespace ('\r', '\n', and '\r\n'). How to fix HTTP Header Injection? Upgrade `Twisted` to version 19.2.0 or higher.	[,19.2.0)
H HTTP Request Smuggling Twisted is an event-based network programming and multi-protocol integration framework. Affected versions of this package are vulnerable to HTTP Request Smuggling. When presented with two `content-length` headers, it ignored the first header. When the second content-length value was set to zero, the request body was interpreted as a pipelined request. How to fix HTTP Request Smuggling? Upgrade `Twisted` to version 20.3.0 or higher.	[,20.3.0)
H HTTP Request Splitting Twisted is an event-based network programming and multi-protocol integration framework. Affected versions of this package are vulnerable to HTTP Request Splitting. When presented with a `content-length` and a chunked encoding header, the `content-length` took precedence and the remainder of the request body was interpreted as a pipelined request. How to fix HTTP Request Splitting? Upgrade `Twisted` to version 20.3.0 or higher.	[,20.3.0)
H Man-in-the-Middle (MitM) Twisted is an event-based network programming and multi-protocol integration framework. Affected versions of this package are vulnerable to Man-in-the-Middle (MitM) via the `words.protocols.jabber.xmlstream`. The XMPP support did not verify certificates when used with TLS, allowing an attacker to MITM connections. How to fix Man-in-the-Middle (MitM)? Upgrade `Twisted` to version 19.7.0 or higher.	[,19.7.0)
H Improper Input Validation Twisted is an event-based network programming and multi-protocol integration framework. Affected versions of this package are vulnerable to Improper Input Validation due to the package not validating or sanitizing URIs or HTTP methods, this allows an attacker to inject invalid characters such as CRLF. How to fix Improper Input Validation? Upgrade `Twisted` to version 19.2.1 or higher.	[,19.2.1)

Vulnerability

Vulnerable Version

Arbitrary Command Injection

Twisted is an event-based network programming and multi-protocol integration framework.

Affected versions of this package are vulnerable to Arbitrary Command Injection via improper input sanitization in the file upload process. An attacker can execute arbitrary commands on the target system by sending a specially crafted HTTP PUT request to upload a malicious file and subsequently triggering its execution. This can result in remote code execution and potential privilege escalation depending on the web server's permissions.

How to fix Arbitrary Command Injection?

There is no fixed version for Twisted.

[0,)

HTTP Response Smuggling

Twisted is an event-based network programming and multi-protocol integration framework.

Affected versions of this package are vulnerable to HTTP Response Smuggling. When sending multiple HTTP/1.1 requests in one TCP segment, twisted.web does not guarantee the response order. An attacker in control of an endpoint can manipulate a different user's second response to a pipelined chunked request by delaying the response to their own request. Information disclosure across sessions may also be possible for reverse proxy servers using pooled connections.

How to fix HTTP Response Smuggling?

Upgrade Twisted to version 24.7.0rc1 or higher.

[16.3.0,24.7.0rc1)

Cross-site Scripting (XSS)

Twisted is an event-based network programming and multi-protocol integration framework.

Affected versions of this package are vulnerable to Cross-site Scripting (XSS) when the victim is using Firefox, due to an unescaped URL in the redirectTo() function. A site which is vulnerable to open redirects by other means can be can be made to execute scripts injected into a redirect URL.

How to fix Cross-site Scripting (XSS)?

Upgrade Twisted to version 24.7.0rc1 or higher.

[,24.7.0rc1)

HTTP Response Smuggling

Twisted is an event-based network programming and multi-protocol integration framework.

How to fix HTTP Response Smuggling?

Upgrade Twisted to version 23.10.0rc1 or higher.

[16.3.0,23.10.0rc1)

HTTP Header Injection

Twisted is an event-based network programming and multi-protocol integration framework.

Affected versions of this package are vulnerable to HTTP Header Injection via the NameVirtualHost function. When the host header does not match a configured host, twisted.web.vhost.NameVirtualHost will return a NoResource resource which renders the Host header unescaped into the 404 response allowing HTML and script injection.

How to fix HTTP Header Injection?

Upgrade Twisted to version 22.10.0rc1 or higher.

[,22.10.0rc1)

HTTP Request Smuggling

Twisted is an event-based network programming and multi-protocol integration framework.

Affected versions of this package are vulnerable to HTTP Request Smuggling due to missing checks when requests with modified headers are sent. An attacker could exploit this vulnerability by using the following request smuggling techniques:

Sending Requests with multiple Content-Length headers
Sending Requests with a Content-Length header and a Transfer-Encoding header
Sending Requests whose Transfer-Encoding header has a value other than chunked and identity

How to fix HTTP Request Smuggling?

Upgrade Twisted to version 20.3.0 or higher.

[,20.3.0)

HTTP Request Smuggling

Twisted is an event-based network programming and multi-protocol integration framework.

Affected versions of this package are vulnerable to HTTP Request Smuggling in the twisted.web.http module which makes non-conformant parsing and can lead to desync if requests pass through multiple HTTP parsers. Note: To be vulnerable, applications need to both use Twisted Web's HTTP server/proxy, along with some other HTTP server/proxy.

How to fix HTTP Request Smuggling?

Upgrade Twisted to version 22.4.0rc1 or higher.

[,22.4.0rc1)

Information Exposure

Twisted is an event-based network programming and multi-protocol integration framework.

Affected versions of this package are vulnerable to Information Exposure due to improper handling of sensitive data in twisted.web.client.RedirectAgent and twisted.web.client.BrowserLikeRedirectAgent which can cause cookies and authorization headers exposure when following cross-origin redirects.

How to fix Information Exposure?

Upgrade Twisted to version 22.1.0 or higher.

[11.1.0,22.1.0)

HTTP Header Injection

Twisted is an event-based network programming and multi-protocol integration framework.

Affected versions of this package are vulnerable to HTTP Header Injection. twisted.web.client.Request and twisted.web.client.HTTPClient are both vulnerable to header injection attacks due to not properly sanitising linear whitespace ('\r', '\n', and '\r\n').

How to fix HTTP Header Injection?

Upgrade Twisted to version 19.2.0 or higher.

[,19.2.0)

HTTP Request Smuggling

Twisted is an event-based network programming and multi-protocol integration framework.

Affected versions of this package are vulnerable to HTTP Request Smuggling. When presented with two content-length headers, it ignored the first header. When the second content-length value was set to zero, the request body was interpreted as a pipelined request.

How to fix HTTP Request Smuggling?

Upgrade Twisted to version 20.3.0 or higher.

[,20.3.0)

HTTP Request Splitting

Twisted is an event-based network programming and multi-protocol integration framework.

Affected versions of this package are vulnerable to HTTP Request Splitting. When presented with a content-length and a chunked encoding header, the content-length took precedence and the remainder of the request body was interpreted as a pipelined request.

How to fix HTTP Request Splitting?

Upgrade Twisted to version 20.3.0 or higher.

[,20.3.0)

Man-in-the-Middle (MitM)

Twisted is an event-based network programming and multi-protocol integration framework.

Affected versions of this package are vulnerable to Man-in-the-Middle (MitM) via the words.protocols.jabber.xmlstream. The XMPP support did not verify certificates when used with TLS, allowing an attacker to MITM connections.

How to fix Man-in-the-Middle (MitM)?

Upgrade Twisted to version 19.7.0 or higher.

[,19.7.0)

Improper Input Validation

Twisted is an event-based network programming and multi-protocol integration framework.

Affected versions of this package are vulnerable to Improper Input Validation due to the package not validating or sanitizing URIs or HTTP methods, this allows an attacker to inject invalid characters such as CRLF.

How to fix Improper Input Validation?

Upgrade Twisted to version 19.2.1 or higher.

[,19.2.1)

twisted@18.7.0 vulnerabilities

An asynchronous networking framework written in Python

latest version

first published

latest version published

licenses detected

Direct Vulnerabilities

Fix vulnerabilities automatically