CVE-2022-24801

Name: CVE-2022-24801
Creator: NVD / NIST
Published: 2022-04-04T18:15:07.933+00:00
License: https://creativecommons.org/publicdomain/zero/1.0/

HIGHCVSS 8.1/10EPSS 2.80%

Last modified Jun 17, 2026

CVE-2022-24801 is a high-severity vulnerability rated 8.1/10 on the CVSS scale. Twisted is an event-based framework for internet applications, supporting Python 3.6+. Prior to version 22.4.0rc1, the Twisted Web HTTP 1.1 server, located in the `twisted.web.http` module, parsed several HTTP request constructs more leniently than permitted by RFC 7230. EPSS estimates a 2.80% chance of exploitation in the next 30 days.

Description

Twisted is an event-based framework for internet applications, supporting Python 3.6+. Prior to version 22.4.0rc1, the Twisted Web HTTP 1.1 server, located in the `twisted.web.http` module, parsed several HTTP request constructs more leniently than permitted by RFC 7230. This non-conformant parsing can lead to desync if requests pass through multiple HTTP parsers, potentially resulting in HTTP request smuggling. Users who may be affected use Twisted Web's HTTP 1.1 server and/or proxy and also pass requests through a different HTTP server and/or proxy. The Twisted Web client is not affected. The HTTP 2.0 server uses a different parser, so it is not affected. The issue has been addressed in Twisted 22.4.0rc1. Two workarounds are available: Ensure any vulnerabilities in upstream proxies have been addressed, such as by upgrading them; or filter malformed requests by other means, such as configuration of an upstream proxy.

Metrics

CVSS 3.1

8.1/10

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Probability

2.80%

84.6th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

Affected Software

Vendor	Product	Versions
Twisted	Twisted	< 22.4.0
Debian	Debian Linux	9.0
Fedoraproject	Fedora	35
Fedoraproject	Fedora	36
Oracle	Zfs Storage Appliance Kit	8.8

References

https://github.com/twisted/twisted/commit/592217e951363d60e9cd99c5bbfd23d4615043acPatch, Third Party Advisory
https://github.com/twisted/twisted/releases/tag/twisted-22.4.0rc1Release Notes, Third Party Advisory
https://github.com/twisted/twisted/security/advisories/GHSA-c2jg-hw38-jrqqThird Party Advisory
https://lists.debian.org/debian-lts-announce/2022/05/msg00003.htmlMailing List, Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7U6KYDTOLPICAVSR34G2WRYLFBD2YW5K/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GLKHA6WREIVAMBQD7KKWYHPHGGNKMAG6/
https://www.oracle.com/security-alerts/cpujul2022.htmlPatch, Third Party Advisory
https://github.com/twisted/twisted/commit/592217e951363d60e9cd99c5bbfd23d4615043acPatch, Third Party Advisory
https://github.com/twisted/twisted/releases/tag/twisted-22.4.0rc1Release Notes, Third Party Advisory
https://github.com/twisted/twisted/security/advisories/GHSA-c2jg-hw38-jrqqThird Party Advisory
https://lists.debian.org/debian-lts-announce/2022/05/msg00003.htmlMailing List, Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7U6KYDTOLPICAVSR34G2WRYLFBD2YW5K/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GLKHA6WREIVAMBQD7KKWYHPHGGNKMAG6/
https://www.oracle.com/security-alerts/cpujul2022.htmlPatch, Third Party Advisory

Timeline

Published: Apr 4, 2022
Last Modified: Jun 17, 2026
Status: Modified

Frequently Asked Questions

What is CVE-2022-24801?

How severe is CVE-2022-24801?

CVE-2022-24801 has a CVSS score of 8.1/10 (HIGH severity). The EPSS model estimates a 2.80% probability of exploitation in the next 30 days.

How do I fix CVE-2022-24801?

Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2022-24801?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST