CVE-2022-29361 Overview
CVE-2022-29361 is an HTTP Request Smuggling vulnerability affecting Pallets Werkzeug v2.1.0 and below. The vulnerability stems from improper parsing of HTTP requests, which allows attackers to craft malicious HTTP requests containing multiple requests embedded within the body. This parsing inconsistency can enable attackers to bypass security controls, poison web caches, and hijack user sessions.
It's important to note that the vendor has stated this behavior can only occur in unsupported configurations involving development mode and an HTTP server external to the Werkzeug project. However, misconfigurations in production environments or use of Werkzeug's development server in inappropriate contexts could still expose applications to this attack.
Critical Impact
This HTTP Request Smuggling vulnerability could allow attackers to bypass security controls, perform cache poisoning attacks, hijack user sessions, or gain unauthorized access to sensitive resources through crafted HTTP requests.
Affected Products
- Pallets Werkzeug versions 2.1.0 and below
- Applications using Werkzeug's development server with external HTTP servers
- Flask applications running in development mode with proxy configurations
Discovery Timeline
- 2022-05-25 - CVE-2022-29361 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2022-29361
Vulnerability Analysis
HTTP Request Smuggling vulnerabilities arise when front-end and back-end servers interpret HTTP request boundaries differently. In the case of Werkzeug, improper parsing of HTTP requests allows attackers to embed secondary requests within the body of a primary request. When a front-end proxy forwards this malformed request to Werkzeug, the parsing discrepancy causes the embedded request to be processed as a separate, legitimate request.
This vulnerability is classified under CWE-444 (Inconsistent Interpretation of HTTP Requests), which describes scenarios where HTTP request handling varies between system components, creating security gaps that attackers can exploit.
Root Cause
The root cause lies in Werkzeug's HTTP request parsing logic, which did not properly validate and sanitize request boundaries. When processing HTTP requests, the parser failed to correctly handle edge cases where additional request data was included within the request body. This allowed attackers to craft requests that would be interpreted differently by upstream proxies versus the Werkzeug server itself.
The vulnerability specifically manifests in configurations where Werkzeug's development server is used behind a proxy or load balancer that uses different logic to determine where one request ends and another begins.
Attack Vector
The attack is network-based and can be executed remotely without authentication. An attacker crafts a specially formed HTTP request containing:
- A legitimate outer request with headers that manipulate Content-Length or Transfer-Encoding
- A smuggled inner request embedded within the body
- Carefully calculated lengths and delimiters to cause parsing confusion
When the front-end server forwards this to Werkzeug, the smuggled request gets processed independently, potentially with elevated privileges or different routing than intended.
The vulnerability is exploitable through network access with no special privileges or user interaction required. The exploitation technique involves crafting HTTP requests with conflicting Content-Length and Transfer-Encoding headers, or using other request smuggling variants like CL.CL or TE.TE desynchronization. For detailed technical analysis, refer to the GitHub Issue Discussion where the vulnerability mechanics are documented.
Detection Methods for CVE-2022-29361
Indicators of Compromise
- Unusual HTTP requests with mismatched Content-Length and Transfer-Encoding headers in web server logs
- Requests containing multiple HTTP method keywords within a single request body
- Cache entries with unexpected or unauthorized content
- Session anomalies where users experience unexplained authentication states
Detection Strategies
- Implement deep packet inspection for HTTP traffic to identify requests with smuggling characteristics
- Configure WAF rules to detect and block requests with ambiguous length specifiers
- Monitor for requests containing embedded HTTP method keywords (GET, POST, PUT, DELETE) within request bodies
- Enable verbose logging on proxy servers to capture full request/response pairs for forensic analysis
Monitoring Recommendations
- Deploy network monitoring to detect anomalous HTTP request patterns indicative of smuggling attempts
- Review web server logs for requests with unusually large bodies or malformed headers
- Set up alerts for cache poisoning indicators such as unexpected cache hit ratios or content mismatches
- Monitor application behavior for unauthorized access patterns that could indicate successful request smuggling
How to Mitigate CVE-2022-29361
Immediate Actions Required
- Upgrade Werkzeug to a version newer than 2.1.0 where the parsing behavior has been addressed
- Avoid using Werkzeug's development server in production environments or behind reverse proxies
- Configure front-end proxies to normalize HTTP requests before forwarding to backend servers
- Implement strict HTTP parsing rules on all edge devices and load balancers
Patch Information
The Pallets project has addressed this issue in a security commit. Organizations should update to the latest Werkzeug version that includes this fix. Review your Python dependencies and update via pip:
pip install --upgrade werkzeug
Verify your installed version is newer than 2.1.0 by checking:
pip show werkzeug
Workarounds
- Do not use Werkzeug's development server (werkzeug.serving) in production; use production-grade WSGI servers like Gunicorn or uWSGI instead
- Configure reverse proxies and load balancers to reject requests with ambiguous Content-Length or Transfer-Encoding headers
- Enable HTTP/2 where possible, as the framing mechanism prevents traditional request smuggling attacks
- Implement WAF rules to detect and block requests exhibiting smuggling patterns
# Example Nginx configuration to normalize requests and reject ambiguous headers
# Add to your server block configuration
# Reject requests with duplicate Content-Length headers
if ($http_content_length ~ ",") {
return 400;
}
# Use HTTP/1.1 for upstream connections with explicit settings
proxy_http_version 1.1;
proxy_set_header Connection "";
# Normalize transfer encoding
proxy_request_buffering on;
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
