CVE-2022-42252 Overview
CVE-2022-42252 is an HTTP Request Smuggling vulnerability affecting Apache Tomcat, a widely used open-source Java servlet container. The vulnerability exists when Tomcat is configured to ignore invalid HTTP headers by setting rejectIllegalHeader to false (which is the default configuration for Tomcat 8.5.x). Under these conditions, Tomcat fails to properly reject requests containing invalid Content-Length headers, potentially enabling request smuggling attacks when Tomcat is deployed behind a reverse proxy that also fails to reject such malformed requests.
Critical Impact
Successful exploitation allows attackers to bypass security controls, poison web caches, or hijack other users' requests by smuggling malicious HTTP requests through reverse proxies to Apache Tomcat backends.
Affected Products
- Apache Tomcat 8.5.0 to 8.5.82
- Apache Tomcat 9.0.0-M1 to 9.0.67
- Apache Tomcat 10.0.0-M1 to 10.0.26
- Apache Tomcat 10.1.0-M1 to 10.1.0
Discovery Timeline
- 2022-11-01 - CVE-2022-42252 published to NVD
- 2025-05-06 - Last updated in NVD database
Technical Details for CVE-2022-42252
Vulnerability Analysis
This vulnerability falls under CWE-444 (Inconsistent Interpretation of HTTP Requests), commonly known as HTTP Request Smuggling. The flaw exists in Apache Tomcat's HTTP header parsing logic when configured with rejectIllegalHeader set to false.
When Tomcat receives an HTTP request with an invalid Content-Length header, it should reject the request outright. However, with the vulnerable configuration, Tomcat processes the request despite the malformed header. This becomes particularly dangerous in architectures where Tomcat sits behind a reverse proxy (such as Apache HTTP Server, nginx, or a load balancer).
The attack scenario requires both the reverse proxy and Tomcat to handle the invalid header inconsistently. If the reverse proxy forwards the request without proper validation, and Tomcat interprets the Content-Length differently, an attacker can craft requests that are interpreted as multiple separate requests—one by the proxy and another by Tomcat—enabling request smuggling.
Root Cause
The root cause is insufficient validation of HTTP headers when the rejectIllegalHeader configuration option is set to false. In Apache Tomcat 8.5.x, this permissive setting is the default, making these installations particularly vulnerable out-of-the-box. The header parsing code fails to properly sanitize and validate Content-Length values when this option is disabled, allowing malformed values to pass through the HTTP parsing layer.
Attack Vector
The attack is network-based and requires no authentication or user interaction. An attacker can exploit this vulnerability remotely by sending specially crafted HTTP requests with malformed Content-Length headers to a target application fronted by a reverse proxy. The attack chain works as follows:
- Attacker sends a malformed HTTP request with an invalid Content-Length header
- The reverse proxy forwards the request without proper validation
- Tomcat and the proxy interpret the request boundaries differently
- The attacker's "smuggled" request is processed as a legitimate request from another user or session
- This can lead to cache poisoning, session hijacking, or security control bypass
The vulnerability does not require special privileges and can be exploited over the network, making it a significant concern for internet-facing Tomcat deployments. For detailed technical information, refer to the Apache Security Advisory.
Detection Methods for CVE-2022-42252
Indicators of Compromise
- HTTP requests with malformed or unusual Content-Length headers in access logs
- Multiple requests appearing to originate from the same connection with inconsistent session data
- Unusual cache behavior or cache poisoning indicators in reverse proxy logs
- Requests with duplicate or conflicting Content-Length and Transfer-Encoding headers
Detection Strategies
- Monitor HTTP access logs for requests containing invalid Content-Length header values or unusual character patterns
- Implement deep packet inspection at the network level to detect HTTP request smuggling attempts
- Configure reverse proxies to log and alert on rejected or suspicious HTTP requests
- Deploy web application firewalls (WAFs) with HTTP request smuggling detection signatures
- Audit Tomcat configurations to identify instances where rejectIllegalHeader is set to false
Monitoring Recommendations
- Enable verbose logging on both reverse proxy and Tomcat to capture complete request headers
- Implement correlation analysis between proxy and backend logs to detect request boundary discrepancies
- Set up alerts for anomalous patterns in HTTP request/response timing that may indicate smuggling attempts
- Regularly review and baseline normal traffic patterns to identify deviations
How to Mitigate CVE-2022-42252
Immediate Actions Required
- Upgrade Apache Tomcat to a patched version: 8.5.83+, 9.0.68+, 10.0.27+, or 10.1.1+
- Set rejectIllegalHeader to true in Tomcat's server.xml Connector configuration
- Ensure reverse proxies are configured to reject requests with invalid HTTP headers
- Audit current deployments to identify affected Tomcat versions and configurations
Patch Information
Apache has released security patches addressing this vulnerability in the following versions:
- Apache Tomcat 8.5.83 and later
- Apache Tomcat 9.0.68 and later
- Apache Tomcat 10.0.27 and later
- Apache Tomcat 10.1.1 and later
Administrators should upgrade to the latest available version in their respective branch. For additional details, see the Apache Mailing List Thread and Gentoo GLSA 202305-37.
Workarounds
- Set rejectIllegalHeader="true" in the Connector configuration within server.xml as a temporary mitigation
- Configure reverse proxies (nginx, Apache HTTP Server, HAProxy) to strictly validate and reject malformed HTTP headers
- Implement a WAF rule to block requests with invalid Content-Length header formats
- Consider network segmentation to limit exposure of vulnerable Tomcat instances
# Configuration example - Add rejectIllegalHeader to Tomcat Connector in server.xml
# Navigate to $CATALINA_HOME/conf/server.xml and modify the Connector element:
# For HTTP Connector:
# <Connector port="8080" protocol="HTTP/1.1"
# connectionTimeout="20000"
# redirectPort="8443"
# rejectIllegalHeader="true" />
# For AJP Connector:
# <Connector port="8009" protocol="AJP/1.3"
# redirectPort="8443"
# rejectIllegalHeader="true" />
# After modification, restart Tomcat:
sudo systemctl restart tomcat
# Or manually:
$CATALINA_HOME/bin/shutdown.sh && $CATALINA_HOME/bin/startup.sh
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
