What is CVE-2023-46137?

CVE-2023-46137 is a medium-severity vulnerability in Twisted, classified under Inconsistent Interpretation of HTTP Requests (HTTP Request/Response Smuggling). CVSS score: 5.3/10. Published 2023-10-25.

How severe is CVE-2023-46137?

Medium severity. CVSS v3 base score is 5.3 out of 10.

Is CVE-2023-46137 known to be exploited?

3 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.

Vulnerability in Twisted

CVE-2023-46137

Twisted is an event-based framework for internet applications. Prior to version 23.10.0rc1, when sending multiple HTTP requests in one TCP packet, twisted.web will process the requests asynchronously without guaranteeing the response order…

Vulnerability class: HTTP Request Smuggling

EPSS: 0.007 (73.3th percentile) — read the EPSS interpretation.

CVSS v3 metric

CVSS v3 base score 5.3 (Medium). Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N.

Affected products

Twisted — versions 23.10.0rc1

Weakness classification (CWE)

CWE-444 — Inconsistent Interpretation of HTTP Requests (HTTP Request/Response Smuggling)

Public proof-of-concept exploits

References

https://github.com/twisted/twisted/security/advisories/GHSA-xc8x-vp79-p3wm (x_refsource_CONFIRM)

Frequently asked questions

What is CVE-2023-46137?: CVE-2023-46137 is a medium-severity vulnerability in Twisted, classified under Inconsistent Interpretation of HTTP Requests (HTTP Request/Response Smuggling). CVSS score: 5.3/10. Published 2023-10-25.
How severe is CVE-2023-46137?: Medium severity. CVSS v3 base score is 5.3 out of 10.
Is CVE-2023-46137 known to be exploited?: 3 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.