Http

CVE-2025-23167 describes a request smuggling vulnerability in Node.js 20's HTTP parser due to improper header termination, allowing attackers to bypass proxy access controls.

Netty's HttpContentDecompressor and DelegatingDecompressorFrameListener are vulnerable to a decompression bomb denial-of-service attack because the maxAllocation parameter is not enforced when Content-Encoding is set to br (Brotli), zstd, or snappy, allowing attackers to bypass decompression limits and cause unbounded memory allocation.

The `rmcp` crate before v1.4.0 is vulnerable to DNS rebinding attacks via the Streamable HTTP server transport due to missing Host header validation, potentially allowing arbitrary code execution on a victim's machine if they visit a malicious website.

Multiple vulnerabilities in Apache HTTP Server versions prior to 2.4.67 can allow remote attackers to execute arbitrary code, escalate privileges, or cause a denial of service.

A remote, anonymous attacker can exploit a vulnerability in various HTTP/2 implementations to perform a denial-of-service attack.

Netty incorrectly parses quoted strings in HTTP/1.1 chunked transfer encoding extension values, enabling request smuggling attacks by terminating chunk header parsing at \r\n inside quoted strings instead of rejecting the malformed request.

The Netty HttpClientCodec is vulnerable to response desynchronization when configured with HTTP/1.1 pipelining, HEAD requests, and the server sends 1xx responses, leading to a response body from one request being parsed as another and potentially unsafe socket reuse.