Affected versions of Twisted are vulnerable to HTTP Request Smuggling. The HTTP 1.0 and 1.1 server provided by twisted.web could process pipelined HTTP requests out-of-order, possibly resulting in information disclosure.

Affected versions of Twisted, an event-driven network framework, are susceptible to HTTP Request Smuggling. This vulnerability arises from inadequate validation of modified request headers, enabling an attacker to smuggle requests through several techniques: employing multiple Content-Length headers, combining a Content-Length header with a Transfer-Encoding header, or utilizing a Transfer-Encoding header with values other than 'chunked' or 'identity'. This flaw compromises the framework's ability to securely process HTTP requests.

Twisted 20.3.0 includes a fix for CVE-2020-10109: In Twisted Web through 19.10.0, there was an HTTP request splitting vulnerability. When presented with a content-length and a chunked encoding header, the content-length took precedence and the remainder of the request body was interpreted as a pipelined request.

Twisted 22.10.0rc1 includes a fix for CVE-2022-39348: NameVirtualHost Host header injection.
https://github.com/twisted/twisted/security/advisories/GHSA-vg46-2rrj-3647

Twisted 22.1 includes a fix for CVE-2022-21712: In affected versions, twisted exposes cookies and authorization headers when following cross-origin redirects. This issue is present in the 'twisted.web.RedirectAgent' and 'twisted.web.BrowserLikeRedirectAgent' functions. There are no known workarounds.

Twisted 20.3.0 includes a fix for CVE-2020-10108: In Twisted Web through 19.10.0, there was an HTTP request splitting vulnerability. When presented with two content-length headers, it ignored the first header. When the second content-length value was set to zero, the request body was interpreted as a pipelined request.

Affected versions of Twisted are vulnerable to XSS. The `twisted.web.util.redirectTo` function contains an HTML injection vulnerability. If application code allows an attacker to control the redirect URL this vulnerability may result in Reflected Cross-Site Scripting (XSS) in the redirect response HTML body.

Twisted 23.10.0rc1 includes a fix for CVE-2023-46137: Disordered HTTP pipeline response in twisted.web. 
#NOTE: The data we include in this advisory differs from the publicly available on nist.nvd.gov. As indicated in the project's changelog, the vulnerability was introduced in Twisted 16.3.0.
https://github.com/twisted/twisted/security/advisories/GHSA-xc8x-vp79-p3wm

Twisted 22.4.0rc1 includes a fix for CVE-2022-24801: Prior to version 22.4.0rc1, the Twisted Web HTTP 1.1 server, located in the 'twisted.web.http' module, parsed several HTTP request constructs more leniently than permitted by RFC 7230. This non-conformant parsing can lead to desync if requests pass through multiple HTTP parsers, potentially resulting in HTTP request smuggling. Users who may be affected use Twisted Web's HTTP 1.1 server and/or proxy and also pass requests through a different HTTP server and/or proxy. The Twisted Web client is not affected. The HTTP 2.0 server uses a different parser, so it is not affected. Two workarounds are available: Ensure any vulnerabilities in upstream proxies have been addressed, such as by upgrading them; or filtering malformed requests by other means, such as configurating an upstream proxy.
https://github.com/twisted/twisted/security/advisories/GHSA-c2jg-hw38-jrqq

Affected versions of Twisted are vulnerable to HTTP Request Smuggling. The HTTP 1.0 and 1.1 server provided by twisted.web could process pipelined HTTP requests out-of-order, possibly resulting in information disclosure.

Affected versions of Twisted, an event-driven network framework, are susceptible to HTTP Request Smuggling. This vulnerability arises from inadequate validation of modified request headers, enabling an attacker to smuggle requests through several techniques: employing multiple Content-Length headers, combining a Content-Length header with a Transfer-Encoding header, or utilizing a Transfer-Encoding header with values other than 'chunked' or 'identity'. This flaw compromises the framework's ability to securely process HTTP requests.

Twisted 20.3.0 includes a fix for CVE-2020-10109: In Twisted Web through 19.10.0, there was an HTTP request splitting vulnerability. When presented with a content-length and a chunked encoding header, the content-length took precedence and the remainder of the request body was interpreted as a pipelined request.

Twisted 22.10.0rc1 includes a fix for CVE-2022-39348: NameVirtualHost Host header injection.
https://github.com/twisted/twisted/security/advisories/GHSA-vg46-2rrj-3647

Twisted 22.1 includes a fix for CVE-2022-21712: In affected versions, twisted exposes cookies and authorization headers when following cross-origin redirects. This issue is present in the 'twisted.web.RedirectAgent' and 'twisted.web.BrowserLikeRedirectAgent' functions. There are no known workarounds.

Twisted 20.3.0 includes a fix for CVE-2020-10108: In Twisted Web through 19.10.0, there was an HTTP request splitting vulnerability. When presented with two content-length headers, it ignored the first header. When the second content-length value was set to zero, the request body was interpreted as a pipelined request.

Affected versions of Twisted are vulnerable to XSS. The `twisted.web.util.redirectTo` function contains an HTML injection vulnerability. If application code allows an attacker to control the redirect URL this vulnerability may result in Reflected Cross-Site Scripting (XSS) in the redirect response HTML body.

Twisted 23.10.0rc1 includes a fix for CVE-2023-46137: Disordered HTTP pipeline response in twisted.web. 
#NOTE: The data we include in this advisory differs from the publicly available on nist.nvd.gov. As indicated in the project's changelog, the vulnerability was introduced in Twisted 16.3.0.
https://github.com/twisted/twisted/security/advisories/GHSA-xc8x-vp79-p3wm

Twisted 22.4.0rc1 includes a fix for CVE-2022-24801: Prior to version 22.4.0rc1, the Twisted Web HTTP 1.1 server, located in the 'twisted.web.http' module, parsed several HTTP request constructs more leniently than permitted by RFC 7230. This non-conformant parsing can lead to desync if requests pass through multiple HTTP parsers, potentially resulting in HTTP request smuggling. Users who may be affected use Twisted Web's HTTP 1.1 server and/or proxy and also pass requests through a different HTTP server and/or proxy. The Twisted Web client is not affected. The HTTP 2.0 server uses a different parser, so it is not affected. Two workarounds are available: Ensure any vulnerabilities in upstream proxies have been addressed, such as by upgrading them; or filtering malformed requests by other means, such as configurating an upstream proxy.
https://github.com/twisted/twisted/security/advisories/GHSA-c2jg-hw38-jrqq

Affected versions of Twisted are vulnerable to HTTP Request Smuggling. The HTTP 1.0 and 1.1 server provided by twisted.web could process pipelined HTTP requests out-of-order, possibly resulting in information disclosure.

Affected versions of Twisted, an event-driven network framework, are susceptible to HTTP Request Smuggling. This vulnerability arises from inadequate validation of modified request headers, enabling an attacker to smuggle requests through several techniques: employing multiple Content-Length headers, combining a Content-Length header with a Transfer-Encoding header, or utilizing a Transfer-Encoding header with values other than 'chunked' or 'identity'. This flaw compromises the framework's ability to securely process HTTP requests.

Twisted 20.3.0 includes a fix for CVE-2020-10109: In Twisted Web through 19.10.0, there was an HTTP request splitting vulnerability. When presented with a content-length and a chunked encoding header, the content-length took precedence and the remainder of the request body was interpreted as a pipelined request.

Twisted 22.10.0rc1 includes a fix for CVE-2022-39348: NameVirtualHost Host header injection.
https://github.com/twisted/twisted/security/advisories/GHSA-vg46-2rrj-3647

Twisted 22.1 includes a fix for CVE-2022-21712: In affected versions, twisted exposes cookies and authorization headers when following cross-origin redirects. This issue is present in the 'twisted.web.RedirectAgent' and 'twisted.web.BrowserLikeRedirectAgent' functions. There are no known workarounds.

Twisted 20.3.0 includes a fix for CVE-2020-10108: In Twisted Web through 19.10.0, there was an HTTP request splitting vulnerability. When presented with two content-length headers, it ignored the first header. When the second content-length value was set to zero, the request body was interpreted as a pipelined request.

Affected versions of Twisted are vulnerable to XSS. The `twisted.web.util.redirectTo` function contains an HTML injection vulnerability. If application code allows an attacker to control the redirect URL this vulnerability may result in Reflected Cross-Site Scripting (XSS) in the redirect response HTML body.

Twisted 23.10.0rc1 includes a fix for CVE-2023-46137: Disordered HTTP pipeline response in twisted.web. 
#NOTE: The data we include in this advisory differs from the publicly available on nist.nvd.gov. As indicated in the project's changelog, the vulnerability was introduced in Twisted 16.3.0.
https://github.com/twisted/twisted/security/advisories/GHSA-xc8x-vp79-p3wm

Twisted 22.4.0rc1 includes a fix for CVE-2022-24801: Prior to version 22.4.0rc1, the Twisted Web HTTP 1.1 server, located in the 'twisted.web.http' module, parsed several HTTP request constructs more leniently than permitted by RFC 7230. This non-conformant parsing can lead to desync if requests pass through multiple HTTP parsers, potentially resulting in HTTP request smuggling. Users who may be affected use Twisted Web's HTTP 1.1 server and/or proxy and also pass requests through a different HTTP server and/or proxy. The Twisted Web client is not affected. The HTTP 2.0 server uses a different parser, so it is not affected. Two workarounds are available: Ensure any vulnerabilities in upstream proxies have been addressed, such as by upgrading them; or filtering malformed requests by other means, such as configurating an upstream proxy.
https://github.com/twisted/twisted/security/advisories/GHSA-c2jg-hw38-jrqq

Affected versions of Twisted are vulnerable to HTTP Request Smuggling. The HTTP 1.0 and 1.1 server provided by twisted.web could process pipelined HTTP requests out-of-order, possibly resulting in information disclosure.

Affected versions of Twisted, an event-driven network framework, are susceptible to HTTP Request Smuggling. This vulnerability arises from inadequate validation of modified request headers, enabling an attacker to smuggle requests through several techniques: employing multiple Content-Length headers, combining a Content-Length header with a Transfer-Encoding header, or utilizing a Transfer-Encoding header with values other than 'chunked' or 'identity'. This flaw compromises the framework's ability to securely process HTTP requests.

Twisted 20.3.0 includes a fix for CVE-2020-10109: In Twisted Web through 19.10.0, there was an HTTP request splitting vulnerability. When presented with a content-length and a chunked encoding header, the content-length took precedence and the remainder of the request body was interpreted as a pipelined request.

Twisted 22.10.0rc1 includes a fix for CVE-2022-39348: NameVirtualHost Host header injection.
https://github.com/twisted/twisted/security/advisories/GHSA-vg46-2rrj-3647

Twisted 22.1 includes a fix for CVE-2022-21712: In affected versions, twisted exposes cookies and authorization headers when following cross-origin redirects. This issue is present in the 'twisted.web.RedirectAgent' and 'twisted.web.BrowserLikeRedirectAgent' functions. There are no known workarounds.

Twisted 20.3.0 includes a fix for CVE-2020-10108: In Twisted Web through 19.10.0, there was an HTTP request splitting vulnerability. When presented with two content-length headers, it ignored the first header. When the second content-length value was set to zero, the request body was interpreted as a pipelined request.

Affected versions of Twisted are vulnerable to XSS. The `twisted.web.util.redirectTo` function contains an HTML injection vulnerability. If application code allows an attacker to control the redirect URL this vulnerability may result in Reflected Cross-Site Scripting (XSS) in the redirect response HTML body.

Twisted 23.10.0rc1 includes a fix for CVE-2023-46137: Disordered HTTP pipeline response in twisted.web. 
#NOTE: The data we include in this advisory differs from the publicly available on nist.nvd.gov. As indicated in the project's changelog, the vulnerability was introduced in Twisted 16.3.0.
https://github.com/twisted/twisted/security/advisories/GHSA-xc8x-vp79-p3wm

Twisted 22.4.0rc1 includes a fix for CVE-2022-24801: Prior to version 22.4.0rc1, the Twisted Web HTTP 1.1 server, located in the 'twisted.web.http' module, parsed several HTTP request constructs more leniently than permitted by RFC 7230. This non-conformant parsing can lead to desync if requests pass through multiple HTTP parsers, potentially resulting in HTTP request smuggling. Users who may be affected use Twisted Web's HTTP 1.1 server and/or proxy and also pass requests through a different HTTP server and/or proxy. The Twisted Web client is not affected. The HTTP 2.0 server uses a different parser, so it is not affected. Two workarounds are available: Ensure any vulnerabilities in upstream proxies have been addressed, such as by upgrading them; or filtering malformed requests by other means, such as configurating an upstream proxy.
https://github.com/twisted/twisted/security/advisories/GHSA-c2jg-hw38-jrqq

Affected versions of Twisted are vulnerable to HTTP Request Smuggling. The HTTP 1.0 and 1.1 server provided by twisted.web could process pipelined HTTP requests out-of-order, possibly resulting in information disclosure.

Affected versions of Twisted, an event-driven network framework, are susceptible to HTTP Request Smuggling. This vulnerability arises from inadequate validation of modified request headers, enabling an attacker to smuggle requests through several techniques: employing multiple Content-Length headers, combining a Content-Length header with a Transfer-Encoding header, or utilizing a Transfer-Encoding header with values other than 'chunked' or 'identity'. This flaw compromises the framework's ability to securely process HTTP requests.

Twisted 20.3.0 includes a fix for CVE-2020-10109: In Twisted Web through 19.10.0, there was an HTTP request splitting vulnerability. When presented with a content-length and a chunked encoding header, the content-length took precedence and the remainder of the request body was interpreted as a pipelined request.

Twisted 22.10.0rc1 includes a fix for CVE-2022-39348: NameVirtualHost Host header injection.
https://github.com/twisted/twisted/security/advisories/GHSA-vg46-2rrj-3647

Twisted 22.1 includes a fix for CVE-2022-21712: In affected versions, twisted exposes cookies and authorization headers when following cross-origin redirects. This issue is present in the 'twisted.web.RedirectAgent' and 'twisted.web.BrowserLikeRedirectAgent' functions. There are no known workarounds.

Twisted 20.3.0 includes a fix for CVE-2020-10108: In Twisted Web through 19.10.0, there was an HTTP request splitting vulnerability. When presented with two content-length headers, it ignored the first header. When the second content-length value was set to zero, the request body was interpreted as a pipelined request.

Affected versions of Twisted are vulnerable to XSS. The `twisted.web.util.redirectTo` function contains an HTML injection vulnerability. If application code allows an attacker to control the redirect URL this vulnerability may result in Reflected Cross-Site Scripting (XSS) in the redirect response HTML body.

Twisted 23.10.0rc1 includes a fix for CVE-2023-46137: Disordered HTTP pipeline response in twisted.web. 
#NOTE: The data we include in this advisory differs from the publicly available on nist.nvd.gov. As indicated in the project's changelog, the vulnerability was introduced in Twisted 16.3.0.
https://github.com/twisted/twisted/security/advisories/GHSA-xc8x-vp79-p3wm

Twisted 22.4.0rc1 includes a fix for CVE-2022-24801: Prior to version 22.4.0rc1, the Twisted Web HTTP 1.1 server, located in the 'twisted.web.http' module, parsed several HTTP request constructs more leniently than permitted by RFC 7230. This non-conformant parsing can lead to desync if requests pass through multiple HTTP parsers, potentially resulting in HTTP request smuggling. Users who may be affected use Twisted Web's HTTP 1.1 server and/or proxy and also pass requests through a different HTTP server and/or proxy. The Twisted Web client is not affected. The HTTP 2.0 server uses a different parser, so it is not affected. Two workarounds are available: Ensure any vulnerabilities in upstream proxies have been addressed, such as by upgrading them; or filtering malformed requests by other means, such as configurating an upstream proxy.
https://github.com/twisted/twisted/security/advisories/GHSA-c2jg-hw38-jrqq

Affected versions of Twisted are vulnerable to HTTP Request Smuggling. The HTTP 1.0 and 1.1 server provided by twisted.web could process pipelined HTTP requests out-of-order, possibly resulting in information disclosure.

Affected versions of Twisted, an event-driven network framework, are susceptible to HTTP Request Smuggling. This vulnerability arises from inadequate validation of modified request headers, enabling an attacker to smuggle requests through several techniques: employing multiple Content-Length headers, combining a Content-Length header with a Transfer-Encoding header, or utilizing a Transfer-Encoding header with values other than 'chunked' or 'identity'. This flaw compromises the framework's ability to securely process HTTP requests.

Twisted 20.3.0 includes a fix for CVE-2020-10109: In Twisted Web through 19.10.0, there was an HTTP request splitting vulnerability. When presented with a content-length and a chunked encoding header, the content-length took precedence and the remainder of the request body was interpreted as a pipelined request.

Twisted 22.10.0rc1 includes a fix for CVE-2022-39348: NameVirtualHost Host header injection.
https://github.com/twisted/twisted/security/advisories/GHSA-vg46-2rrj-3647

Twisted 22.1 includes a fix for CVE-2022-21712: In affected versions, twisted exposes cookies and authorization headers when following cross-origin redirects. This issue is present in the 'twisted.web.RedirectAgent' and 'twisted.web.BrowserLikeRedirectAgent' functions. There are no known workarounds.

Twisted 20.3.0 includes a fix for CVE-2020-10108: In Twisted Web through 19.10.0, there was an HTTP request splitting vulnerability. When presented with two content-length headers, it ignored the first header. When the second content-length value was set to zero, the request body was interpreted as a pipelined request.

Affected versions of Twisted are vulnerable to XSS. The `twisted.web.util.redirectTo` function contains an HTML injection vulnerability. If application code allows an attacker to control the redirect URL this vulnerability may result in Reflected Cross-Site Scripting (XSS) in the redirect response HTML body.

Twisted 23.10.0rc1 includes a fix for CVE-2023-46137: Disordered HTTP pipeline response in twisted.web. 
#NOTE: The data we include in this advisory differs from the publicly available on nist.nvd.gov. As indicated in the project's changelog, the vulnerability was introduced in Twisted 16.3.0.
https://github.com/twisted/twisted/security/advisories/GHSA-xc8x-vp79-p3wm

Twisted 22.4.0rc1 includes a fix for CVE-2022-24801: Prior to version 22.4.0rc1, the Twisted Web HTTP 1.1 server, located in the 'twisted.web.http' module, parsed several HTTP request constructs more leniently than permitted by RFC 7230. This non-conformant parsing can lead to desync if requests pass through multiple HTTP parsers, potentially resulting in HTTP request smuggling. Users who may be affected use Twisted Web's HTTP 1.1 server and/or proxy and also pass requests through a different HTTP server and/or proxy. The Twisted Web client is not affected. The HTTP 2.0 server uses a different parser, so it is not affected. Two workarounds are available: Ensure any vulnerabilities in upstream proxies have been addressed, such as by upgrading them; or filtering malformed requests by other means, such as configurating an upstream proxy.
https://github.com/twisted/twisted/security/advisories/GHSA-c2jg-hw38-jrqq

Affected versions of Twisted are vulnerable to HTTP Request Smuggling. The HTTP 1.0 and 1.1 server provided by twisted.web could process pipelined HTTP requests out-of-order, possibly resulting in information disclosure.

Affected versions of Twisted, an event-driven network framework, are susceptible to HTTP Request Smuggling. This vulnerability arises from inadequate validation of modified request headers, enabling an attacker to smuggle requests through several techniques: employing multiple Content-Length headers, combining a Content-Length header with a Transfer-Encoding header, or utilizing a Transfer-Encoding header with values other than 'chunked' or 'identity'. This flaw compromises the framework's ability to securely process HTTP requests.

Twisted 20.3.0 includes a fix for CVE-2020-10109: In Twisted Web through 19.10.0, there was an HTTP request splitting vulnerability. When presented with a content-length and a chunked encoding header, the content-length took precedence and the remainder of the request body was interpreted as a pipelined request.

Twisted 22.10.0rc1 includes a fix for CVE-2022-39348: NameVirtualHost Host header injection.
https://github.com/twisted/twisted/security/advisories/GHSA-vg46-2rrj-3647

Twisted 22.1 includes a fix for CVE-2022-21712: In affected versions, twisted exposes cookies and authorization headers when following cross-origin redirects. This issue is present in the 'twisted.web.RedirectAgent' and 'twisted.web.BrowserLikeRedirectAgent' functions. There are no known workarounds.

Twisted 20.3.0 includes a fix for CVE-2020-10108: In Twisted Web through 19.10.0, there was an HTTP request splitting vulnerability. When presented with two content-length headers, it ignored the first header. When the second content-length value was set to zero, the request body was interpreted as a pipelined request.

Affected versions of Twisted are vulnerable to XSS. The `twisted.web.util.redirectTo` function contains an HTML injection vulnerability. If application code allows an attacker to control the redirect URL this vulnerability may result in Reflected Cross-Site Scripting (XSS) in the redirect response HTML body.

Twisted 23.10.0rc1 includes a fix for CVE-2023-46137: Disordered HTTP pipeline response in twisted.web. 
#NOTE: The data we include in this advisory differs from the publicly available on nist.nvd.gov. As indicated in the project's changelog, the vulnerability was introduced in Twisted 16.3.0.
https://github.com/twisted/twisted/security/advisories/GHSA-xc8x-vp79-p3wm

Twisted 22.4.0rc1 includes a fix for CVE-2022-24801: Prior to version 22.4.0rc1, the Twisted Web HTTP 1.1 server, located in the 'twisted.web.http' module, parsed several HTTP request constructs more leniently than permitted by RFC 7230. This non-conformant parsing can lead to desync if requests pass through multiple HTTP parsers, potentially resulting in HTTP request smuggling. Users who may be affected use Twisted Web's HTTP 1.1 server and/or proxy and also pass requests through a different HTTP server and/or proxy. The Twisted Web client is not affected. The HTTP 2.0 server uses a different parser, so it is not affected. Two workarounds are available: Ensure any vulnerabilities in upstream proxies have been addressed, such as by upgrading them; or filtering malformed requests by other means, such as configurating an upstream proxy.
https://github.com/twisted/twisted/security/advisories/GHSA-c2jg-hw38-jrqq

Affected versions of Twisted are vulnerable to HTTP Request Smuggling. The HTTP 1.0 and 1.1 server provided by twisted.web could process pipelined HTTP requests out-of-order, possibly resulting in information disclosure.

Affected versions of Twisted, an event-driven network framework, are susceptible to HTTP Request Smuggling. This vulnerability arises from inadequate validation of modified request headers, enabling an attacker to smuggle requests through several techniques: employing multiple Content-Length headers, combining a Content-Length header with a Transfer-Encoding header, or utilizing a Transfer-Encoding header with values other than 'chunked' or 'identity'. This flaw compromises the framework's ability to securely process HTTP requests.

Twisted 20.3.0 includes a fix for CVE-2020-10109: In Twisted Web through 19.10.0, there was an HTTP request splitting vulnerability. When presented with a content-length and a chunked encoding header, the content-length took precedence and the remainder of the request body was interpreted as a pipelined request.

Twisted 22.10.0rc1 includes a fix for CVE-2022-39348: NameVirtualHost Host header injection.
https://github.com/twisted/twisted/security/advisories/GHSA-vg46-2rrj-3647

Twisted 22.1 includes a fix for CVE-2022-21712: In affected versions, twisted exposes cookies and authorization headers when following cross-origin redirects. This issue is present in the 'twisted.web.RedirectAgent' and 'twisted.web.BrowserLikeRedirectAgent' functions. There are no known workarounds.

Twisted 20.3.0 includes a fix for CVE-2020-10108: In Twisted Web through 19.10.0, there was an HTTP request splitting vulnerability. When presented with two content-length headers, it ignored the first header. When the second content-length value was set to zero, the request body was interpreted as a pipelined request.

Affected versions of Twisted are vulnerable to XSS. The `twisted.web.util.redirectTo` function contains an HTML injection vulnerability. If application code allows an attacker to control the redirect URL this vulnerability may result in Reflected Cross-Site Scripting (XSS) in the redirect response HTML body.

Twisted 23.10.0rc1 includes a fix for CVE-2023-46137: Disordered HTTP pipeline response in twisted.web. 
#NOTE: The data we include in this advisory differs from the publicly available on nist.nvd.gov. As indicated in the project's changelog, the vulnerability was introduced in Twisted 16.3.0.
https://github.com/twisted/twisted/security/advisories/GHSA-xc8x-vp79-p3wm

Twisted 22.4.0rc1 includes a fix for CVE-2022-24801: Prior to version 22.4.0rc1, the Twisted Web HTTP 1.1 server, located in the 'twisted.web.http' module, parsed several HTTP request constructs more leniently than permitted by RFC 7230. This non-conformant parsing can lead to desync if requests pass through multiple HTTP parsers, potentially resulting in HTTP request smuggling. Users who may be affected use Twisted Web's HTTP 1.1 server and/or proxy and also pass requests through a different HTTP server and/or proxy. The Twisted Web client is not affected. The HTTP 2.0 server uses a different parser, so it is not affected. Two workarounds are available: Ensure any vulnerabilities in upstream proxies have been addressed, such as by upgrading them; or filtering malformed requests by other means, such as configurating an upstream proxy.
https://github.com/twisted/twisted/security/advisories/GHSA-c2jg-hw38-jrqq

Affected versions of Twisted are vulnerable to HTTP Request Smuggling. The HTTP 1.0 and 1.1 server provided by twisted.web could process pipelined HTTP requests out-of-order, possibly resulting in information disclosure.

Affected versions of Twisted, an event-driven network framework, are susceptible to HTTP Request Smuggling. This vulnerability arises from inadequate validation of modified request headers, enabling an attacker to smuggle requests through several techniques: employing multiple Content-Length headers, combining a Content-Length header with a Transfer-Encoding header, or utilizing a Transfer-Encoding header with values other than 'chunked' or 'identity'. This flaw compromises the framework's ability to securely process HTTP requests.

Twisted 20.3.0 includes a fix for CVE-2020-10109: In Twisted Web through 19.10.0, there was an HTTP request splitting vulnerability. When presented with a content-length and a chunked encoding header, the content-length took precedence and the remainder of the request body was interpreted as a pipelined request.

Twisted 22.10.0rc1 includes a fix for CVE-2022-39348: NameVirtualHost Host header injection.
https://github.com/twisted/twisted/security/advisories/GHSA-vg46-2rrj-3647

Twisted 22.1 includes a fix for CVE-2022-21712: In affected versions, twisted exposes cookies and authorization headers when following cross-origin redirects. This issue is present in the 'twisted.web.RedirectAgent' and 'twisted.web.BrowserLikeRedirectAgent' functions. There are no known workarounds.

Twisted 20.3.0 includes a fix for CVE-2020-10108: In Twisted Web through 19.10.0, there was an HTTP request splitting vulnerability. When presented with two content-length headers, it ignored the first header. When the second content-length value was set to zero, the request body was interpreted as a pipelined request.

Affected versions of Twisted are vulnerable to XSS. The `twisted.web.util.redirectTo` function contains an HTML injection vulnerability. If application code allows an attacker to control the redirect URL this vulnerability may result in Reflected Cross-Site Scripting (XSS) in the redirect response HTML body.

Twisted 23.10.0rc1 includes a fix for CVE-2023-46137: Disordered HTTP pipeline response in twisted.web. 
#NOTE: The data we include in this advisory differs from the publicly available on nist.nvd.gov. As indicated in the project's changelog, the vulnerability was introduced in Twisted 16.3.0.
https://github.com/twisted/twisted/security/advisories/GHSA-xc8x-vp79-p3wm

Twisted 22.4.0rc1 includes a fix for CVE-2022-24801: Prior to version 22.4.0rc1, the Twisted Web HTTP 1.1 server, located in the 'twisted.web.http' module, parsed several HTTP request constructs more leniently than permitted by RFC 7230. This non-conformant parsing can lead to desync if requests pass through multiple HTTP parsers, potentially resulting in HTTP request smuggling. Users who may be affected use Twisted Web's HTTP 1.1 server and/or proxy and also pass requests through a different HTTP server and/or proxy. The Twisted Web client is not affected. The HTTP 2.0 server uses a different parser, so it is not affected. Two workarounds are available: Ensure any vulnerabilities in upstream proxies have been addressed, such as by upgrading them; or filtering malformed requests by other means, such as configurating an upstream proxy.
https://github.com/twisted/twisted/security/advisories/GHSA-c2jg-hw38-jrqq