CVE-2020-7655: HTTP Request Smuggling in netius
CVSS Score: 6.1 (CVSS v3.1)
Basic Information
CVE ID: CVE-2020-7655
GHSA ID
EPSS Score: 0.4692%
CWE
Published: 6/18/2021
Updated: 10/7/2024
KEV Status: No
Technology: Python
Technical Details
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| netius | pip | < 1.17.58 | 1.17.58 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability stems from improper header validation in the HTTP parser. The patch adds an RFC 7230-compliant regex (HEADER_NAME_REGEX) to validate header names and changes the order of the validation steps. The original code in _parse_headers only checked that the header name carried no surrounding whitespace (key.strip() == key) and that the value stripped the same way with and without non-space whitespace at its edges (value.strip(b" ") == value.strip()); neither check rejects a header name containing characters outside the RFC 7230 token grammar, which is what enables request smuggling. Because _parse_headers owns header parsing and the patch changes its validation directly, that function is the vulnerable code.
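As an added illustration (not netius's code and not the patch itself), the stand-in below reproduces the strip()-based check the analysis describes beside an RFC 7230 token check, and runs both over constructed header blocks so the difference is visible. TOKEN_REGEX, weak_header_ok, strict_header_ok, parse_headers and compare are my own names, and the regex is written from the RFC's tchar rule rather than copied from netius's HEADER_NAME_REGEX.

```python
import re
from typing import Callable, Dict, Optional, Tuple

# Constructed stand-in for the pre-patch check the advisory describes:
# the name only has to survive strip() unchanged, and the value only has to
# strip the same way with and without tabs/CR/LF at its edges.
def weak_header_ok(key: bytes, value: bytes) -> bool:
    return key.strip() == key and value.strip(b" ") == value.strip()

# Constructed from RFC 7230's token rule (tchar = "!" / "#" / "$" / "%" / "&"
# / "'" / "*" / "+" / "-" / "." / "^" / "_" / "`" / "|" / "~" / DIGIT / ALPHA).
# This is my own regex, not netius's HEADER_NAME_REGEX.
TOKEN_REGEX = re.compile(rb"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")

def strict_header_ok(key: bytes, value: bytes) -> bool:
    # Name must be exactly one RFC 7230 token; value keeps the same edge check.
    if not TOKEN_REGEX.match(key):
        return False
    return value.strip(b" ") == value.strip()

def parse_headers(raw: bytes, check: Callable[[bytes, bytes], bool]
                  ) -> Optional[Dict[bytes, bytes]]:
    """Parse CRLF-separated header lines; return None if any header fails check."""
    headers: Dict[bytes, bytes] = {}
    for line in raw.split(b"\r\n"):
        if not line:
            continue
        if b":" not in line:
            return None
        key, value = line.split(b":", 1)
        value = value.strip(b" ")  # RFC 7230 allows optional spaces around the value
        if not check(key, value):
            return None
        headers[key.lower()] = value
    return headers

# Constructed sample header blocks (not taken from the advisory).
CLEAN = b"Host: example.test\r\nContent-Length: 5\r\n"
ODD_NAME = b"Host: example.test\r\nContent Length: 5\r\n"  # space inside the name

def compare(raw: bytes) -> Tuple[bool, bool]:
    """Return (accepted by weak check, accepted by strict token check)."""
    return (parse_headers(raw, weak_header_ok) is not None,
            parse_headers(raw, strict_header_ok) is not None)

if __name__ == "__main__":
    for label, raw in (("clean", CLEAN), ("odd name", ODD_NAME)):
        print(label, compare(raw))  # clean -> (True, True); odd name -> (True, False)
```

The second block is accepted by the strip()-only check and rejected once the name must be a token, which is the gap the patch closes.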