{"id":"CVE-2022-29361","details":"Improper parsing of HTTP requests in Pallets Werkzeug v2.1.0 and below allows attackers to perform HTTP Request Smuggling using a crafted HTTP request with multiple requests included inside the body. NOTE: the vendor's position is that this behavior can only occur in unsupported configurations involving development mode and an HTTP server from outside the Werkzeug project.","aliases":["PYSEC-2022-203"],"modified":"2026-04-10T04:47:12.933177Z","published":"2022-05-25T01:15:07.277Z","related":["openSUSE-SU-2024:13098-1"],"references":[{"type":"REPORT","url":"https://github.com/pallets/werkzeug/issues/2420"},{"type":"FIX","url":"https://github.com/pallets/werkzeug/commit/9a3a981d70d2e9ec3344b5192f86fcaf3210cd85"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/pallets/werkzeug","events":[{"introduced":"0"},{"last_affected":"294de758b6edc0dbbd68c3292729ef3fa0fab657"},{"fixed":"9a3a981d70d2e9ec3344b5192f86fcaf3210cd85"}],"database_specific":{"versions":[{"introduced":"0"},{"last_affected":"2.1.0"}]}}],"versions":["0.1","0.10","0.11","0.12","0.13","0.14","0.15.0","0.2","0.3","0.4","0.4.1","0.6","0.6.1","0.6.2","0.7","0.8","0.9","1.0.0","1.0.0rc1","2.0.0","2.0.0rc1","2.0.0rc2","2.0.0rc3","2.0.0rc4","2.0.0rc5","2.1.0"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-29361.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}]}