CVE-2025-41082
HTTP Request Desynchronization Vulnerability in Altitude Server
Publication date: 2026-01-26
Last updated on: 2026-01-26
Assigner: Spanish National Cybersecurity Institute, S.A. (INCIBE)
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| altitude | communication_server | * |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-444 | The product acts as an intermediary HTTP agent (such as a proxy or firewall) in the data flow between two entities such as a client and server, but it does not interpret malformed HTTP requests or responses in ways that are consistent with how the messages will be processed by those entities that are at the ultimate destination. |
Attack-Flow Graph
AI Powered Q&A
What immediate steps should I take to mitigate this vulnerability?
No solution or mitigation steps have been reported yet for this vulnerability. [1]
How can this vulnerability impact me? :
The vulnerability can impact you by allowing attackers to hide malicious requests, poison caches, or bypass security controls. This can lead to unauthorized access, data manipulation, or other security breaches within the affected system. [1]
Can you explain this vulnerability to me?
This vulnerability occurs in the Altitude Communication Server due to improper handling of multiple HTTP requests sent over a single Keep-Alive connection using Content-Length headers. The server inconsistently analyzes these requests, causing a desynchronization between frontend and backend servers. This desynchronization can lead to issues such as request hiding, cache poisoning, or security bypass. [1]