CVE-2026-39805
HTTP Request Smuggling in Bandit
Publication date: 2026-05-01
Last updated on: 2026-05-05
Assigner: EEF
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| mtrudel | bandit | up to 1.11.0 (exclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-444 | The product acts as an intermediary HTTP agent (such as a proxy or firewall) in the data flow between two entities such as a client and server, but it does not interpret malformed HTTP requests or responses in ways that are consistent with how the messages will be processed by those entities that are at the ultimate destination. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is an Inconsistent Interpretation of HTTP Requests issue in the mtrudel bandit software, specifically related to how it handles duplicate Content-Length headers in HTTP requests.
The function 'Elixir.Bandit.Headers:get_content_length/1' uses a method that only considers the first Content-Length header when multiple are present. If two Content-Length headers with different values exist, Bandit accepts the request, uses the first value to read the body, and treats the remaining bytes as a second pipelined request on the same connection.
According to RFC 9112 §6.3, this situation should be treated as an unrecoverable framing error, but Bandit does not do this.
When Bandit is behind a proxy that picks the last Content-Length header and forwards the request instead of rejecting it, an unauthenticated attacker can exploit this to smuggle requests past security controls like edge WAF rules, path-based ACLs, rate limiting, and audit logging.
How can this vulnerability impact me?
This vulnerability can allow an unauthenticated attacker to bypass security mechanisms such as web application firewalls (WAF), access control lists (ACLs), rate limiting, and audit logging by smuggling HTTP requests.
As a result, attackers may be able to perform unauthorized actions, evade detection, and potentially exploit other vulnerabilities or access sensitive resources.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability allows HTTP request smuggling via duplicate Content-Length headers, which can enable an unauthenticated attacker to bypass edge WAF rules, path-based ACLs, rate limiting, and audit logging.
Such bypasses can undermine security controls that are often required for compliance with standards and regulations like GDPR and HIPAA, which mandate proper access controls, logging, and protection against unauthorized access.
Therefore, this vulnerability could negatively impact compliance by allowing attackers to evade security mechanisms designed to protect sensitive data and ensure proper monitoring.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by inspecting HTTP requests for the presence of duplicate Content-Length headers with differing values. An attacker may send requests containing two Content-Length headers where the first value is used by Bandit and the second value is used by a proxy, enabling request smuggling.
To detect such attempts on your network or system, capture and analyze HTTP traffic and look for requests carrying more than one Content-Length header. For example, use command-line tools like tcpdump or tshark to capture traffic, then grep or Wireshark to filter the HTTP headers:
- Use tcpdump to capture HTTP traffic: tcpdump -i <interface> -A -s 0 'tcp port 80 or tcp port 443'
- Filter captured traffic for duplicate Content-Length headers using grep or similar tools.
- Use tshark to filter HTTP requests with multiple Content-Length headers: tshark -Y 'http.header contains "Content-Length"' -T fields -e http.header
- In Wireshark, apply a display filter to find HTTP requests with multiple Content-Length headers.
Additionally, monitoring logs for unusual or malformed HTTP requests, especially those with conflicting Content-Length headers, can help detect exploitation attempts.
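As an added example (not code from the Bandit project or from this advisory), the following Python check implements the RFC 9112 §6.3 rule that the explanation and detection answers above describe, over constructed sample requests: it collects every Content-Length value (repeated headers and, going slightly beyond the page's duplicate-header case, the comma-separated list form), classifies the framing as a compliant server should, and reports the body length a first-wins backend versus a last-wins proxy would use. The request bytes and the helper names are constructed for illustration.

```python
from typing import List, Tuple

# Constructed sample requests (not real captures). CONFLICTING carries two
# Content-Length headers that disagree: a first-header-wins parser reads a
# 5-byte body and sees "world" as a second pipelined request, while a
# last-header-wins proxy forwards all 11 bytes as the body of one request.
CONFLICTING = (
    b"POST /api/v1/items HTTP/1.1\r\nHost: app.internal\r\n"
    b"Content-Length: 5\r\nContent-Length: 11\r\n\r\nhello world"
)
IDENTICAL = b"POST /a HTTP/1.1\r\nHost: app.internal\r\nContent-Length: 2, 2\r\n\r\nok"
CLEAN = b"GET /health HTTP/1.1\r\nHost: app.internal\r\n\r\n"


def content_length_values(raw: bytes) -> List[int]:
    """Collect every Content-Length value in the request head, including
    comma-separated lists such as 'Content-Length: 2, 2'."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    values = []
    for line in head.split(b"\r\n")[1:]:          # skip the request line
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"content-length":
            for item in value.split(b","):
                values.append(int(item.strip()))  # non-numeric values raise
    return values


def classify_framing(raw: bytes) -> str:
    """RFC 9112 section 6.3 outcome for the request's Content-Length framing:
    'conflicting' is an unrecoverable error (reject and close the connection),
    'duplicate_identical' may be folded to one value or rejected, 'ok' needs nothing."""
    values = content_length_values(raw)
    if len(set(values)) > 1:
        return "conflicting"
    if len(values) > 1:
        return "duplicate_identical"
    return "ok"


def framing_disagreement(raw: bytes) -> Tuple[int, int]:
    """Body length a first-wins parser vs. a last-wins parser would use."""
    values = content_length_values(raw)
    return values[0], values[-1]


def flag_smuggling_candidates(requests: List[bytes]) -> List[int]:
    """Indexes of requests whose framing a backend and a proxy could disagree on."""
    return [i for i, r in enumerate(requests) if classify_framing(r) == "conflicting"]
```

Run `flag_smuggling_candidates` over requests reassembled from a capture (tcpdump, tshark) or over a log that preserves raw headers; any index it returns is a request that a compliant server must reject rather than frame by either header.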
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation is to upgrade the Bandit HTTP server library to version 1.11.0 or later, where the vulnerability is fixed by rejecting requests containing multiple Content-Length headers.
If upgrading immediately is not possible, you should configure any fronting proxies or WAFs to reject HTTP requests with duplicate Content-Length headers or ensure they do not forward requests with conflicting Content-Length values.
Additionally, review and harden your security controls such as WAF rules, ACLs, and rate limiting to detect and block suspicious requests that may attempt HTTP request smuggling.
Monitoring and logging should be enhanced to detect anomalies related to HTTP request framing errors.