
Apache Tomcat - HTTP Request Smuggling

CVE-2023-45648
Verified

Description

Apache Tomcat versions 8.5.0 to 8.5.93, 9.0.0-M1 to 9.0.81, 10.1.0-M1 to 10.1.13, and 11.0.0-M1 to 11.0.0-M11 contain an improper input validation flaw caused by incorrect parsing of HTTP trailer headers. An attacker can craft trailer headers to cause request smuggling; exploitation requires sending malicious trailer headers.

Severity

Medium

CVSS Score

5.3

Exploit Probability

63%

Affected Product

tomcat

Published Date

January 29, 2026

Template Author

0x_akoko

CVE-2023-45648.yaml
id: CVE-2023-45648

info:
  name: Apache Tomcat - HTTP Request Smuggling
  author: 0x_Akoko
  severity: medium
  description: |
    Apache Tomcat from versions 8.5.0 to 8.5.93, 9.0.0-M1 to 9.0.81, 10.1.0-M1 to 10.1.13, and 11.0.0-M1 to 11.0.0-M11 contain an improper input validation caused by incorrect parsing of HTTP trailer headers, letting attackers craft headers to cause request smuggling, exploit requires sending malicious trailer headers.
  impact: |
    Attackers can perform request smuggling, potentially leading to cache poisoning, session hijacking, or bypassing security controls.
  remediation: |
    Upgrade to version 11.0.0-M12, 10.1.14, 9.0.81, or 8.5.94 or later.
  reference:
    - https://lists.apache.org/thread/2pv8yz1pyp088tsxfb7ogltk9msk0jdp
    - https://hackerone.com/reports/2299692
    - https://nvd.nist.gov/vuln/detail/CVE-2023-45648
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
    cvss-score: 5.3
    cve-id: CVE-2023-45648
    cwe-id: CWE-444
    epss-score: 0.62748
    epss-percentile: 0.984
  metadata:
    verified: false
    max-request: 1
    vendor: apache
    product: tomcat
    shodan-query: title:"Apache Tomcat"
    fofa-query: app="APACHE-Tomcat"
  tags: cve,cve2023,apache,tomcat,http-smuggling,passive

http:
  - method: GET
    path:
      - "{{BaseURL}}/{{randstr}}"

    matchers:
      - type: dsl
        dsl:
          - 'status_code == 404'
          - 'contains(body, "Apache Tomcat/")'
          - 'regex("Apache Tomcat/(8\.5\.(0|[1-9]|[1-8][0-9]|9[0-3])|9\.0\.(0(-M\d+)?|[1-9]|[1-7][0-9]|80)|10\.1\.(0(-M\d+)?|[1-9]|1[0-3])|11\.0\.0-M([1-9]|1[01]))(?:[^0-9]|$)", body)'
        condition: and

    extractors:
      - type: regex
        part: body
        group: 1
        regex:
          - 'Apache Tomcat/([0-9.]+(-M[0-9]+)?)'
# digest: 490a0046304402206a038997484e612cb2436f3bd7b07fe9d170302c859fda9db572f2962c30c2db02207ce22629f7151f1f786631f1e6b437e061ae447b090406fb3a8feba8c64ebd53:922c64590222798bb761d5b6d8e72950
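The template above decides "affected" purely from the version in the Tomcat error-page banner. The following is an added example, not the template's own code nor code from the Tomcat project, that performs the same version triage in Python so the ordering of milestone (-Mn) releases is explicit rather than buried in a regex. The cut-off per branch is taken from the remediation line (first fixed release); the sample bodies are constructed, not captured from a real server.

```python
import re

# A GA release (x.y.z with no -Mn suffix) sorts after every milestone of the
# same x.y.z, so milestones get their number and GA gets a large sentinel.
GA = 10**6

# First fixed release per affected branch, from the page's remediation line.
FIRST_FIXED = {
    (8, 5): "8.5.94",
    (9, 0): "9.0.81",
    (10, 1): "10.1.14",
    (11, 0): "11.0.0-M12",
}

VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-M(\d+))?$")
BANNER_RE = re.compile(r"Apache Tomcat/(\d+\.\d+\.\d+(?:-M\d+)?)")


def parse_version(text):
    """Parse 'major.minor.patch[-Mn]' into a tuple that compares correctly."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Tomcat version: {text!r}")
    major, minor, patch, milestone = m.groups()
    return (int(major), int(minor), int(patch), int(milestone) if milestone else GA)


def is_affected(text):
    """True if the version is on a listed branch and predates that branch's fix."""
    v = parse_version(text)
    fixed = FIRST_FIXED.get(v[:2])
    if fixed is None:
        return False  # branch not listed on this page (e.g. 7.0.x, 10.0.x)
    return v < parse_version(fixed)


def triage_banner(body):
    """Pull the version out of an error-page body and classify it.
    Returns (version, affected), or (None, False) if no banner is present."""
    m = BANNER_RE.search(body)
    if not m:
        return (None, False)
    return (m.group(1), is_affected(m.group(1)))


if __name__ == "__main__":
    # Constructed sample bodies (hypothetical, not real server output).
    for body in ("<h3>Apache Tomcat/9.0.80</h3>", "<h3>Apache Tomcat/9.0.81</h3>",
                 "<h3>Apache Tomcat/11.0.0-M11</h3>", "<h3>Apache Tomcat/10.0.27</h3>"):
        print(triage_banner(body))
```

Like the template (tagged `passive`), this only reads a banner; it tells you which hosts to schedule for the upgrade in the remediation line, not whether a given deployment is actually reachable with smuggled requests.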
CVSS Metrics

Score: 5.3
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
CVE ID: CVE-2023-45648
CWE ID: CWE-444

References

https://lists.apache.org/thread/2pv8yz1pyp088tsxfb7ogltk9msk0jdp
https://hackerone.com/reports/2299692
https://nvd.nist.gov/vuln/detail/CVE-2023-45648

Remediation Steps

Upgrade to version 11.0.0-M12, 10.1.14, 9.0.81, or 8.5.94 or later.