CRITICAL🇵🇱 Wersja polska

CVE-2025-1867

CVSS 10.0v4.0pub. 2025-03-03upd. 2026-04-15

Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') vulnerability in ithewei libhv allows HTTP Response Smuggling.This issue affects libhv: through 1.3.3.

🤖 AI Analysis
How it works

The vulnerability results from inconsistent interpretation of HTTP requests by the libhv library — a phenomenon known as HTTP Request/Response Smuggling. An attacker can craft a specially constructed HTTP request that will be interpreted differently by the frontend and backend servers (or by different traffic processing components). The discrepancy in interpretation allows smuggling of additional HTTP requests or responses that are not visible to intermediate security mechanisms. This does not require authentication or user interaction, and the attack is possible remotely over the network.

Impact

An attacker can gain unauthorized access to other users' data, bypass access control mechanisms, poison proxy caches, and consequently conduct further attacks on the infrastructure — including hijacking sessions or causing disclosure of sensitive information. The impact affects confidentiality, integrity, and availability of the system and related components.

Mitigation & patch

Apply patches available from the vendor according to the references (pull request #689 in the ithewei/libhv GitHub repository). It is recommended to update the libhv library to a version newer than 1.3.3 immediately after its release and monitor the official project repository to confirm patch availability.

Who is affected

The libhv library in all versions up to and including 1.3.3.

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
CWE
References