CVE-2020-1935
HTTP Request Smuggling vulnerability in org.apache.tomcat.embed:tomcat-embed-core
What is CVE-2020-1935 About?
Apache Tomcat versions 9.0.0.M1 to 9.0.30, 8.5.0 to 8.5.50, and 7.0.0 to 7.0.99 contain an HTTP header parsing vulnerability. This flaw allows specific invalid HTTP headers to be parsed as valid, potentially leading to HTTP Request Smuggling. Exploitation is difficult and relies on a very specific reverse proxy configuration.
Affected Software
- org.apache.tomcat.embed:tomcat-embed-core
  - >9.0.0, <9.0.31
  - >8.0.0, <8.5.51
  - <7.0.100
- org.apache.tomcat:tomcat
  - >9.0.0, <9.0.31
  - >8.0.0, <8.5.51
  - <7.0.100
Technical Details
The vulnerability lies in how Apache Tomcat (specifically, its HTTP header parsing code) in the affected versions handles end-of-line characters, allowing some malformed HTTP headers to be interpreted as valid. This non-standard parsing can be exploited for HTTP Request Smuggling when Tomcat is deployed behind a reverse proxy. If the reverse proxy interprets the malformed 'Transfer-Encoding' header differently than Tomcat, an attacker can send a request that the proxy sees as one request but Tomcat sees as two. This desynchronization allows the attacker to 'smuggle' a second, malicious request within the first. The second request can then be prepended to the next legitimate request that the proxy forwards to Tomcat, potentially allowing the attacker to bypass access controls, execute unauthorized actions, or poison web caches. The specific condition for this vulnerability is a reverse proxy that incorrectly handles the invalid 'Transfer-Encoding' header in a certain manner (e.g., ignoring it or treating it as valid), leading to a disconnect with Tomcat's parsing.
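As an added illustration (not code from this advisory or from Tomcat), the strict header-block check a reverse proxy can apply so that it never forwards a request the two hops might read differently: it rejects any line terminator other than CRLF and any conflicting framing headers. The lenient parser is a hypothetical stand-in for a permissive implementation, and both sample requests are constructed.

```python
import re

CRLF = b"\r\n"
TOKEN = rb"[!#$%&'*+.^_`|~0-9A-Za-z-]+"  # RFC 7230 token characters

def _collect(lines):
    """Build a name -> [values] map from header lines (names lower-cased)."""
    headers = {}
    for line in lines:
        name, _, value = line.partition(b":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers

def parse_headers_strict(raw: bytes) -> dict:
    """Parse the header block, raising ValueError on anything ambiguous."""
    head, sep, _body = raw.partition(CRLF + CRLF)
    if not sep:
        raise ValueError("header block not terminated by CRLF CRLF")
    lines = head.split(CRLF)[1:]  # drop the request line
    for line in lines:
        # A bare CR or LF left inside a line means a non-CRLF terminator was used.
        if b"\r" in line or b"\n" in line:
            raise ValueError("bare CR/LF inside header line: %r" % line)
        if not re.fullmatch(TOKEN + rb":.*", line):
            raise ValueError("malformed header line: %r" % line)
    headers = _collect(lines)
    if b"transfer-encoding" in headers and b"content-length" in headers:
        raise ValueError("Transfer-Encoding and Content-Length both present")
    return headers

def parse_headers_lenient(raw: bytes) -> dict:
    """Hypothetical permissive parser: accepts CR, LF or CRLF as a line end."""
    head = raw.partition(CRLF + CRLF)[0]
    return _collect(re.split(rb"\r\n|\r|\n", head)[1:])

def framing_disagrees(raw: bytes) -> bool:
    """True when the lenient parser sees a framing header the strict one rejects."""
    try:
        parse_headers_strict(raw)
        return False
    except ValueError:
        seen = parse_headers_lenient(raw)
        return b"transfer-encoding" in seen or b"content-length" in seen

# Constructed samples: a well-formed request, and one whose Host line ends in a
# bare CR so that only a permissive parser sees the following Transfer-Encoding.
GOOD = b"POST / HTTP/1.1\r\nHost: app.example\r\nContent-Length: 5\r\n\r\nhello"
BARE_CR = (b"POST / HTTP/1.1\r\nHost: app.example\r"
           b"Transfer-Encoding: chunked\r\nContent-Length: 5\r\n\r\nhello")
```

A proxy that drops requests for which `framing_disagrees` is true, or that simply applies the strict parser before forwarding, removes the parsing discrepancy this CVE depends on.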
What is the Impact of CVE-2020-1935?
Successful exploitation may allow attackers to bypass security controls, gain unauthorized access to internal resources, poison web caches, or perform unauthorized actions on behalf of other users.
What is the Exploitability of CVE-2020-1935?
Exploitation is considered difficult and has very specific prerequisites: the vulnerable Tomcat instance must be situated behind a reverse proxy, and that proxy must handle malformed 'Transfer-Encoding' headers in a way that causes a desynchronization with Tomcat's parsing. There are no authentication requirements for the initial smuggling attempt, as it targets the HTTP parsing mechanism. No specific privileges are needed beyond being able to send HTTP requests to the reverse proxy. This is a remote exploit. The stated likelihood of such a reverse proxy configuration being present is low, significantly reducing the practical risk of exploitation. However, if such a vulnerable setup exists, the impact can be severe. The main risk factor is an unusual or misconfigured reverse proxy setup in front of Tomcat.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2020-1935?
Available Upgrade Options
- org.apache.tomcat:tomcat
  - <7.0.100 → Upgrade to 7.0.100
  - >8.0.0, <8.5.51 → Upgrade to 8.5.51
  - >9.0.0, <9.0.31 → Upgrade to 9.0.31
- org.apache.tomcat.embed:tomcat-embed-core
  - <7.0.100 → Upgrade to 7.0.100
  - >8.0.0, <8.5.51 → Upgrade to 8.5.51
  - >9.0.0, <9.0.31 → Upgrade to 9.0.31
Additional Resources
- https://lists.debian.org/debian-lts-announce/2020/03/msg00006.html
- https://lists.apache.org/thread.html/rc31cbabb46cdc58bbdd8519a8f64b6236b2635a3922bbeba0f0e3743@%3Ccommits.tomee.apache.org%3E
- https://usn.ubuntu.com/4448-1
- https://lists.apache.org/thread.html/r127f76181aceffea2bd4711b03c595d0f115f63e020348fe925a916c%40%3Cannounce.tomcat.apache.org%3E
- https://osv.dev/vulnerability/GHSA-qxf4-chvg-4r8r
- https://lists.apache.org/thread.html/r80e9c8417c77d52c62809168b96912bda70ddf7748f19f8210f745b1@%3Cusers.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/r441c1f30a252bf14b07396286f6abd8089ce4240e91323211f1a2d75@%3Cusers.tomcat.apache.org%3E
- http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00025.html
- https://lists.apache.org/thread.html/r9ce7918faf347e7aac32be930bf26c233b0b140fe37af0bb294158b6@%3Cdev.tomcat.apache.org%3E
What are Similar Vulnerabilities to CVE-2020-1935?
Similar Vulnerabilities: CVE-2023-38545, CVE-2023-38546, CVE-2022-26377, CVE-2021-39417, CVE-2019-15888
