CVE-2022-39348 MEDIUM

CVE-2022-39348: Twisted vulnerable to NameVirtualHost Host header injection

Vendor Twisted
Product twisted
Weakness CWE-80 · Basic XSS (Improper Neutralization of Script-Related HTML Tags in a Web Page)
Published October 26, 2022
Last update November 3, 2025

CVSS base score

5.4/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction Required
Scope Changed
Confidentiality Low
Integrity Low
Availability None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

What the vulnerability does

Description

Twisted is an event-based framework for internet applications. Starting with version 0.9.4, when the request's Host header does not match any configured host, `twisted.web.vhost.NameVirtualHost` returns a `NoResource` resource whose 404 response body includes the Host header value unescaped, allowing HTML and script injection. In practice this should be very difficult to exploit: the injected markup is rendered only in the response to the request that carried it, so an attacker would have to control the Host header of a victim's browser request, which implies an already privileged position. This issue was fixed in version 22.10.0rc1. There are no known workarounds; upgrading to a fixed release is the remediation.
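The following is an added example and not Twisted's own code: it models the bug class the advisory describes (a virtual-host lookup that falls through to a 404 page and interpolates the Host header into HTML without escaping) next to the escaped variant, and includes a small reflection check and a version-range check for the affected range stated above (0.9.4 up to, but not including, 22.10.0rc1). The 404 template, the vhost map and the function names are assumptions for illustration; the version parser ignores pre-release suffixes, which is enough here because 22.10.0rc1 and 22.10.0 are both fixed.

```python
import html
import re
from typing import Callable, Dict, Optional, Tuple

# Hypothetical 404 template standing in for the framework's error page.
# Not Twisted's template; it only has to show where the Host value lands.
TEMPLATE_404 = """<html>
  <head><title>404 - No Such Resource</title></head>
  <body>
    <h1>No Such Resource</h1>
    <p>{detail}</p>
  </body>
</html>
"""

# Constructed vhost map: lower-cased host name -> site label.
VHOST_MAP: Dict[bytes, str] = {b"example.com": "site-a", b"example.org": "site-b"}


def host_from_header(host_header: Optional[bytes]) -> Optional[bytes]:
    """Normalise a raw Host header the way a name-based vhost lookup would:
    lower-case it and drop any :port suffix."""
    if host_header is None:
        return None
    return host_header.lower().split(b":", 1)[0]


def not_found_body_vulnerable(host_header: Optional[bytes]) -> str:
    """Vulnerable pattern: the (attacker-supplied) host value is placed into
    the HTML body as-is, so '<' and '>' survive into the page."""
    host = host_from_header(host_header)
    detail = "host %r not in vhost map" % host
    return TEMPLATE_404.format(detail=detail)


def not_found_body_fixed(host_header: Optional[bytes]) -> str:
    """Hardened pattern: the same message, HTML-escaped before interpolation."""
    host = host_from_header(host_header)
    detail = "host %r not in vhost map" % host
    return TEMPLATE_404.format(detail=html.escape(detail, quote=True))


def dispatch(
    host_header: Optional[bytes], render_404: Callable[[Optional[bytes]], str]
) -> Tuple[int, str]:
    """Route a request by Host; unknown hosts fall through to the 404 renderer."""
    host = host_from_header(host_header)
    if host in VHOST_MAP:
        return 200, VHOST_MAP[host]
    return 404, render_404(host_header)


# Constructed probe: a Host value carrying an HTML tag. If it comes back
# verbatim in a 404 body, the error page is not escaping the header.
PROBE = b"<script>alert(1)</script>"


def reflects_unescaped(body: str, marker: bytes = PROBE) -> bool:
    """True if the raw marker (with angle brackets intact) appears in the body."""
    return marker.decode("ascii") in body


def twisted_version_affected(version: str) -> bool:
    """Affected range from the advisory: >= 0.9.4 and < 22.10.0rc1.
    Pre-release tags are ignored (assumption): 22.10.0rc1 parses as (22, 10, 0)."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError("unrecognised version string: %r" % version)
    v = tuple(int(x) for x in m.groups())
    return (0, 9, 4) <= v < (22, 10, 0)


if __name__ == "__main__":
    status, body = dispatch(PROBE, not_found_body_vulnerable)
    print("vulnerable 404 reflects probe:", reflects_unescaped(body))
    status, body = dispatch(PROBE, not_found_body_fixed)
    print("fixed 404 reflects probe:", reflects_unescaped(body))
    for ver in ("0.9.3", "0.9.4", "22.8.0", "22.10.0rc1", "22.10.0"):
        print(ver, "affected" if twisted_version_affected(ver) else "fixed")
```

To check a real deployment the same way, send a request to a test instance with a Host header that matches no configured vhost and contains a marker tag, and look for the marker unescaped in the 404 body; the version check is the quicker first pass, since any Twisted below 22.10.0rc1 that serves `NameVirtualHost` is in the affected range.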

Key dates

Disclosure timeline

October 26, 2022 CVE published
November 3, 2025 Record updated