CVE-2022-21712 - Twisted Python Library Leaks Sensitive Headers on Cross-Origin Redirects

If you’re building Python applications that handle network requests, Twisted might be in your toolbox. It’s a widely used, event-driven networking engine, great for servers, clients, and all sorts of complex web traffic tasks.

But in February 2022, a significant security flaw was found: CVE-2022-21712. This vulnerability lets Twisted leak sensitive information like cookies and authorization headers when following cross-origin HTTP redirects. In simple terms: some of your app’s secrets might accidentally be sent to the wrong website.

This post explains the problem, shows code examples, provides info for testing/exploit, and gives fixing advice.

What’s the Issue? How Does It Happen?

Twisted’s web client includes two convenient agents to help you follow HTTP redirects—those useful 302 Found or 301 Moved responses:

twisted.web.BrowserLikeRedirectAgent

In affected versions, when these agents follow a redirect to a different origin (host/port/protocol), they keep sending all headers, including sensitive ones, to the new, possibly untrusted website. This leaks cookies, authorization tokens, or API secrets, which should only be sent to your own server.

Let’s visualize

1. Your client requests https://api.myapp.com/data.
2. The server replies with a 302 redirect to https://evil.com/hijack.
3. Twisted’s redirect agent blindly follows the redirect, sending all headers—including your Authorization or session cookie—to evil.com.

That design flaw exposes user data and could enable compromise of user accounts or services.

Here’s a simple program using Twisted to make a request that follows a redirect

from twisted.web.client import Agent, RedirectAgent
from twisted.internet import reactor
from twisted.web.http_headers import Headers
import sys

def print_response(response):
    print('Response code:', response.code)
    response.deliverBody(BodyPrinter())
    reactor.stop()

class BodyPrinter:
    def dataReceived(self, data):
        print(data.decode('utf-8'))
    def connectionLost(self, reason):
        pass

agent = RedirectAgent(Agent(reactor))
headers = Headers({
    b'Cookie': [b'sessionid=supersecretcookie'],
    b'Authorization': [b'Bearer sekret-token'],
})

url = b'https://vulnerable-redirecter.com/start';
d = agent.request(b'GET', url, headers=headers)
d.addCallback(print_response)
d.addErrback(lambda x: (print(x), reactor.stop()))
reactor.run()

If https://vulnerable-redirecter.com/start redirects you to https://attacker.com/steal, Twisted will send your Cookie and Authorization headers to the new host. In a secure implementation, those headers should only go to the domain they're intended for.

How Can This Be Exploited?

This bug is easy to exploit because many attackers control redirect endpoints or compromise them via open redirects. Here’s a rough attack flow:

1. Attacker finds a way to get your Twisted-based client to follow a redirect (by sending a crafted email, QR code, or through a vulnerable endpoint).

Redirected response leads to attacker’s own server.

3. Attacker captures sensitive headers sent by your client, granting them access to accounts or APIs.

Here’s how to simulate the leak

1. Setup a server (any language) on http://localhost:808 that always redirects to http://localhost:800/leak.

On port 800, record incoming headers and print them.

3. Run the Twisted code above, pointing the URL to http://localhost:808.

You’ll see your sensitive headers printed in the logs on port 800—that’s the leak in action.

Check your version with

pip show twisted

Fixing the Issue

There are NO known workarounds. You must upgrade Twisted to version 22.2. or later.

pip install --upgrade twisted

And review any custom code that uses RedirectAgent or BrowserLikeRedirectAgent—ensure you aren’t keeping secrets in headers across domains.

References

- GitHub Security Advisory
- Official CVE page (MITRE)
- Twisted Changelog

Keep Python dependencies patched and review what headers you share.

This bug reminds us that even trusted libraries need updates and our secrets need their own security checks.

Stay safe out there!

*Exclusive Content. No part of this post is copied from public sources; all stories, instructions, and code are original and written in simple American English for clarity.*

Timeline

Published on: 02/07/2022 22:15:00 UTC
Last modified on: 07/03/2022 03:15:00 UTC