The security of web frameworks often relies on the little details—especially around how headers and errors are managed. A good example is CVE-2022-39348, a vulnerability that affected the popular Python Twisted networking engine.

In this post, we’ll break down what this vulnerability was, explore how it could be exploited, show you the code, and help you understand why you should care—even if exploiting it isn't trivial in the real world.

What Is Twisted?

Twisted is a powerful event-driven networking engine written in Python. It lets you build servers and clients for protocols like HTTP, SSH, IRC, and more—many tools and web services rely on it.

One of Twisted’s web features is virtual hosting, which lets a single instance respond as different websites depending on the Host: header.

The Vulnerability (CVE-2022-39348)

Reported: October 2022
Affected: All Twisted versions from .9.4 up to 22.10.rc1
Patched: 22.10.rc1

The Problem in Simple Terms

If you use twisted.web.vhost.NameVirtualHost to serve multiple hosts, and someone sends a request with a Host: header that doesn't match any configured site, Twisted gives a special error.

But here's the bug: the error page includes the raw Host: value from the request without escaping it. If the Host: contains HTML or JavaScript, it gets rendered right into the 404 error page. This exposes the app to HTML or script injection (a kind of Cross-Site Scripting, or XSS).

Most normal users and browsers won't let you set the Host: header to an arbitrary value, so an attacker would need a way to poison or intercept requests, which means they already hold some privileged position on the network.

Here's the buggy logic from the Twisted source, the render method of the "no such host" resource:

def render(self, request):
    # Bug: the Host value is interpolated into the response body with no HTML escaping
    host = request.getRequestHostname().decode("utf-8")
    return ("No such resource for host %s" % host).encode("utf-8")

If you send something like:

GET / HTTP/1.1
Host: <script>alert('XSS')</script>

The response will be:

No such resource for host <script>alert('XSS')</script>

When viewed in a browser, this script tag executes.

Exploit Example

While standard browsers restrict how the Host: header can be manipulated, a script, a browser plug-in, or a tool like curl or Burp Suite can set it freely.

Exploit with curl:

curl -s -H "Host: <script>alert(1)</script>" http://victim.site/

Vulnerable server's response:

<html>
<body>
No such resource for host <script>alert(1)</script>
</body>
</html>

If a user could be tricked into loading this page (perhaps via an open proxy or similar attack), malicious scripts could run in the user’s browser.

Fix and Recommendation

Fixed In: Twisted 22.10.rc1

The patch escapes the header before rendering it.
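To make the bug and the fix concrete, here is an added, stand-alone illustration (not Twisted's own code): a toy Host-header extractor, the unescaped error body beside the escaped one, and a hostname sanity check a defender can apply before rendering anything. The request bytes are constructed for the example.

```python
import html
import re
from typing import Optional

# Constructed sample request (not captured from a real server).
CONSTRUCTED_REQUEST = b"GET / HTTP/1.1\r\nHost: <script>alert('XSS')</script>\r\n\r\n"

# A real hostname is letters, digits, dots and hyphens, optionally followed by a port.
# (Assumption for this example: bracketed IPv6 literals are not handled.)
_HOST_RE = re.compile(rb"^[A-Za-z0-9.-]+(:[0-9]{1,5})?$")


def host_from_request(raw: bytes) -> Optional[bytes]:
    """Extract the Host header from a raw HTTP/1.1 request (toy parser, not Twisted's)."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    for line in head.split(b"\r\n")[1:]:  # skip the request line
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"host":
            return value.strip()
    return None


def vulnerable_page(host: bytes) -> bytes:
    """Mirrors the bug: the raw Host value is interpolated into the 404 body unescaped."""
    return ("No such resource for host %s" % host.decode("utf-8", "replace")).encode("utf-8")


def hardened_page(host: bytes) -> bytes:
    """What the fix does: HTML-escape the attacker-controlled value before rendering it."""
    safe = html.escape(host.decode("utf-8", "replace"), quote=True)
    return ("No such resource for host %s" % safe).encode("utf-8")


def is_plausible_host(host: bytes) -> bool:
    """Defensive pre-check: reject Host values that cannot be a hostname[:port] at all."""
    return _HOST_RE.match(host) is not None


if __name__ == "__main__":
    host = host_from_request(CONSTRUCTED_REQUEST)
    print("vulnerable:", vulnerable_page(host))
    print("hardened:  ", hardened_page(host))
    print("plausible host?", is_plausible_host(host))
```

Escaping is the actual fix; the plausibility check is an extra layer that also gives you a clean signal to log when a request carries a Host value no browser would ever send.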

If you're using Twisted for virtual hosting, upgrade to at least Twisted 22.10.rc1.

pip install --upgrade twisted

No workarounds are known. If you can't upgrade, do not use NameVirtualHost.

Conclusion

CVE-2022-39348 is a reminder that even obscure configuration errors—like echoing a user-supplied host header into an error page—can be a security issue. While it’s hard to exploit in practice, updating is the only safe move.

If your infrastructure or partners use Twisted with virtual hosts, make sure you’re patched, and always treat input—even headers—as untrusted. Stay safe!

Timeline

Published on: 10/26/2022 20:15:00 UTC
Last modified on: 03/08/2023 01:07:00 UTC