Intel

AIKIDO-2026-659287

sanic is vulnerable to HTTP Request Smuggling

HTTP Request Smuggling Pre-CVE
Found by Aikido Intel before public disclosure or CVE publication.
Published Jul 1, 2026

74

High Risk

This Affects:

PYTHONsanic
21.3.0 - 25.12.0
Fixed in 25.12.1
Are you affected? Scan for Free

TL;DR

sanic's HTTP/1.1 server does not fully terminate chunked request bodies and leaves trailer bytes in the connection buffer, where they can be reparsed as a smuggled request on a keep-alive connection. The same release also fails to strip carriage return, line feed, and NUL characters from outgoing response header names and values, including cookie attributes and file download names, allowing response splitting and header injection when applications place untrusted data into headers. URLs longer than 65535 bytes are accepted even though the underlying parser stores URL component offsets as 16-bit integers that silently wrap and truncate the routed path or query string. The fix rejects non-empty chunked trailers and drops the connection, sanitizes response header names and values, and rejects oversized URLs with a 414 error.

Who does this affect?

You are affected if you are using a version that falls within the vulnerable range.

Background info

sanic is vulnerable to HTTP Request Smuggling in versions 21.3.0 - 25.12.0.

How to fix this

Upgrade the sanic library to the patch version.