sanic is vulnerable to HTTP Request Smuggling
74
High Risk
sanic's HTTP/1.1 server does not fully terminate chunked request bodies and leaves trailer bytes in the connection buffer, where they can be reparsed as a smuggled request on a keep-alive connection. The same release also fails to strip carriage return, line feed, and NUL characters from outgoing response header names and values, including cookie attributes and file download names, allowing response splitting and header injection when applications place untrusted data into headers. URLs longer than 65535 bytes are accepted even though the underlying parser stores URL component offsets as 16-bit integers that silently wrap and truncate the routed path or query string. The fix rejects non-empty chunked trailers and drops the connection, sanitizes response header names and values, and rejects oversized URLs with a 414 error.
You are affected if you are using a version that falls within the vulnerable range.
sanic is vulnerable to HTTP Request Smuggling in versions 21.3.0 - 25.12.0.
Upgrade the sanic library to the patch version.
Connect your repositories to instantly see whether vulnerable or malicious packages exist in your codebase.
Free. No credit card required.

SOC 2Compliant
ISO 27001Compliant