CVE-2007-6245
Description
Adobe Flash Player 9.x up to 9.0.48.0, 8.x up to 8.0.35.0, and 7.x up to 7.0.70.0 allows remote attackers to modify HTTP headers for client requests and conduct HTTP Request Splitting attacks.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Adobe Flash Player up to 9.0.48.0, 8.0.35.0, and 7.0.70.0 allows remote attackers to conduct HTTP Request Splitting attacks by modifying HTTP headers.
Vulnerability
Adobe Flash Player versions 9.x up to 9.0.48.0, 8.x up to 8.0.35.0, and 7.x up to 7.0.70.0 contain a vulnerability that allows remote attackers to modify HTTP headers in client requests generated by the Flash Player. This enables HTTP Request Splitting attacks, where an attacker can inject arbitrary headers into HTTP requests made by the player. The affected versions are those prior to the fixes released in later updates [2].
Exploitation
An attacker must entice a user to open a specially crafted SWF file, typically via a web browser. The malicious Flash file can manipulate the HTTP headers of requests made by the Flash Player, allowing the attacker to inject additional headers or split the request into multiple HTTP messages. No authentication or special network position is required beyond the ability to deliver the SWF file to the victim [2].
Impact
Successful exploitation allows the attacker to conduct HTTP Request Splitting, which can lead to cache poisoning, session hijacking, cross-site scripting (XSS), or other attacks that rely on manipulating HTTP traffic. The attacker can modify or inject headers, potentially affecting the security of web applications that rely on proper HTTP request structure [2].
Mitigation
Adobe released updated versions of Flash Player to address this issue. Users should upgrade to Flash Player 9.0.115.0 or later for the 9.x branch, and corresponding updates for 8.x and 7.x branches. Red Hat issued advisory RHSA-2007-1126 [1] and Gentoo published GLSA 200801-07 [2] recommending the upgrade. No workaround is available for unpatched versions [2].
AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- cpe:2.3:a:adobe:flash_player:7.0:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:flash_player:8.0:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:flash_player:9.0:*:*:*:*:*:*:*
- Range: >=9.0, <=9.0.48.0; >=8.0, <=8.0.35.0; >=7.0, <=7.0.70.0
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- www.us-cert.gov/cas/techalerts/TA07-355A.html (US Government Resource)
- lists.opensuse.org/opensuse-security-announce/2007-12/msg00007.html
- secunia.com/advisories/28157
- secunia.com/advisories/28161
- secunia.com/advisories/28213
- secunia.com/advisories/28570
- secunia.com/advisories/30507
- securitytracker.com/id
- sunsolve.sun.com/search/document.do
- www.adobe.com/support/security/bulletins/apsb07-20.html
- www.gentoo.org/security/en/glsa/glsa-200801-07.xml
- www.redhat.com/support/errata/RHSA-2007-1126.html
- www.securityfocus.com/bid/26929
- www.securityfocus.com/bid/26969
- www.vupen.com/english/advisories/2007/4258
- www.vupen.com/english/advisories/2008/1724/references
- exchange.xforce.ibmcloud.com/vulnerabilities/39134
- oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A9546
News mentions
No linked articles in our index yet.