CVE-2016-1000111
Description
Twisted before 16.3.1 does not attempt to address RFC 3875 section 4.1.18 namespace conflicts and therefore does not protect CGI applications from the presence of untrusted client data in the HTTP_PROXY environment variable, which might allow remote attackers to redirect a CGI application's outbound HTTP traffic to an arbitrary proxy server via a crafted Proxy header in an HTTP request, aka an "httpoxy" issue.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Twisted before 16.3.1 fails to sanitize the Proxy header, allowing remote attackers to redirect CGI outbound HTTP traffic via the httpoxy attack.
Overview
Twisted, an event-driven networking engine for Python, is vulnerable to an httpoxy attack (CVE-2016-1000111) in versions prior to 16.3.1. The software does not address RFC 3875 section 4.1.18 namespace conflicts, failing to protect CGI applications from untrusted client data in the HTTP_PROXY environment variable [1]. This allows an attacker to inject a malicious Proxy header into an HTTP request, which then becomes the HTTP_PROXY variable for CGI processes.
Attack
Vector
An attacker can exploit this vulnerability by sending a crafted HTTP request containing a Proxy header to a web server that uses Twisted's CGI implementation. The server naively passes the header value to the CGI subprocess as the HTTP_PROXY environment variable, without verifying the source of the data [1]. This attack requires no authentication and can be performed remotely over a network connection; the only prerequisite is that the CGI application makes outbound HTTP connections using the HTTP_PROXY variable.
Impact
If a CGI application uses HTTP_PROXY to route its outbound HTTP traffic (a common pattern), the attacker can redirect that traffic to an arbitrary proxy server under their control. This can lead to man-in-the-middle attacks, interception of sensitive data, or tampering with outbound requests from the application [1][2]. The vulnerability is part of a class of httpoxy issues that affected multiple languages and frameworks, including PHP, Go, Apache HTTPD, and others [2].
Mitigation
Twisted 16.3.1, released on August 15, 2016, fixes this vulnerability by properly sanitizing the Proxy header before CGI environment setup [4]. Users should upgrade to version 16.3.1 or later. The fix is included alongside other security improvements, such as fixing predictable session identifiers and insecure cookie handling [4].
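To make the mechanism concrete, here is an added illustration (not Twisted's own code) of how a CGI gateway maps request headers into environment variables per RFC 3875 section 4.1.18, why the Proxy header collides with HTTP_PROXY, and what the sanitizing fix looks like. The header list and the `proxy_for_cgi_child` helper are constructed for this example; the helper assumes, as is common for HTTP client libraries, that a child process honours HTTP_PROXY when it is set.

```python
"""Illustration of the httpoxy namespace conflict in CGI environment setup.

Added example, not Twisted's implementation.  Shows the naive RFC 3875
header-to-environment mapping beside a hardened version that refuses to let a
client-supplied Proxy header become HTTP_PROXY in the CGI child's environment.
"""
from typing import Dict, Iterable, Optional, Tuple

Header = Tuple[str, str]


def header_to_cgi_name(name: str) -> str:
    """RFC 3875 section 4.1.18: upper-case the header name, turn '-' into '_',
    and prefix with 'HTTP_'.  Note that 'Proxy' (any case) becomes 'HTTP_PROXY'."""
    return "HTTP_" + name.upper().replace("-", "_")


def build_cgi_env_naive(headers: Iterable[Header],
                        base_env: Optional[Dict[str, str]] = None) -> Dict[str, str]:
    """Vulnerable pattern: every client header is copied into the environment,
    so a 'Proxy: ...' request header lands in HTTP_PROXY untouched."""
    env = dict(base_env or {})
    for name, value in headers:
        env[header_to_cgi_name(name)] = value
    return env


def build_cgi_env_hardened(headers: Iterable[Header],
                           base_env: Optional[Dict[str, str]] = None) -> Dict[str, str]:
    """Fixed pattern: the check is made on the normalised CGI name, so 'Proxy',
    'proxy' and 'PROXY' are all caught.  The header is dropped rather than
    renamed, because nothing in the CGI child has a legitimate use for it."""
    env = dict(base_env or {})
    for name, value in headers:
        cgi_name = header_to_cgi_name(name)
        if cgi_name == "HTTP_PROXY":
            # Client data must never become outbound proxy configuration.
            continue
        env[cgi_name] = value
    return env


def proxy_for_cgi_child(env: Dict[str, str]) -> Optional[str]:
    """Constructed stand-in for an HTTP client library running in the CGI child:
    it routes outbound requests through HTTP_PROXY when that variable is set
    (assumption about client behaviour, used only to show the effect)."""
    return env.get("HTTP_PROXY") or None


# Constructed request headers: a normal request plus a crafted Proxy header.
CONSTRUCTED_HEADERS = [
    ("Host", "app.example"),
    ("User-Agent", "constructed-client/1.0"),
    ("Proxy", "proxy.attacker.invalid:8080"),
]


def demo() -> Tuple[Optional[str], Optional[str]]:
    """Return (proxy seen by the child under the naive mapping,
               proxy seen by the child under the hardened mapping)."""
    naive = build_cgi_env_naive(CONSTRUCTED_HEADERS)
    hardened = build_cgi_env_hardened(CONSTRUCTED_HEADERS)
    return proxy_for_cgi_child(naive), proxy_for_cgi_child(hardened)


if __name__ == "__main__":
    before, after = demo()
    print("naive mapping    -> child would use proxy:", before)
    print("hardened mapping -> child would use proxy:", after)
```

Running the module shows the naive mapping handing `proxy.attacker.invalid:8080` to the child while the hardened mapping yields no proxy at all; the remaining headers (Host, User-Agent) are mapped identically in both, which is the point of the fix being a targeted drop rather than a change to the RFC 3875 mapping. For detection, a request carrying a Proxy header is anomalous on its own, since no browser or standard client sends one, so logging or rejecting it at the front end is a reasonable complement to the upgrade.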
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| Twisted (PyPI) | < 16.3.1 | 16.3.1 |
Affected products
- Twisted/Twisted (GHSA coordinates, 4 versions)
- pkg:pypi/twisted (no CPE), range: < 16.3.1
- pkg:rpm/suse/python-Twisted, distro SUSE Enterprise Storage 3 (no CPE), range: < 15.2.1-8.1
- pkg:rpm/suse/python-Twisted, distro SUSE Enterprise Storage 4 (no CPE), range: < 15.2.1-8.1
- pkg:rpm/suse/python-Twisted, distro SUSE Linux Enterprise Module for Web and Scripting 12 (no CPE), range: < 15.2.1-8.1
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-3gqj-cmxr-p4x2 (GHSA advisory)
- nvd.nist.gov/vuln/detail/CVE-2016-1000111 (advisory)
- www.oracle.com/technetwork/topics/security/linuxbulletinoct2016-3090545.html (vendor confirmation)
- github.com/pypa/advisory-database/tree/main/vulns/twisted/PYSEC-2020-214.yaml (PyPA advisory database)
- twistedmatrix.com/pipermail/twisted-web/2016-August/005268.html (vendor confirmation)
- twistedmatrix.com/trac/ticket/8623 (vendor confirmation)
- www.openwall.com/lists/oss-security/2016/07/18/6 (oss-security disclosure)
News mentions
No linked articles in our index yet.