VYPR
Moderate severity · NVD Advisory · Published Dec 27, 2020 · Updated Aug 4, 2024

CVE-2020-35678

Description

Autobahn|Python before 20.12.3 allows redirect header injection.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Autobahn|Python before 20.12.3 allows redirect header injection, enabling HTTP header injection and potential session hijacking.

Vulnerability Overview

CVE-2020-35678 is a redirect header injection vulnerability in Autobahn|Python versions prior to 20.12.3. The flaw occurs during HTTP redirect handling when the library fails to properly re-encode the URL, allowing an attacker-controlled redirect to inject arbitrary HTTP headers. [1][3]

Exploitation and Attack Surface

An attacker can exploit this by crafting a malicious server response that includes a redirect URL containing encoded newline characters (e.g., %0d%0a). The vulnerable library processes this redirect without sanitizing or re-encoding the URL, thereby injecting additional HTTP headers into the subsequent request. This attack requires the attacker to control a server that the client connects to, or to perform a man-in-the-middle (MitM) attack on the connection. [3][4]

Impact

Successful exploitation enables an attacker to perform HTTP header injection, which could lead to request smuggling, session hijacking, or bypassing security controls such as same-origin policies. In scenarios where the client handles cookies or authentication tokens, the attacker may be able to steal or manipulate those credentials. [4]

Mitigation

The vulnerability is fixed in Autobahn|Python version 20.12.3 and later. Users are strongly advised to upgrade to this version or later. The fix ensures that URLs are properly re-encoded when handling redirect responses, preventing the injection of malicious headers. No workarounds have been documented for older versions. [1]
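The mechanics described under Exploitation and Attack Surface (a percent-encoded CR LF that the query parser decodes into a raw line break) and the re-encoding defence described under Mitigation, as an added example that is not Autobahn|Python's own code. Autobahn's fix normalizes the URL with the hyperlink library; this block shows the same idea with only the Python standard library. The function names, the `URL_SAFE` set and the two query strings are constructed for the illustration.

```python
"""Redirect header injection (CVE-2020-35678 pattern) beside a re-encoding fix.

Added illustration, not code from Autobahn|Python. The project's fix uses
hyperlink.URL.from_text(...).to_uri().normalize(); here urllib.parse.quote
stands in for that normalization.
"""
from urllib.parse import parse_qs, quote

# Constructed sample query strings (not captured traffic). The query parser
# percent-decodes each value, so %0d%0a becomes a literal CR LF inside the
# 'redirect' value before it is ever placed into a response header.
BENIGN_QUERY = "redirect=https%3A%2F%2Fexample.com%2Fok&after=3"
HOSTILE_QUERY = ("redirect=https%3A%2F%2Fexample.com%2F%0d%0a"
                 "Set-Cookie%3A%20sid%3Dinjected&after=3")

# RFC 3986 reserved characters plus '%', so already-encoded octets are kept
# intact; everything else outside the unreserved set gets percent-encoded.
URL_SAFE = ":/?#[]@!$&'()*+,;=%"


def redirect_target(query: str) -> str:
    """Extract the decoded 'redirect' value the way a query parser would."""
    return parse_qs(query).get("redirect", [""])[0]


def contains_header_breaking_chars(value: str) -> bool:
    """CR, LF or NUL inside a header value end or split the header line."""
    return any(ch in value for ch in ("\r", "\n", "\x00"))


def reencode_url(url: str) -> str:
    """Percent-encode every octet that is neither unreserved nor reserved.

    Control characters and spaces come back as %XX (upper-case hex), so the
    result can no longer break out of a single header line.
    """
    return quote(url, safe=URL_SAFE)


def vulnerable_location_header(query: str) -> str:
    """Pre-fix shape: the decoded value is written into the header as-is."""
    return "Location: " + redirect_target(query)


def hardened_location_header(query: str) -> str:
    """Post-fix shape: the target is re-encoded before it reaches the header."""
    target = reencode_url(redirect_target(query))
    # Belt and braces: refuse anything that still carries a line break.
    if contains_header_breaking_chars(target):
        raise ValueError("redirect target still contains header-breaking characters")
    return "Location: " + target


def flag_suspicious_redirects(queries):
    """Defender-side check over logged query strings: return those whose
    decoded redirect value carries CR/LF/NUL, i.e. an injection attempt."""
    return [q for q in queries
            if contains_header_breaking_chars(redirect_target(q))]


if __name__ == "__main__":
    print(repr(vulnerable_location_header(HOSTILE_QUERY)))  # raw CR LF visible
    print(hardened_location_header(HOSTILE_QUERY))          # %0D%0A instead
    print(flag_suspicious_redirects([BENIGN_QUERY, HOSTILE_QUERY]))
```

Run against `HOSTILE_QUERY`, the vulnerable builder yields a `Location` header whose value contains a literal CR LF followed by a second header line, while the hardened builder yields `https://example.com/%0D%0ASet-Cookie:%20sid=injected`, a single header line. The detector is the check a reviewer would add to access-log analysis: any redirect parameter that decodes to a line break is an attempt worth alerting on regardless of whether the server was patched.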

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package   | Ecosystem | Affected versions | Patched versions
autobahn  | PyPI      | < 20.12.3         | 20.12.3

Affected products: 8

Patches: 2
3960cbaa017a

fix deploy step

https://github.com/crossbario/autobahn-python · Tobias Oberstein · Dec 19, 2020 · via osv
1 file changed · +1 −1
  • .github/workflows/main.yml · +1 −1 · modified
    @@ -165,7 +165,7 @@ jobs:
             echo BUILD_DATE=`date -u +"%Y-%m-%d"` >> $GITHUB_ENV
             echo AUTOBAHN_VCS_REF=`git rev-parse --short ${GITHUB_SHA}` >> $GITHUB_ENV
             echo AUTOBAHN_BUILD_ID=$(date --utc +%Y%m%d)-$(git rev-parse --short ${GITHUB_SHA}) >> $GITHUB_ENV
    -        echo AUTOBAHN_VERSION=$(grep -E '^(__version__)' ./autobahn-python/_version.py | cut -d ' ' -f3 | sed -e 's|[u"'\'']||g') >> $GITHUB_ENV
    +        echo AUTOBAHN_VERSION=$(grep -E '^(__version__)' ./autobahn/_version.py | cut -d ' ' -f3 | sed -e 's|[u"'\'']||g') >> $GITHUB_ENV
     
         # - name: Set environment - 2
         #   run: |
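Review bot: this hunk only corrects the path used to read `__version__` (`./autobahn-python/_version.py` to `./autobahn/_version.py`) in the CI workflow and touches no request-handling code, so it is not part of the fix for the redirect header injection and should not be cited as such. The `grep | cut | sed` pipeline on the changed line also still assumes a single-line `__version__ = "x.y.z"` assignment in `_version.py`; any other form silently leaves `AUTOBAHN_VERSION` empty, and reading the version with `python -c "import autobahn; print(autobahn.__version__)"` would be more robust.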
    
f7b7ad5c1066

URL must be re-encoded when doing redirect (#1439)

1 file changed · +3 −1
  • autobahn/websocket/protocol.py · +3 −1 · modified
    @@ -58,6 +58,7 @@
     from autobahn.util import _maybe_tls_reason
     
     import txaio
    +import hyperlink
     
     
     __all__ = ("WebSocketProtocol",
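Review bot: `import hyperlink` makes hyperlink a hard runtime dependency of `autobahn/websocket/protocol.py`, and this hunk shows no matching change to the package's install requirements, so installs that do not already have it (hyperlink is pulled in by Twisted, but not by an asyncio-only install) will fail with `ImportError` on import of the protocol module; declare the dependency explicitly in the setup metadata rather than relying on a transitive install.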
    @@ -2646,7 +2647,8 @@ def processHandshake(self):
                             #
                             # https://localhost:9000/?redirect=https%3A%2F%2Ftwitter.com%2F&after=3
                             #
    -                        url = self.http_request_params['redirect'][0]
    +                        url = hyperlink.URL.from_text(self.http_request_params['redirect'][0])
    +                        url = url.to_uri().normalize().to_text()
                             if 'after' in self.http_request_params and len(self.http_request_params['after']) > 0:
                                 after = int(self.http_request_params['after'][0])
                                 self.log.debug(
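Review bot: `hyperlink.URL.from_text(...)` raises `hyperlink.URLParseError` on malformed input and the two new lines are unguarded, so a client that sends an unparseable `redirect` value now raises out of `processHandshake` instead of being rejected as a bad handshake; wrap the parse in a try/except and fail the handshake cleanly. The `.to_uri().normalize().to_text()` round-trip is what re-encodes the CR/LF that survived URL-decoding of the query parameter, so this hunk should come with a regression test that passes `redirect=...%0d%0a...` and asserts the resulting redirect text contains `%0D%0A` and no raw line breaks. The redirect target's scheme and host are still not restricted, which the comment above (`?redirect=https%3A%2F%2Ftwitter.com%2F`) shows is intentional for this demo endpoint; that is out of scope for the CVE fix but worth stating in the comment.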
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 8

News mentions: 0

No linked articles in our index yet.