Moderate severityNVD Advisory· Published Jul 12, 2021· Updated Aug 3, 2024

Incorrect Transfer-Encoding handling with HTTP/1.0

CVE-2021-33037

Description

Apache Tomcat 10.0.0-M1 to 10.0.6, 9.0.0.M1 to 9.0.46 and 8.5.0 to 8.5.66 did not correctly parse the HTTP transfer-encoding request header in some circumstances leading to the possibility to request smuggling when used with a reverse proxy. Specifically: - Tomcat incorrectly ignored the transfer encoding header if the client declared it would only accept an HTTP/1.0 response; - Tomcat honoured the identify encoding; and - Tomcat did not ensure that, if present, the chunked encoding was the final encoding.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Apache Tomcat improperly parses HTTP transfer-encoding headers allowing request smuggling when behind a reverse proxy.

Vulnerability

Apache Tomcat versions 10.0.0-M1 to 10.0.6, 9.0.0.M1 to 9.0.46, and 8.5.0 to 8.5.66 incorrectly parse the HTTP Transfer-Encoding request header. The parsing fails in three ways: (1) ignoring the header if the client declares HTTP/1.0 response only; (2) honouring the identity encoding; (3) not ensuring chunked is the final encoding. This occurs in Tomcat's HTTP connector when behind a reverse proxy [1][2][3][4].

Exploitation

An attacker with network access to send HTTP requests to the reverse proxy can craft a request with a malformed Transfer-Encoding header that exploits Tomcat's parsing flaws. The reverse proxy forwards the request to Tomcat, which misinterprets the body boundaries, leading to request smuggling. No authentication is required, and the attacker must be able to control request headers [4].

Impact

Successful exploitation allows the attacker to smuggle a request past the reverse proxy, enabling request hijacking, cache poisoning, or bypass of security controls. The impact depends on the proxy configuration but can lead to disclosure of internal data or unauthorized actions [4].

Mitigation

Upgrade to Apache Tomcat 8.5.67, 9.0.47, or 10.0.7 or later. No workarounds are disclosed in the available references. Users on unsupported branches (8.5.x EOL, 10.0.x EOL) must upgrade to supported releases [1][2][3].

References

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
org.apache.tomcat:tomcatMaven	>= 10.0.0-M1, < 10.0.7	10.0.7
org.apache.tomcat:tomcatMaven	>= 9.0.0-M1, < 9.0.48	9.0.48
org.apache.tomcat:tomcatMaven	>= 8.5.0, < 8.5.68	8.5.68

Affected products

osv-coords32 versions
pkg:bitnami/tomcat pkg:maven/org.apache.tomcat/tomcat pkg:rpm/opensuse/tomcat10&distro=openSUSE%20Tumbleweed pkg:rpm/opensuse/tomcat&distro=openSUSE%20Leap%2015.2 pkg:rpm/opensuse/tomcat&distro=openSUSE%20Leap%2015.3 pkg:rpm/opensuse/tomcat&distro=openSUSE%20Tumbleweed pkg:rpm/suse/javapackages-tools&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP4-LTSS pkg:rpm/suse/javapackages-tools&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP5 pkg:rpm/suse/javapackages-tools&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP4 pkg:rpm/suse/javapackages-tools&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP5 pkg:rpm/suse/javapackages-tools&distro=SUSE%20OpenStack%20Cloud%209 pkg:rpm/suse/javapackages-tools&distro=SUSE%20OpenStack%20Cloud%20Crowbar%209 pkg:rpm/suse/tomcat&distro=SUSE%20Enterprise%20Storage%206 pkg:rpm/suse/tomcat&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP1-ESPOS pkg:rpm/suse/tomcat&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP1-LTSS pkg:rpm/suse/tomcat&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015-ESPOS pkg:rpm/suse/tomcat&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015-LTSS pkg:rpm/suse/tomcat&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Web%20and%20Scripting%2015%20SP2 pkg:rpm/suse/tomcat&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Web%20and%20Scripting%2015%20SP3 pkg:rpm/suse/tomcat&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP4-LTSS pkg:rpm/suse/tomcat&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP5 pkg:rpm/suse/tomcat&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP5-LTSS pkg:rpm/suse/tomcat&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP1-BCL pkg:rpm/suse/tomcat&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP1-LTSS pkg:rpm/suse/tomcat&distro=SUSE%20Linux%20Enterprise%20Server%2015-LTSS pkg:rpm/suse/tomcat&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP4 pkg:rpm/suse/tomcat&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP5 pkg:rpm/suse/tomcat&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015 pkg:rpm/suse/tomcat&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015%20SP1 pkg:rpm/suse/tomcat&distro=SUSE%20Linux%20Enterprise%20Server%20LTSS%20Extended%20Security%2012%20SP5 pkg:rpm/suse/tomcat&distro=SUSE%20OpenStack%20Cloud%209 pkg:rpm/suse/tomcat&distro=SUSE%20OpenStack%20Cloud%20Crowbar%209
>= 8.5.0, < 8.5.67+ 31 more
- (no CPE)range: >= 8.5.0, < 8.5.67
- (no CPE)range: >= 10.0.0-M1, < 10.0.7
- (no CPE)range: < 10.1.14-1.1
- (no CPE)range: < 9.0.36-lp152.2.25.1
- (no CPE)range: < 9.0.36-13.1
- (no CPE)range: < 9.0.43-2.1
- (no CPE)range: < 2.0.1-13.1
- (no CPE)range: < 2.0.1-13.1
- (no CPE)range: < 2.0.1-13.1
- (no CPE)range: < 2.0.1-13.1
- (no CPE)range: < 2.0.1-13.1
- (no CPE)range: < 2.0.1-13.1
- (no CPE)range: < 9.0.36-4.63.1
- (no CPE)range: < 9.0.36-4.63.1
- (no CPE)range: < 9.0.36-4.63.1
- (no CPE)range: < 9.0.36-3.84.1
- (no CPE)range: < 9.0.36-3.84.1
- (no CPE)range: < 9.0.36-13.1
- (no CPE)range: < 9.0.36-13.1
- (no CPE)range: < 9.0.36-3.71.1
- (no CPE)range: < 9.0.36-3.71.1
- (no CPE)range: < 9.0.115-3.160.1
- (no CPE)range: < 9.0.36-4.63.1
- (no CPE)range: < 9.0.36-4.63.1
- (no CPE)range: < 9.0.36-3.84.1
- (no CPE)range: < 9.0.36-3.71.1
- (no CPE)range: < 9.0.36-3.71.1
- (no CPE)range: < 9.0.36-3.84.1
- (no CPE)range: < 9.0.36-4.63.1
- (no CPE)range: < 9.0.115-3.160.1
- (no CPE)range: < 9.0.36-3.71.1
- (no CPE)range: < 9.0.36-3.71.1
Apache Software Foundation/Apache Tomcatv5
Range: Apache Tomcat 10 10.0.0-M1 to 10.0.6

Patches

19d11556d0db

Ensure chunked, if present, is the last encoding in the list

https://github.com/apache/tomcatMark ThomasMay 10, 2021via ghsa

commit

3 files changed · +36 −10

java/org/apache/coyote/http11/Http11Processor.java+12 −1 modified

@@ -209,9 +209,20 @@ private static boolean statusDropsConnection(int status) {
      * supported, a 501 response will be returned to the client.
      */
     private void addInputFilter(InputFilter[] inputFilters, String encodingName) {
+        if (contentDelimitation) {
+            // Chunked has already been specified and it must be the final
+            // encoding.
+            // 400 - Bad request
+            response.setStatus(400);
+            setErrorState(ErrorState.CLOSE_CLEAN, null);
+            if (log.isDebugEnabled()) {
+                log.debug(sm.getString("http11processor.request.prepare") +
+                          " Tranfer encoding lists chunked before [" + encodingName + "]");
+            }
+            return;
+        }
 
         // Parsing trims and converts to lower case.
-
         if (encodingName.equals("chunked")) {
             inputBuffer.addActiveFilter(inputFilters[Constants.CHUNKED_FILTER]);
             contentDelimitation = true;

test/org/apache/coyote/http11/TestHttp11Processor.java+19 −9 modified

@@ -1838,47 +1838,53 @@ public void onError(Throwable throwable) {
 
     @Test
     public void testTEHeaderUnknown01() throws Exception {
-        doTestTEHeaderUnknown("identity");
+        doTestTEHeaderInvalid("identity", false);
     }
 
 
     @Test
     public void testTEHeaderUnknown02() throws Exception {
-        doTestTEHeaderUnknown("identity, chunked");
+        doTestTEHeaderInvalid("identity, chunked", false);
     }
 
 
     @Test
     public void testTEHeaderUnknown03() throws Exception {
-        doTestTEHeaderUnknown("unknown, chunked");
+        doTestTEHeaderInvalid("unknown, chunked", false);
     }
 
 
     @Test
     public void testTEHeaderUnknown04() throws Exception {
-        doTestTEHeaderUnknown("void");
+        doTestTEHeaderInvalid("void", false);
     }
 
 
     @Test
     public void testTEHeaderUnknown05() throws Exception {
-        doTestTEHeaderUnknown("void, chunked");
+        doTestTEHeaderInvalid("void, chunked", false);
     }
 
 
     @Test
     public void testTEHeaderUnknown06() throws Exception {
-        doTestTEHeaderUnknown("void, identity");
+        doTestTEHeaderInvalid("void, identity", false);
     }
 
 
     @Test
     public void testTEHeaderUnknown07() throws Exception {
-        doTestTEHeaderUnknown("identity, void");
+        doTestTEHeaderInvalid("identity, void", false);
     }
 
 
-    private void doTestTEHeaderUnknown(String headerValue) throws Exception {
+    @Test
+    public void testTEHeaderChunkedNotLast01() throws Exception {
+        doTestTEHeaderInvalid("chunked, void", true);
+    }
+
+
+    private void doTestTEHeaderInvalid(String headerValue, boolean badRequest) throws Exception {
         Tomcat tomcat = getTomcatInstance();
 
         // No file system docBase required
@@ -1902,7 +1908,11 @@ private void doTestTEHeaderUnknown(String headerValue) throws Exception {
         client.connect();
         client.processRequest(false);
 
-        Assert.assertTrue(client.isResponse501());
+        if (badRequest) {
+            Assert.assertTrue(client.isResponse400());
+        } else {
+            Assert.assertTrue(client.isResponse501());
+        }
     }

webapps/docs/changelog.xml+5 −0 modified

@@ -202,6 +202,11 @@
         Process transfer encoding headers from both HTTP 1.0 and HTTP 1.1
         clients. (markt)
       </fix>
+      <fix>
+        Ensure that if the transfer encoding header contains the
+        <code>chunked</code>, that the <code>chunked</code> encoding is the
+        final encoding listed. (markt)
+      </fix>
     </changelog>
   </subsection>
   <subsection name="Jasper">

8874fa02e9b3

Ensure chunked, if present, is the last encoding in the list

https://github.com/apache/tomcatMark ThomasMay 10, 2021via ghsa

commit

3 files changed · +36 −10

java/org/apache/coyote/http11/Http11Processor.java+12 −1 modified

@@ -451,9 +451,20 @@ private static boolean statusDropsConnection(int status) {
      * supported, a 501 response will be returned to the client.
      */
     private void addInputFilter(InputFilter[] inputFilters, String encodingName) {
+        if (contentDelimitation) {
+            // Chunked has already been specified and it must be the final
+            // encoding.
+            // 400 - Bad request
+            response.setStatus(400);
+            setErrorState(ErrorState.CLOSE_CLEAN, null);
+            if (log.isDebugEnabled()) {
+                log.debug(sm.getString("http11processor.request.prepare") +
+                          " Tranfer encoding lists chunked before [" + encodingName + "]");
+            }
+            return;
+        }
 
         // Parsing trims and converts to lower case.
-
         if (encodingName.equals("chunked")) {
             inputBuffer.addActiveFilter(inputFilters[Constants.CHUNKED_FILTER]);
             contentDelimitation = true;

test/org/apache/coyote/http11/TestHttp11Processor.java+19 −9 modified

@@ -1854,47 +1854,53 @@ public void onError(Throwable throwable) {
 
     @Test
     public void testTEHeaderUnknown01() throws Exception {
-        doTestTEHeaderUnknown("identity");
+        doTestTEHeaderInvalid("identity", false);
     }
 
 
     @Test
     public void testTEHeaderUnknown02() throws Exception {
-        doTestTEHeaderUnknown("identity, chunked");
+        doTestTEHeaderInvalid("identity, chunked", false);
     }
 
 
     @Test
     public void testTEHeaderUnknown03() throws Exception {
-        doTestTEHeaderUnknown("unknown, chunked");
+        doTestTEHeaderInvalid("unknown, chunked", false);
     }
 
 
     @Test
     public void testTEHeaderUnknown04() throws Exception {
-        doTestTEHeaderUnknown("void");
+        doTestTEHeaderInvalid("void", false);
     }
 
 
     @Test
     public void testTEHeaderUnknown05() throws Exception {
-        doTestTEHeaderUnknown("void, chunked");
+        doTestTEHeaderInvalid("void, chunked", false);
     }
 
 
     @Test
     public void testTEHeaderUnknown06() throws Exception {
-        doTestTEHeaderUnknown("void, identity");
+        doTestTEHeaderInvalid("void, identity", false);
     }
 
 
     @Test
     public void testTEHeaderUnknown07() throws Exception {
-        doTestTEHeaderUnknown("identity, void");
+        doTestTEHeaderInvalid("identity, void", false);
     }
 
 
-    private void doTestTEHeaderUnknown(String headerValue) throws Exception {
+    @Test
+    public void testTEHeaderChunkedNotLast01() throws Exception {
+        doTestTEHeaderInvalid("chunked, void", true);
+    }
+
+
+    private void doTestTEHeaderInvalid(String headerValue, boolean badRequest) throws Exception {
         Tomcat tomcat = getTomcatInstance();
 
         // No file system docBase required
@@ -1918,7 +1924,11 @@ private void doTestTEHeaderUnknown(String headerValue) throws Exception {
         client.connect();
         client.processRequest(false);
 
-        Assert.assertTrue(client.isResponse501());
+        if (badRequest) {
+            Assert.assertTrue(client.isResponse400());
+        } else {
+            Assert.assertTrue(client.isResponse501());
+        }
     }

webapps/docs/changelog.xml+5 −0 modified

@@ -216,6 +216,11 @@
         Process transfer encoding headers from both HTTP 1.0 and HTTP 1.1
         clients. (markt)
       </fix>
+      <fix>
+        Ensure that if the transfer encoding header contains the
+        <code>chunked</code>, that the <code>chunked</code> encoding is the
+        final encoding listed. (markt)
+      </fix>
     </changelog>
   </subsection>
   <subsection name="Jasper">

a2c3dc4c9616

Ensure chunked, if present, is the last encoding in the list

https://github.com/apache/tomcatMark ThomasMay 10, 2021via ghsa

commit

3 files changed · +36 −10

java/org/apache/coyote/http11/Http11Processor.java+12 −1 modified

@@ -209,9 +209,20 @@ private static boolean statusDropsConnection(int status) {
      * supported, a 501 response will be returned to the client.
      */
     private void addInputFilter(InputFilter[] inputFilters, String encodingName) {
+        if (contentDelimitation) {
+            // Chunked has already been specified and it must be the final
+            // encoding.
+            // 400 - Bad request
+            response.setStatus(400);
+            setErrorState(ErrorState.CLOSE_CLEAN, null);
+            if (log.isDebugEnabled()) {
+                log.debug(sm.getString("http11processor.request.prepare") +
+                          " Tranfer encoding lists chunked before [" + encodingName + "]");
+            }
+            return;
+        }
 
         // Parsing trims and converts to lower case.
-
         if (encodingName.equals("chunked")) {
             inputBuffer.addActiveFilter(inputFilters[Constants.CHUNKED_FILTER]);
             contentDelimitation = true;

test/org/apache/coyote/http11/TestHttp11Processor.java+19 −9 modified

@@ -1838,47 +1838,53 @@ public void onError(Throwable throwable) {
 
     @Test
     public void testTEHeaderUnknown01() throws Exception {
-        doTestTEHeaderUnknown("identity");
+        doTestTEHeaderInvalid("identity", false);
     }
 
 
     @Test
     public void testTEHeaderUnknown02() throws Exception {
-        doTestTEHeaderUnknown("identity, chunked");
+        doTestTEHeaderInvalid("identity, chunked", false);
     }
 
 
     @Test
     public void testTEHeaderUnknown03() throws Exception {
-        doTestTEHeaderUnknown("unknown, chunked");
+        doTestTEHeaderInvalid("unknown, chunked", false);
     }
 
 
     @Test
     public void testTEHeaderUnknown04() throws Exception {
-        doTestTEHeaderUnknown("void");
+        doTestTEHeaderInvalid("void", false);
     }
 
 
     @Test
     public void testTEHeaderUnknown05() throws Exception {
-        doTestTEHeaderUnknown("void, chunked");
+        doTestTEHeaderInvalid("void, chunked", false);
     }
 
 
     @Test
     public void testTEHeaderUnknown06() throws Exception {
-        doTestTEHeaderUnknown("void, identity");
+        doTestTEHeaderInvalid("void, identity", false);
     }
 
 
     @Test
     public void testTEHeaderUnknown07() throws Exception {
-        doTestTEHeaderUnknown("identity, void");
+        doTestTEHeaderInvalid("identity, void", false);
     }
 
 
-    private void doTestTEHeaderUnknown(String headerValue) throws Exception {
+    @Test
+    public void testTEHeaderChunkedNotLast01() throws Exception {
+        doTestTEHeaderInvalid("chunked, void", true);
+    }
+
+
+    private void doTestTEHeaderInvalid(String headerValue, boolean badRequest) throws Exception {
         Tomcat tomcat = getTomcatInstance();
 
         // No file system docBase required
@@ -1902,7 +1908,11 @@ private void doTestTEHeaderUnknown(String headerValue) throws Exception {
         client.connect();
         client.processRequest(false);
 
-        Assert.assertTrue(client.isResponse501());
+        if (badRequest) {
+            Assert.assertTrue(client.isResponse400());
+        } else {
+            Assert.assertTrue(client.isResponse501());
+        }
     }

webapps/docs/changelog.xml+5 −0 modified

@@ -228,6 +228,11 @@
         Process transfer encoding headers from both HTTP 1.0 and HTTP 1.1
         clients. (markt)
       </fix>
+      <fix>
+        Ensure that if the transfer encoding header contains the
+        <code>chunked</code>, that the <code>chunked</code> encoding is the
+        final encoding listed. (markt)
+      </fix>
     </changelog>
   </subsection>
   <subsection name="Jasper">

05f9e8b00f5d

Process T-E header from both HTTP 1.0 and HTTP 1.1. clients

https://github.com/apache/tomcatMark ThomasMay 10, 2021via ghsa

commit

3 files changed · +35 −1

java/org/apache/coyote/http11/Http11Processor.java+3 −1 modified

@@ -750,7 +750,9 @@ private void prepareRequest() throws IOException {
         InputFilter[] inputFilters = inputBuffer.getFilters();
 
         // Parse transfer-encoding header
-        if (http11) {
+        // HTTP specs say an HTTP 1.1 server should accept any recognised
+        // HTTP 1.x header from a 1.x client unless the specs says otherwise.
+        if (!http09) {
             MessageBytes transferEncodingValueMB = headers.getValue("transfer-encoding");
             if (transferEncodingValueMB != null) {
                 List<String> encodingNames = new ArrayList<>();

test/org/apache/coyote/http11/TestHttp11Processor.java+28 −0 modified

@@ -1904,4 +1904,32 @@ private void doTestTEHeaderUnknown(String headerValue) throws Exception {
 
         Assert.assertTrue(client.isResponse501());
     }
+
+
+    @Test
+    public void testWithTEChunkedHttp10() throws Exception {
+
+        getTomcatInstanceTestWebapp(false, true);
+
+        String request =
+            "POST /test/echo-params.jsp HTTP/1.0" + SimpleHttpClient.CRLF +
+            "Host: any" + SimpleHttpClient.CRLF +
+            "Transfer-encoding: chunked" + SimpleHttpClient.CRLF +
+            "Content-Type: application/x-www-form-urlencoded" +
+                    SimpleHttpClient.CRLF +
+            "Connection: close" + SimpleHttpClient.CRLF +
+            SimpleHttpClient.CRLF +
+            "9" + SimpleHttpClient.CRLF +
+            "test=data" + SimpleHttpClient.CRLF +
+            "0" + SimpleHttpClient.CRLF +
+            SimpleHttpClient.CRLF;
+
+        Client client = new Client(getPort());
+        client.setRequest(new String[] {request});
+
+        client.connect();
+        client.processRequest();
+        Assert.assertTrue(client.isResponse200());
+        Assert.assertTrue(client.getResponseBody().contains("test - data"));
+    }
 }

webapps/docs/changelog.xml+4 −0 modified

@@ -224,6 +224,10 @@
         in 2001. Requests using this transfer encoding will now receive a 501
         response. (markt)
       </fix>
+      <fix>
+        Process transfer encoding headers from both HTTP 1.0 and HTTP 1.1
+        clients. (markt)
+      </fix>
     </changelog>
   </subsection>
   <subsection name="Jasper">

da0e7cb093cf

Process T-E header from both HTTP 1.0 and HTTP 1.1. clients

https://github.com/apache/tomcatMark ThomasMay 10, 2021via ghsa

commit

3 files changed · +35 −1

java/org/apache/coyote/http11/Http11Processor.java+3 −1 modified

@@ -992,7 +992,9 @@ private void prepareRequest() throws IOException {
         InputFilter[] inputFilters = inputBuffer.getFilters();
 
         // Parse transfer-encoding header
-        if (http11) {
+        // HTTP specs say an HTTP 1.1 server should accept any recognised
+        // HTTP 1.x header from a 1.x client unless the specs says otherwise.
+        if (!http09) {
             MessageBytes transferEncodingValueMB = headers.getValue("transfer-encoding");
             if (transferEncodingValueMB != null) {
                 List<String> encodingNames = new ArrayList<>();

test/org/apache/coyote/http11/TestHttp11Processor.java+28 −0 modified

@@ -1920,4 +1920,32 @@ private void doTestTEHeaderUnknown(String headerValue) throws Exception {
 
         Assert.assertTrue(client.isResponse501());
     }
+
+
+    @Test
+    public void testWithTEChunkedHttp10() throws Exception {
+
+        getTomcatInstanceTestWebapp(false, true);
+
+        String request =
+            "POST /test/echo-params.jsp HTTP/1.0" + SimpleHttpClient.CRLF +
+            "Host: any" + SimpleHttpClient.CRLF +
+            "Transfer-encoding: chunked" + SimpleHttpClient.CRLF +
+            "Content-Type: application/x-www-form-urlencoded" +
+                    SimpleHttpClient.CRLF +
+            "Connection: close" + SimpleHttpClient.CRLF +
+            SimpleHttpClient.CRLF +
+            "9" + SimpleHttpClient.CRLF +
+            "test=data" + SimpleHttpClient.CRLF +
+            "0" + SimpleHttpClient.CRLF +
+            SimpleHttpClient.CRLF;
+
+        Client client = new Client(getPort());
+        client.setRequest(new String[] {request});
+
+        client.connect();
+        client.processRequest();
+        Assert.assertTrue(client.isResponse200());
+        Assert.assertTrue(client.getResponseBody().contains("test - data"));
+    }
 }

webapps/docs/changelog.xml+4 −0 modified

@@ -212,6 +212,10 @@
         in 2001. Requests using this transfer encoding will now receive a 501
         response. (markt)
       </fix>
+      <fix>
+        Process transfer encoding headers from both HTTP 1.0 and HTTP 1.1
+        clients. (markt)
+      </fix>
     </changelog>
   </subsection>
   <subsection name="Jasper">

506134f957a4

Process T-E header from both HTTP 1.0 and HTTP 1.1. clients

https://github.com/apache/tomcatMark ThomasMay 10, 2021via ghsa

commit

3 files changed · +35 −1

java/org/apache/coyote/http11/Http11Processor.java+3 −1 modified

@@ -750,7 +750,9 @@ private void prepareRequest() throws IOException {
         InputFilter[] inputFilters = inputBuffer.getFilters();
 
         // Parse transfer-encoding header
-        if (http11) {
+        // HTTP specs say an HTTP 1.1 server should accept any recognised
+        // HTTP 1.x header from a 1.x client unless the specs says otherwise.
+        if (!http09) {
             MessageBytes transferEncodingValueMB = headers.getValue("transfer-encoding");
             if (transferEncodingValueMB != null) {
                 List<String> encodingNames = new ArrayList<>();

test/org/apache/coyote/http11/TestHttp11Processor.java+28 −0 modified

@@ -1904,4 +1904,32 @@ private void doTestTEHeaderUnknown(String headerValue) throws Exception {
 
         Assert.assertTrue(client.isResponse501());
     }
+
+
+    @Test
+    public void testWithTEChunkedHttp10() throws Exception {
+
+        getTomcatInstanceTestWebapp(false, true);
+
+        String request =
+            "POST /test/echo-params.jsp HTTP/1.0" + SimpleHttpClient.CRLF +
+            "Host: any" + SimpleHttpClient.CRLF +
+            "Transfer-encoding: chunked" + SimpleHttpClient.CRLF +
+            "Content-Type: application/x-www-form-urlencoded" +
+                    SimpleHttpClient.CRLF +
+            "Connection: close" + SimpleHttpClient.CRLF +
+            SimpleHttpClient.CRLF +
+            "9" + SimpleHttpClient.CRLF +
+            "test=data" + SimpleHttpClient.CRLF +
+            "0" + SimpleHttpClient.CRLF +
+            SimpleHttpClient.CRLF;
+
+        Client client = new Client(getPort());
+        client.setRequest(new String[] {request});
+
+        client.connect();
+        client.processRequest();
+        Assert.assertTrue(client.isResponse200());
+        Assert.assertTrue(client.getResponseBody().contains("test - data"));
+    }
 }

webapps/docs/changelog.xml+4 −0 modified

@@ -198,6 +198,10 @@
         in 2001. Requests using this transfer encoding will now receive a 501
         response. (markt)
       </fix>
+      <fix>
+        Process transfer encoding headers from both HTTP 1.0 and HTTP 1.1
+        clients. (markt)
+      </fix>
     </changelog>
   </subsection>
   <subsection name="Jasper">

eee0d024c1b3

Remove support for the identity T-E header value

https://github.com/apache/tomcatMark ThomasMay 10, 2021via ghsa

commit

3 files changed · +78 −31

java/org/apache/coyote/http11/Http11Processor.java+2 −6 modified

@@ -212,11 +212,8 @@ private void addInputFilter(InputFilter[] inputFilters, String encodingName) {
 
         // Parsing trims and converts to lower case.
 
-        if (encodingName.equals("identity")) {
-            // Skip
-        } else if (encodingName.equals("chunked")) {
-            inputBuffer.addActiveFilter
-                (inputFilters[Constants.CHUNKED_FILTER]);
+        if (encodingName.equals("chunked")) {
+            inputBuffer.addActiveFilter(inputFilters[Constants.CHUNKED_FILTER]);
             contentDelimitation = true;
         } else {
             for (int i = pluggableFilterIndex; i < inputFilters.length; i++) {
@@ -759,7 +756,6 @@ private void prepareRequest() throws IOException {
                 List<String> encodingNames = new ArrayList<>();
                 if (TokenList.parseTokenList(headers.values("transfer-encoding"), encodingNames)) {
                     for (String encodingName : encodingNames) {
-                        // "identity" codings are ignored
                         addInputFilter(inputFilters, encodingName);
                     }
                 } else {

test/org/apache/coyote/http11/TestHttp11Processor.java+70 −25 modified

@@ -253,31 +253,6 @@ private void doTestWithTEChunked(boolean withCL) throws Exception {
     }
 
 
-    @Test
-    public void testWithTEIdentity() throws Exception {
-        getTomcatInstanceTestWebapp(false, true);
-
-        String request =
-            "POST /test/echo-params.jsp HTTP/1.1" + SimpleHttpClient.CRLF +
-            "Host: any" + SimpleHttpClient.CRLF +
-            "Transfer-encoding: identity" + SimpleHttpClient.CRLF +
-            "Content-Length: 9" + SimpleHttpClient.CRLF +
-            "Content-Type: application/x-www-form-urlencoded" +
-                    SimpleHttpClient.CRLF +
-            "Connection: close" + SimpleHttpClient.CRLF +
-                SimpleHttpClient.CRLF +
-            "test=data";
-
-        Client client = new Client(getPort());
-        client.setRequest(new String[] {request});
-
-        client.connect();
-        client.processRequest();
-        Assert.assertTrue(client.isResponse200());
-        Assert.assertTrue(client.getResponseBody().contains("test - data"));
-    }
-
-
     @Test
     public void testWithTESavedRequest() throws Exception {
         getTomcatInstanceTestWebapp(false, true);
@@ -1859,4 +1834,74 @@ public void onError(Throwable throwable) {
             // NO-OP
         }
     }
+
+
+    @Test
+    public void testTEHeaderUnknown01() throws Exception {
+        doTestTEHeaderUnknown("identity");
+    }
+
+
+    @Test
+    public void testTEHeaderUnknown02() throws Exception {
+        doTestTEHeaderUnknown("identity, chunked");
+    }
+
+
+    @Test
+    public void testTEHeaderUnknown03() throws Exception {
+        doTestTEHeaderUnknown("unknown, chunked");
+    }
+
+
+    @Test
+    public void testTEHeaderUnknown04() throws Exception {
+        doTestTEHeaderUnknown("void");
+    }
+
+
+    @Test
+    public void testTEHeaderUnknown05() throws Exception {
+        doTestTEHeaderUnknown("void, chunked");
+    }
+
+
+    @Test
+    public void testTEHeaderUnknown06() throws Exception {
+        doTestTEHeaderUnknown("void, identity");
+    }
+
+
+    @Test
+    public void testTEHeaderUnknown07() throws Exception {
+        doTestTEHeaderUnknown("identity, void");
+    }
+
+
+    private void doTestTEHeaderUnknown(String headerValue) throws Exception {
+        Tomcat tomcat = getTomcatInstance();
+
+        // No file system docBase required
+        Context ctx = tomcat.addContext("", null);
+
+        // Add servlet
+        Tomcat.addServlet(ctx, "TesterServlet", new TesterServlet(false));
+        ctx.addServletMappingDecoded("/foo", "TesterServlet");
+
+        tomcat.start();
+
+        String request =
+                "GET /foo HTTP/1.1" + SimpleHttpClient.CRLF +
+                "Host: localhost:" + getPort() + SimpleHttpClient.CRLF +
+                "Transfer-Encoding: " + headerValue + SimpleHttpClient.CRLF +
+                SimpleHttpClient.CRLF;
+
+        Client client = new Client(tomcat.getConnector().getLocalPort());
+        client.setRequest(new String[] {request});
+
+        client.connect();
+        client.processRequest(false);
+
+        Assert.assertTrue(client.isResponse501());
+    }
 }

webapps/docs/changelog.xml+6 −0 modified

@@ -192,6 +192,12 @@
         the empty token is at the start, middle or end of the list of tokens.
         (markt)
       </fix>
+      <fix>
+        Remove support for the <code>identity</code> transfer encoding. The
+        inclusion of this encoding in RFC 2616 was an error that was corrected
+        in 2001. Requests using this transfer encoding will now receive a 501
+        response. (markt)
+      </fix>
     </changelog>
   </subsection>
   <subsection name="Jasper">

45d70a86a901

Remove support for the identity T-E header value

https://github.com/apache/tomcatMark ThomasMay 10, 2021via ghsa

commit

3 files changed · +78 −31

java/org/apache/coyote/http11/Http11Processor.java+2 −6 modified

@@ -212,11 +212,8 @@ private void addInputFilter(InputFilter[] inputFilters, String encodingName) {
 
         // Parsing trims and converts to lower case.
 
-        if (encodingName.equals("identity")) {
-            // Skip
-        } else if (encodingName.equals("chunked")) {
-            inputBuffer.addActiveFilter
-                (inputFilters[Constants.CHUNKED_FILTER]);
+        if (encodingName.equals("chunked")) {
+            inputBuffer.addActiveFilter(inputFilters[Constants.CHUNKED_FILTER]);
             contentDelimitation = true;
         } else {
             for (int i = pluggableFilterIndex; i < inputFilters.length; i++) {
@@ -759,7 +756,6 @@ private void prepareRequest() throws IOException {
                 List<String> encodingNames = new ArrayList<>();
                 if (TokenList.parseTokenList(headers.values("transfer-encoding"), encodingNames)) {
                     for (String encodingName : encodingNames) {
-                        // "identity" codings are ignored
                         addInputFilter(inputFilters, encodingName);
                     }
                 } else {

test/org/apache/coyote/http11/TestHttp11Processor.java+70 −25 modified

@@ -253,31 +253,6 @@ private void doTestWithTEChunked(boolean withCL) throws Exception {
     }
 
 
-    @Test
-    public void testWithTEIdentity() throws Exception {
-        getTomcatInstanceTestWebapp(false, true);
-
-        String request =
-            "POST /test/echo-params.jsp HTTP/1.1" + SimpleHttpClient.CRLF +
-            "Host: any" + SimpleHttpClient.CRLF +
-            "Transfer-encoding: identity" + SimpleHttpClient.CRLF +
-            "Content-Length: 9" + SimpleHttpClient.CRLF +
-            "Content-Type: application/x-www-form-urlencoded" +
-                    SimpleHttpClient.CRLF +
-            "Connection: close" + SimpleHttpClient.CRLF +
-                SimpleHttpClient.CRLF +
-            "test=data";
-
-        Client client = new Client(getPort());
-        client.setRequest(new String[] {request});
-
-        client.connect();
-        client.processRequest();
-        Assert.assertTrue(client.isResponse200());
-        Assert.assertTrue(client.getResponseBody().contains("test - data"));
-    }
-
-
     @Test
     public void testWithTESavedRequest() throws Exception {
         getTomcatInstanceTestWebapp(false, true);
@@ -1859,4 +1834,74 @@ public void onError(Throwable throwable) {
             // NO-OP
         }
     }
+
+
+    @Test
+    public void testTEHeaderUnknown01() throws Exception {
+        doTestTEHeaderUnknown("identity");
+    }
+
+
+    @Test
+    public void testTEHeaderUnknown02() throws Exception {
+        doTestTEHeaderUnknown("identity, chunked");
+    }
+
+
+    @Test
+    public void testTEHeaderUnknown03() throws Exception {
+        doTestTEHeaderUnknown("unknown, chunked");
+    }
+
+
+    @Test
+    public void testTEHeaderUnknown04() throws Exception {
+        doTestTEHeaderUnknown("void");
+    }
+
+
+    @Test
+    public void testTEHeaderUnknown05() throws Exception {
+        doTestTEHeaderUnknown("void, chunked");
+    }
+
+
+    @Test
+    public void testTEHeaderUnknown06() throws Exception {
+        doTestTEHeaderUnknown("void, identity");
+    }
+
+
+    @Test
+    public void testTEHeaderUnknown07() throws Exception {
+        doTestTEHeaderUnknown("identity, void");
+    }
+
+
+    private void doTestTEHeaderUnknown(String headerValue) throws Exception {
+        Tomcat tomcat = getTomcatInstance();
+
+        // No file system docBase required
+        Context ctx = tomcat.addContext("", null);
+
+        // Add servlet
+        Tomcat.addServlet(ctx, "TesterServlet", new TesterServlet(false));
+        ctx.addServletMappingDecoded("/foo", "TesterServlet");
+
+        tomcat.start();
+
+        String request =
+                "GET /foo HTTP/1.1" + SimpleHttpClient.CRLF +
+                "Host: localhost:" + getPort() + SimpleHttpClient.CRLF +
+                "Transfer-Encoding: " + headerValue + SimpleHttpClient.CRLF +
+                SimpleHttpClient.CRLF;
+
+        Client client = new Client(tomcat.getConnector().getLocalPort());
+        client.setRequest(new String[] {request});
+
+        client.connect();
+        client.processRequest(false);
+
+        Assert.assertTrue(client.isResponse501());
+    }
 }

webapps/docs/changelog.xml+6 −0 modified

@@ -218,6 +218,12 @@
         the empty token is at the start, middle or end of the list of tokens.
         (markt)
       </fix>
+      <fix>
+        Remove support for the <code>identity</code> transfer encoding. The
+        inclusion of this encoding in RFC 2616 was an error that was corrected
+        in 2001. Requests using this transfer encoding will now receive a 501
+        response. (markt)
+      </fix>
     </changelog>
   </subsection>
   <subsection name="Jasper">

3202703e6d63

Remove support for the identity T-E header value

https://github.com/apache/tomcatMark ThomasMay 10, 2021via ghsa

commit

3 files changed · +78 −31

java/org/apache/coyote/http11/Http11Processor.java+2 −6 modified

@@ -454,11 +454,8 @@ private void addInputFilter(InputFilter[] inputFilters, String encodingName) {
 
         // Parsing trims and converts to lower case.
 
-        if (encodingName.equals("identity")) {
-            // Skip
-        } else if (encodingName.equals("chunked")) {
-            inputBuffer.addActiveFilter
-                (inputFilters[Constants.CHUNKED_FILTER]);
+        if (encodingName.equals("chunked")) {
+            inputBuffer.addActiveFilter(inputFilters[Constants.CHUNKED_FILTER]);
             contentDelimitation = true;
         } else {
             for (int i = pluggableFilterIndex; i < inputFilters.length; i++) {
@@ -1001,7 +998,6 @@ private void prepareRequest() throws IOException {
                 List<String> encodingNames = new ArrayList<>();
                 if (TokenList.parseTokenList(headers.values("transfer-encoding"), encodingNames)) {
                     for (String encodingName : encodingNames) {
-                        // "identity" codings are ignored
                         addInputFilter(inputFilters, encodingName);
                     }
                 } else {

test/org/apache/coyote/http11/TestHttp11Processor.java+70 −25 modified

@@ -255,31 +255,6 @@ private void doTestWithTEChunked(boolean withCL) throws Exception {
     }
 
 
-    @Test
-    public void testWithTEIdentity() throws Exception {
-        getTomcatInstanceTestWebapp(false, true);
-
-        String request =
-            "POST /test/echo-params.jsp HTTP/1.1" + SimpleHttpClient.CRLF +
-            "Host: any" + SimpleHttpClient.CRLF +
-            "Transfer-encoding: identity" + SimpleHttpClient.CRLF +
-            "Content-Length: 9" + SimpleHttpClient.CRLF +
-            "Content-Type: application/x-www-form-urlencoded" +
-                    SimpleHttpClient.CRLF +
-            "Connection: close" + SimpleHttpClient.CRLF +
-                SimpleHttpClient.CRLF +
-            "test=data";
-
-        Client client = new Client(getPort());
-        client.setRequest(new String[] {request});
-
-        client.connect();
-        client.processRequest();
-        Assert.assertTrue(client.isResponse200());
-        Assert.assertTrue(client.getResponseBody().contains("test - data"));
-    }
-
-
     @Test
     public void testWithTESavedRequest() throws Exception {
         getTomcatInstanceTestWebapp(false, true);
@@ -1875,4 +1850,74 @@ public void onError(Throwable throwable) {
             // NO-OP
         }
     }
+
+
+    @Test
+    public void testTEHeaderUnknown01() throws Exception {
+        doTestTEHeaderUnknown("identity");
+    }
+
+
+    @Test
+    public void testTEHeaderUnknown02() throws Exception {
+        doTestTEHeaderUnknown("identity, chunked");
+    }
+
+
+    @Test
+    public void testTEHeaderUnknown03() throws Exception {
+        doTestTEHeaderUnknown("unknown, chunked");
+    }
+
+
+    @Test
+    public void testTEHeaderUnknown04() throws Exception {
+        doTestTEHeaderUnknown("void");
+    }
+
+
+    @Test
+    public void testTEHeaderUnknown05() throws Exception {
+        doTestTEHeaderUnknown("void, chunked");
+    }
+
+
+    @Test
+    public void testTEHeaderUnknown06() throws Exception {
+        doTestTEHeaderUnknown("void, identity");
+    }
+
+
+    @Test
+    public void testTEHeaderUnknown07() throws Exception {
+        doTestTEHeaderUnknown("identity, void");
+    }
+
+
+    private void doTestTEHeaderUnknown(String headerValue) throws Exception {
+        Tomcat tomcat = getTomcatInstance();
+
+        // No file system docBase required
+        Context ctx = tomcat.addContext("", null);
+
+        // Add servlet
+        Tomcat.addServlet(ctx, "TesterServlet", new TesterServlet(false));
+        ctx.addServletMappingDecoded("/foo", "TesterServlet");
+
+        tomcat.start();
+
+        String request =
+                "GET /foo HTTP/1.1" + SimpleHttpClient.CRLF +
+                "Host: localhost:" + getPort() + SimpleHttpClient.CRLF +
+                "Transfer-Encoding: " + headerValue + SimpleHttpClient.CRLF +
+                SimpleHttpClient.CRLF;
+
+        Client client = new Client(tomcat.getConnector().getLocalPort());
+        client.setRequest(new String[] {request});
+
+        client.connect();
+        client.processRequest(false);
+
+        Assert.assertTrue(client.isResponse501());
+    }
 }

webapps/docs/changelog.xml+6 −0 modified

@@ -206,6 +206,12 @@
         the empty token is at the start, middle or end of the list of tokens.
         (markt)
       </fix>
+      <fix>
+        Remove support for the <code>identity</code> transfer encoding. The
+        inclusion of this encoding in RFC 2616 was an error that was corrected
+        in 2001. Requests using this transfer encoding will now receive a 501
+        response. (markt)
+      </fix>
     </changelog>
   </subsection>
   <subsection name="Jasper">

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

github.com/advisories/GHSA-4vww-mc66-62m6ghsaADVISORY
nvd.nist.gov/vuln/detail/CVE-2021-33037ghsaADVISORY
security.gentoo.org/glsa/202208-34ghsavendor-advisoryx_refsource_GENTOOWEB
www.debian.org/security/2021/dsa-4952ghsavendor-advisoryx_refsource_DEBIANWEB
github.com/apache/tomcat/commit/05f9e8b00f5d9251fcd3c95dcfd6cf84177f46c8ghsaWEB
github.com/apache/tomcat/commit/19d11556d0db99df291df33605f137976d152475ghsaWEB
github.com/apache/tomcat/commit/3202703e6d635e39b74262e81f0cb4bcbe2170dcghsaWEB
github.com/apache/tomcat/commit/45d70a86a901cbd534f8f570bed2aec9f7f7b88eghsaWEB
github.com/apache/tomcat/commit/506134f957a4be2c5b4a9334f7b3435fc954dbc1ghsaWEB
github.com/apache/tomcat/commit/8874fa02e9b36baa9ca6b226c0882c0190ca5a02ghsaWEB
github.com/apache/tomcat/commit/a2c3dc4c96168743ac0bab613709a5bbdaec41d0ghsaWEB
github.com/apache/tomcat/commit/da0e7cb093cf68b052d9175e469dbd0464441b0bghsaWEB
github.com/apache/tomcat/commit/eee0d024c1b3171560c92eaba79dd6eb8eb11bcdghsaWEB
kc.mcafee.com/corporate/indexghsax_refsource_CONFIRMWEB
lists.apache.org/thread.html/r290aee55b72811fd19e75ac80f6143716c079170c5671b96932ed44b%40%3Ccommits.tomee.apache.org%3Emitremailing-listx_refsource_MLIST
lists.apache.org/thread.html/r290aee55b72811fd19e75ac80f6143716c079170c5671b96932ed44b@%3Ccommits.tomee.apache.org%3EghsaWEB
lists.apache.org/thread.html/r40f921575aee8d7d34e53182f862c45cbb8f3d898c9d4e865c2ec262%40%3Ccommits.tomee.apache.org%3Emitremailing-listx_refsource_MLIST
lists.apache.org/thread.html/r40f921575aee8d7d34e53182f862c45cbb8f3d898c9d4e865c2ec262@%3Ccommits.tomee.apache.org%3EghsaWEB
lists.apache.org/thread.html/r612a79269b0d5e5780c62dfd34286a8037232fec0bc6f1a7e60c9381%40%3Cannounce.tomcat.apache.org%3Eghsax_refsource_MISCWEB
lists.apache.org/thread.html/rc6ef52453bb996a98cb45442871a1db56b7c349939e45d829bf9ae37%40%3Ccommits.tomee.apache.org%3Emitremailing-listx_refsource_MLIST
lists.apache.org/thread.html/rc6ef52453bb996a98cb45442871a1db56b7c349939e45d829bf9ae37@%3Ccommits.tomee.apache.org%3EghsaWEB
lists.apache.org/thread.html/rd0dfea39829bc0606c936a16f6fca338127c86c0a1083970b45ac8d2%40%3Ccommits.tomee.apache.org%3Emitremailing-listx_refsource_MLIST
lists.apache.org/thread.html/rd0dfea39829bc0606c936a16f6fca338127c86c0a1083970b45ac8d2@%3Ccommits.tomee.apache.org%3EghsaWEB
lists.apache.org/thread.html/re01e7e93154e8bdf78a11a23f9686427bd3d51fc6e12c508645567b7%40%3Ccommits.tomee.apache.org%3Emitremailing-listx_refsource_MLIST
lists.apache.org/thread.html/re01e7e93154e8bdf78a11a23f9686427bd3d51fc6e12c508645567b7@%3Ccommits.tomee.apache.org%3EghsaWEB
lists.apache.org/thread.html/rf1b54fd3f52f998ca4829159a88cc4c23d6cef5c6447d00948e75c97%40%3Ccommits.tomee.apache.org%3Emitremailing-listx_refsource_MLIST
lists.apache.org/thread.html/rf1b54fd3f52f998ca4829159a88cc4c23d6cef5c6447d00948e75c97@%3Ccommits.tomee.apache.org%3EghsaWEB
lists.apache.org/thread/kovg1bft77xo34ksrcskh5nl50p69962ghsaWEB
lists.debian.org/debian-lts-announce/2021/08/msg00009.htmlghsamailing-listx_refsource_MLISTWEB
security.netapp.com/advisory/ntap-20210827-0007ghsaWEB
security.netapp.com/advisory/ntap-20210827-0007/mitrex_refsource_CONFIRM
tomcat.apache.org/security-10.htmlghsaWEB
tomcat.apache.org/security-8.htmlghsaWEB
tomcat.apache.org/security-9.htmlghsaWEB
www.oracle.com//security-alerts/cpujul2021.htmlghsax_refsource_MISCWEB
www.oracle.com/security-alerts/cpuapr2022.htmlghsax_refsource_MISCWEB
www.oracle.com/security-alerts/cpujan2022.htmlghsax_refsource_MISCWEB
www.oracle.com/security-alerts/cpuoct2021.htmlghsax_refsource_MISCWEB

News mentions

No linked articles in our index yet.

cvss	0.260
epss	0.001
exploit	0.000
kev	0.000
patch	-0.070
ransomware	0.000