Description
In Ktor before 1.3.0, request smuggling is possible when running behind a proxy that doesn't handle Content-Length and Transfer-Encoding properly or doesn't handle \n as a headers separator.
Remediation
References
https://github.com/ktorio/ktor/pull/1547
https://github.com/ktorio/ktor/security/advisories/GHSA-xrr9-rh8p-433v
Related Vulnerabilities
CVE-2017-12617 Vulnerability in maven package org.apache.tomcat.embed:tomcat-embed-core
CVE-2023-22578 Vulnerability in npm package sequelize
CVE-2021-21388 Vulnerability in npm package systeminformation
CVE-2019-16771 Vulnerability in maven package com.linecorp.armeria:armeria
CVE-2022-24846 Vulnerability in maven package org.geowebcache:gwc-diskquota-jdbc