CVE-2024-33452 — HIGH (7.7)

Q: What is CVE-2024-33452?

CVE-2024-33452 is a vulnerability with a CVSS score of 7.7 (HIGH). An issue in OpenResty lua-nginx-module v.0.10.26 and before allows a remote attacker to conduct HTTP request smuggling via a crafted HEAD request.

Q: How severe is CVE-2024-33452?

CVE-2024-33452 has been rated HIGH with a CVSS base score of 7.7/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2024-33452?

Check the references section above for vendor advisories and patch information. Affected products include: Openresty Lua-Nginx-Module.

Vulnerability Description

An issue in OpenResty lua-nginx-module v.0.10.26 and before allows a remote attacker to conduct HTTP request smuggling via a crafted HEAD request.

CVSS Score

7.7

HIGH

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:L

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

HIGH

Integrity

HIGH

Availability

LOW

Affected Products

Vendor	Product	Versions
Openresty	Lua-Nginx-Module	<= 0.10.26

Related Weaknesses (CWE)

CWE-444

References

https://portswigger.net/research/http-desync-attacks-request-smuggling-rebornExploitThird Party Advisory
https://www.benasin.space/2025/03/18/OpenResty-lua-nginx-module-v0-10-26-HTTP-ReExploitThird Party Advisory
https://lists.debian.org/debian-lts-announce/2025/06/msg00026.html

FAQ

What is CVE-2024-33452?

CVE-2024-33452 is a vulnerability with a CVSS score of 7.7 (HIGH). An issue in OpenResty lua-nginx-module v.0.10.26 and before allows a remote attacker to conduct HTTP request smuggling via a crafted HEAD request.

How severe is CVE-2024-33452?

CVE-2024-33452 has been rated HIGH with a CVSS base score of 7.7/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2024-33452?

Check the references section above for vendor advisories and patch information. Affected products include: Openresty Lua-Nginx-Module.