CVE-2024-21733 Apache Tomcat HTTP Request Smuggling

Our security research team recently discovered a critical “0day” vulnerability which was assigned CVE-2024-21733. The vulnerability was discovered by xer0dayz from Sn1perSecurity LLC and allows attackers to force a victim’s browser to de-synchronize its connection with websites hosted on top of Apache Tomcat, causing sensitive data to be smuggled from the server and/or client connections. In some cases, this can leak sensitive data such as clear-text credentials.

Severity: CRITICAL | Exploit Available: Yes | Exploitability: Easy | Remotely Exploitable: Yes


Apache Tomcat versions 8.5.7 through 8.5.63 and 9.0.0-M11 through 9.0.43 are vulnerable to client-side de-sync attacks. For more information on client-side de-sync attacks, please refer to James Kettle’s research here: Browser-Powered Desync Attacks: A New Frontier in HTTP Request Smuggling


Client-side de-synchronization (CSD) vulnerabilities arise when a web server fails to correctly process the Content-Length of POST requests. Exploiting this issue enables an attacker to manipulate a victim’s browser so that it de-synchronizes its connection with the website. This manipulation can result in the unauthorized extraction of sensitive data from both server and client connections.

The severity of the impact varies based on the applications utilizing Tomcat as the backend web server, potentially exposing confidential information such as clear-text credentials. For instance, our team identified an instance in ManageEngine’s ADSelfService Plus portal prior to version 6304, where clear-text Active Directory credentials could be surreptitiously obtained from client connections as seen below.

For a full list of affected ManageEngine products and versions, please see for more details. Given the severity of this vulnerability, ManageEngine customers are strongly advised to upgrade to the latest build of the affected products immediately.

PoC / Exploit

Affected Software

Apache Tomcat versions 8.5.7 through 8.5.63 and 9.0.0-M11 through 9.0.43 are vulnerable.

Product Description

The Apache Tomcat® software is an open source implementation of the Jakarta Servlet, Jakarta Server Pages, Jakarta Expression Language, Jakarta WebSocket, Jakarta Annotations and Jakarta Authentication specifications.


Users are recommended to upgrade to version 8.5.64 onwards or 9.0.44 onwards, which contain a fix for the issue.
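As an added defender-side check (not part of the original advisory or of Apache Tomcat itself), the following script decides whether a Tomcat version string falls inside the affected ranges above and names the release that fixes it. It assumes the version is read from a banner line of the form "Server version: Apache Tomcat/9.0.41" (as printed by `catalina.sh version`) or from a `Server` header; milestone builds are accepted as either "9.0.0-M11" or "9.0.0.M11" and sort before the final release of the same number.

```python
"""Check a Tomcat version string against the CVE-2024-21733 affected ranges."""
import re
from typing import Optional, Tuple

# Affected ranges from the advisory (inclusive), with the first fixed release.
AFFECTED_RANGES = [
    ("8.5.7", "8.5.63", "8.5.64"),
    ("9.0.0-M11", "9.0.43", "9.0.44"),
]

# Accepts '8.5.63', '9.0.0-M11' and '9.0.0.M11'.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:[.-]M(\d+))?$")


def parse_version(text: str) -> Tuple[int, int, int, int, int]:
    """Parse a Tomcat version into a sortable tuple.

    The tuple is (major, minor, patch, is_final, milestone), so a milestone
    build (is_final=0) orders before the final release of the same number.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Tomcat version: {text!r}")
    major, minor, patch = (int(m.group(i)) for i in (1, 2, 3))
    milestone = m.group(4)
    if milestone is None:
        return (major, minor, patch, 1, 0)
    return (major, minor, patch, 0, int(milestone))


def affected_by_cve_2024_21733(version: str) -> Optional[str]:
    """Return the first fixed release if `version` is affected, else None."""
    v = parse_version(version)
    for low, high, fixed in AFFECTED_RANGES:
        if parse_version(low) <= v <= parse_version(high):
            return fixed
    return None


def version_from_banner(line: str) -> Optional[str]:
    """Extract the version from a 'Apache Tomcat/<version>' banner or header."""
    m = re.search(r"Apache Tomcat/(\S+)", line)
    return m.group(1) if m else None


if __name__ == "__main__":
    # Constructed sample banner; not captured from a real host.
    sample = "Server version: Apache Tomcat/9.0.41"
    ver = version_from_banner(sample)
    print(ver, "->", affected_by_cve_2024_21733(ver))  # prints "9.0.41 -> 9.0.44"
```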


A template to detect this vulnerability will be made available exclusively to Sn1per Professional and Sn1per Enterprise customers within 30 days of the patch being released.



xer0dayz from Sn1perSecurity LLC

