#chunkloris

infosec

• chunkloris: actix-web — HTTP/1.1 chunked transfer encoding. actix-web 4.x. verdict: vulnerable per chunk.
• chunkloris: actix-web (h2c) — HTTP/2 (h2c) DATA frames. actix-web (h2c) 4.x. verdict: batches correctly.
• chunkloris: aioquic HTTP/3 example-style server — HTTP/3 DATA frames over QUIC. aioquic HTTP/3 example-style server aioquic 1.3.0. verdict: vulnerable per frame.
• chunkloris: Apache httpd (event MPM + mod_lua) — HTTP/1.1 chunked transfer encoding. Apache httpd (event MPM + mod_lua) 2.4.67. verdict: vulnerable per chunk.
• chunkloris: Apache httpd mod_http2 (h2c) — HTTP/2 (h2c) DATA frames. Apache httpd mod_http2 (h2c) 2.4.67. verdict: vulnerable per frame.
• chunkloris: axum (on hyper) — HTTP/1.1 chunked transfer encoding. axum (on hyper) 0.7 / hyper 1.x. verdict: vulnerable per chunk.
• chunkloris: bandit — HTTP/1.1 chunked transfer encoding. bandit 1.11.1. verdict: vulnerable per chunk.
• chunkloris: bandit (h2c) — HTTP/2 (h2c) DATA frames. bandit (h2c) 1.11.1. verdict: vulnerable per frame.
• chunkloris: cowboy — HTTP/1.1 chunked transfer encoding. cowboy 2.15.0 (cowlib 2.16.1, ranch 2.2.0). verdict: vulnerable per chunk.
• chunkloris: cowboy (h2c) — HTTP/2 (h2c) DATA frames. cowboy (h2c) 2.15.0 (cowlib 2.16.1, ranch 2.2.0). verdict: protected h2 goaway.
• chunkloris: daphne — HTTP/1.1 chunked transfer encoding. daphne 4.x. verdict: vulnerable per chunk.
• chunkloris: express — HTTP/1.1 chunked transfer encoding. express 5.2.1. verdict: vulnerable per chunk.
• chunkloris: falcon (h2c) — HTTP/2 (h2c) DATA frames. falcon (h2c) 0.49.0. verdict: vulnerable per frame.
• chunkloris: falcon (on async-http / protocol-http1) — HTTP/1.1 chunked transfer encoding. falcon (on async-http / protocol-http1) 0.49.0. verdict: vulnerable per chunk.
• chunkloris: fastify — HTTP/1.1 chunked transfer encoding. fastify 5.x. verdict: vulnerable per chunk.
• chunkloris: fastify (h2c) — HTTP/2 (h2c) DATA frames. fastify (h2c) 5.8.5. verdict: vulnerable per frame.
• chunkloris: gin — HTTP/1.1 chunked transfer encoding. gin 1.10.1. verdict: vulnerable per chunk.
• chunkloris: Go net/http + golang.org/x/net/http2 (h2c) — HTTP/2 (h2c) DATA frames. Go net/http + golang.org/x/net/http2 (h2c) go 1.23 + x/net v0.30. verdict: vulnerable per frame.
• chunkloris: gorilla/websocket — WebSocket text frames. gorilla/websocket v1.5.3 on go 1.23. verdict: batches correctly.
• chunkloris: granian — HTTP/1.1 chunked transfer encoding. granian 1.x. verdict: vulnerable per chunk.
• chunkloris: granian (ASGI h2c) — HTTP/2 (h2c) DATA frames. granian (ASGI h2c) 1.7.6. verdict: vulnerable per frame.
• chunkloris: gunicorn — HTTP/1.1 chunked transfer encoding. gunicorn 23.0.0. verdict: vulnerable per chunk.
• chunkloris: HAProxy (h2c frontend) — HTTP/2 (h2c) DATA frames. HAProxy (h2c frontend) 3.0.23. verdict: vulnerable per frame.
• chunkloris: HAProxy (with Lua applet for body sink) — HTTP/1.1 chunked transfer encoding. HAProxy (with Lua applet for body sink) 3.0.23. verdict: vulnerable per chunk.
• chunkloris: hyper 1.5 + h2 0.4 (h2c) — HTTP/2 (h2c) DATA frames. hyper 1.5 + h2 0.4 (h2c) hyper 1.5 / h2 0.4. verdict: batches correctly.
• chunkloris: hypercorn — HTTP/1.1 chunked transfer encoding. hypercorn 0.17.3. verdict: vulnerable per chunk.
• chunkloris: hypercorn — HTTP/2 (h2c) DATA frames. hypercorn 0.17.3. verdict: vulnerable per frame.
• chunkloris: hypercorn (HTTP/3) — HTTP/3 DATA frames over QUIC. hypercorn (HTTP/3) 0.17.3 + aioquic 1.3.0. verdict: vulnerable per frame.
• chunkloris: Kestrel — HTTP/1.1 chunked transfer encoding. Kestrel 9.0 (Microsoft.AspNetCore 9.0; bundled in mcr.microsoft.com/dotnet/aspnet:9.0). verdict: batches correctly.
• chunkloris: Kestrel (ASP.NET Core 9, h2c) — HTTP/2 (h2c) DATA frames. Kestrel (ASP.NET Core 9, h2c) 9.0. verdict: vulnerable per frame.
• chunkloris: Kestrel (ASP.NET Core 9, HTTP/3) — HTTP/3 DATA frames over QUIC. Kestrel (ASP.NET Core 9, HTTP/3) ASP.NET Core 9.0 + MsQuic. verdict: vulnerable per frame.
• chunkloris: Kestrel ASP.NET Core WebSockets — WebSocket text frames. Kestrel ASP.NET Core WebSockets ASP.NET Core 9.0 (mcr.microsoft.com/dotnet/aspnet:9.0); Microsoft.AspNetCore.WebSockets. verdict: batches correctly.
• chunkloris: net/http (stdlib) — HTTP/1.1 chunked transfer encoding. net/http (stdlib) go-1.23.12. verdict: vulnerable per chunk.
• chunkloris: nginx (openresty distribution) — HTTP/1.1 chunked transfer encoding. nginx (openresty distribution) 1.29.2.3 / openresty:alpine. verdict: vulnerable per chunk.
• chunkloris: nginx/openresty (h2c) — HTTP/2 (h2c) DATA frames. nginx/openresty (h2c) 1.29.2.3 / openresty:alpine. verdict: vulnerable per frame.
• chunkloris: node http.Server (built-in) — HTTP/1.1 chunked transfer encoding. node http.Server (built-in) node-22.22.3. verdict: vulnerable per chunk.
• chunkloris: node http2 (native) — HTTP/2 (h2c) DATA frames. node http2 (native) node-22. verdict: vulnerable per frame.
• chunkloris: phoenix — HTTP/1.1 chunked transfer encoding. phoenix 1.7 on plug_cowboy 2.7 / cowboy 2.15.0. verdict: vulnerable per chunk.
• chunkloris: phoenix on cowboy (h2c) — HTTP/2 (h2c) DATA frames. phoenix on cowboy (h2c) Phoenix 1.8.7 / plug_cowboy 2.8.1 / cowboy 2.15.0. verdict: protected h2 goaway.
• chunkloris: puma — HTTP/1.1 chunked transfer encoding. puma 6.4.3. verdict: vulnerable per chunk.
• chunkloris: quic-go HTTP/3 — HTTP/3 DATA frames over QUIC. quic-go HTTP/3 quic-go v0.54.0. verdict: vulnerable per frame.
• chunkloris: Spring Boot + Tomcat — HTTP/1.1 chunked transfer encoding. Spring Boot + Tomcat spring-boot-3.3.5 / tomcat-10.1. verdict: vulnerable per chunk.
• chunkloris: Spring Boot + Tomcat (h2c) — HTTP/2 (h2c) DATA frames. Spring Boot + Tomcat (h2c) spring-boot-3.3.5 / tomcat-10.1. verdict: protected h2 goaway.
• chunkloris: tokio-tungstenite — WebSocket text frames. tokio-tungstenite 0.24 on rust 1.83. verdict: batches correctly.
• chunkloris: tornado — HTTP/1.1 chunked transfer encoding. tornado 6.4.2. verdict: vulnerable per chunk.
• chunkloris: unicorn — HTTP/1.1 chunked transfer encoding. unicorn 6.1.0. verdict: vulnerable per chunk.
• chunkloris: uvicorn — HTTP/1.1 chunked transfer encoding. uvicorn 0.32.1. verdict: vulnerable per chunk.
• chunkloris: uvicorn — HTTP/1.1 chunked transfer encoding. uvicorn 0.32.1. verdict: vulnerable per chunk.
• chunkloris: uvicorn (websockets impl) — WebSocket text frames. uvicorn (websockets impl) uvicorn 0.32.1, websockets 13.1, starlette 0.41.3. verdict: vulnerable per frame.
• chunkloris: uvicorn (wsproto impl) — WebSocket text frames. uvicorn (wsproto impl) uvicorn 0.32.1, wsproto 1.2.0, starlette 0.41.3. verdict: vulnerable per frame.
• chunkloris: Vert.x — HTTP/1.1 chunked transfer encoding. Vert.x 4.5.10. verdict: vulnerable per chunk.
• chunkloris: Vert.x 4.5 (Netty h2c) — HTTP/2 (h2c) DATA frames. Vert.x 4.5 (Netty h2c) 4.5.10. verdict: batches correctly.
• chunkloris: waitress — HTTP/1.1 chunked transfer encoding. waitress 3.0.2. verdict: vulnerable per chunk.
• chunkloris: ws (Node) — WebSocket text frames. ws (Node) ws 8.18.0 on node 22-slim. verdict: batches correctly.