This page lists publicly disclosed CVE vulnerabilities affecting jetbrains ktor (linked via NVD CPE). Each row includes severity scores, summaries, and publication dates to help identify and analyze security issues.
| CVE | Summary | Source | Max CVSS | EPSS % | Published | Updated |
|---|---|---|---|---|---|---|
| CVE-2025-29904 | In JetBrains Ktor before 3.1.1 an HTTP Request Smuggling was possible | [email protected] | 5.3 | 0.30% | 2025-03-12 | 2026-06-17 |
| CVE-2024-49580 | In JetBrains Ktor before 2.3.13 improper caching in HttpCache Plugin could lead to response information disclosure | [email protected] | 5.3 | 0.34% | 2024-10-17 | 2026-06-17 |
| CVE-2023-45613 | In JetBrains Ktor before 2.3.5 server certificates were not verified | [email protected] | 6.8 | 0.30% | 2023-10-09 | 2026-06-17 |
| CVE-2023-45612 | In JetBrains Ktor before 2.3.5 default configuration of ContentNegotiation with XML format was vulnerable to XXE | [email protected] | 8.6 | 0.60% | 2023-10-09 | 2026-06-17 |
| CVE-2023-34339 | In JetBrains Ktor before 2.3.1 headers containing authentication data could be added to the exception's message | [email protected] | 3.3 | 0.21% | 2023-06-01 | 2026-06-17 |
| CVE-2022-48476 | In JetBrains Ktor before 2.3.0 path traversal in the `resolveResource` method was possible | [email protected] | 7.5 | 0.75% | 2023-04-24 | 2026-06-17 |
| CVE-2022-38180 | In JetBrains Ktor before 2.1.0 the wrong authentication provider could be selected in some cases | [email protected] | 5.3 | 0.61% | 2022-08-12 | 2026-06-17 |
| CVE-2022-38179 | JetBrains Ktor before 2.1.0 was vulnerable to the Reflect File Download attack | [email protected] | 4.7 | 0.40% | 2022-08-12 | 2026-06-17 |
| CVE-2022-29930 | SHA1 implementation in JetBrains Ktor Native 2.0.0 was returning the same value. The issue was fixed in Ktor version 2.0.1. | [email protected] | 8.7 | 0.81% | 2022-05-12 | 2026-06-17 |
| CVE-2022-29035 | In JetBrains Ktor Native before version 2.0.0 random values used for nonce generation weren't using SecureRandom implementations | [email protected] | 3.3 | 0.58% | 2022-04-11 | 2026-06-17 |
| CVE-2021-43203 | In JetBrains Ktor before 1.6.4, nonce verification during the OAuth2 authentication process is implemented improperly. | [email protected] | 7.5 | 0.84% | 2021-11-09 | 2026-06-17 |
| CVE-2021-25763 | In JetBrains Ktor before 1.4.2, weak cipher suites were enabled by default. | [email protected] | 5.3 | 0.54% | 2021-02-03 | 2026-06-16 |
| CVE-2021-25762 | In JetBrains Ktor before 1.4.3, HTTP Request Smuggling was possible. | [email protected] | 5.3 | 0.81% | 2021-02-03 | 2026-06-16 |
| CVE-2021-25761 | In JetBrains Ktor before 1.5.0, a birthday attack on SessionStorage key was possible. | [email protected] | 5.3 | 0.54% | 2021-02-03 | 2026-06-16 |
| CVE-2020-26129 | In JetBrains Ktor before 1.4.1, HTTP request smuggling was possible. | [email protected] | 6.5 | 0.76% | 2020-11-16 | 2026-06-16 |
| CVE-2020-5207 | In Ktor before 1.3.0, request smuggling is possible when running behind a proxy that doesn't handle Content-Length and Transfer-Encoding properly or doesn't handle \n as a headers separator. | [email protected] | 5.4 | 0.76% | 2020-01-27 | 2026-06-16 |
| CVE-2019-19389 | JetBrains Ktor framework before version 1.2.6 was vulnerable to HTTP Response Splitting. | [email protected] | 5.4 | 0.83% | 2019-12-26 | 2026-06-16 |
| CVE-2019-19703 | In Ktor through 1.2.6, the client resends data from the HTTP Authorization header to a redirect location. | [email protected] | 6.1 | 0.64% | 2019-12-10 | 2026-06-16 |
| CVE-2019-12737 | UserHashedTableAuth in JetBrains Ktor framework before 1.2.0-rc uses a One-Way Hash with a Predictable Salt for storing user credentials. | [email protected] | 5.3 | 0.68% | 2019-10-02 | 2026-06-16 |
| CVE-2019-12736 | JetBrains Ktor framework before 1.2.0-rc does not sanitize the username provided by the user for the LDAP protocol, leading to command injection. | [email protected] | 9.8 | 2.22% | 2019-10-02 | 2026-06-16 |