Kallithea Security Notice CVE-2016-3691

CSRF protection bypass


A vulnerability has been found in Kallithea.


Routes allows a GET request to override the HTTP method, which breaks Kallithea's CSRF protection (which only applies to POST requests).

An attacker could misuse this GET method override to trick a user into issuing a request with a different method, thus bypassing the CSRF protection.
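As an added illustration (not Kallithea's or Routes' own code), the toy WSGI functions below model the behaviour the notice describes: a query-string method override, followed by a CSRF check keyed on POST alone, beside a hardened check that also considers the method the client actually sent. The environ key and every request used here are constructed for the example.

```python
from urllib.parse import parse_qs

SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}
ORIGINAL_METHOD_KEY = "example.original_method"  # constructed environ key


def apply_method_override(environ, allow_from_query):
    """Toy model of a Routes-style override: ?_method=X in the query string
    replaces REQUEST_METHOD. The method the client really sent is kept under
    a constructed key so a later check can still see it."""
    environ.setdefault(ORIGINAL_METHOD_KEY, environ["REQUEST_METHOD"])
    params = parse_qs(environ.get("QUERY_STRING", ""))
    if allow_from_query and "_method" in params:
        environ["REQUEST_METHOD"] = params["_method"][0].upper()
    return environ["REQUEST_METHOD"]


def csrf_ok_post_only(environ, token_valid):
    """Weak pattern from the notice: only POST is checked, so a GET that was
    rewritten to PUT or DELETE is never asked for a token."""
    if environ["REQUEST_METHOD"] == "POST":
        return token_valid
    return True


def csrf_ok_unsafe_methods(environ, token_valid):
    """Hardened pattern: every state-changing effective method needs a valid
    token, and a request is only treated as safe when the method the client
    sent is itself safe and was not rewritten."""
    original = environ.get(ORIGINAL_METHOD_KEY, environ["REQUEST_METHOD"])
    effective = environ["REQUEST_METHOD"]
    if effective in SAFE_METHODS and original == effective:
        return True
    return token_valid


def request_allowed(method, query_string, token_valid, check, allow_query_override):
    """Run one constructed request through override + CSRF check.
    Returns (effective method, whether the check lets it through)."""
    environ = {"REQUEST_METHOD": method, "QUERY_STRING": query_string}
    effective = apply_method_override(environ, allow_query_override)
    return effective, check(environ, token_valid)


if __name__ == "__main__":
    # A cross-site GET link carrying ?_method=PUT and no token reaches the
    # PUT handler unchecked under the weak pattern, and is refused by the
    # hardened check (or never rewritten when query override is disabled).
    print(request_allowed("GET", "_method=PUT", False, csrf_ok_post_only, True))
    print(request_allowed("GET", "_method=PUT", False, csrf_ok_unsafe_methods, True))
    print(request_allowed("GET", "_method=PUT", False, csrf_ok_post_only, False))
```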


Søren Løvborg wrote a patch fixing the issue, which is included in release 0.3.2. Users are advised to upgrade as soon as possible.

Affected versions

As far as we know, the issue is present in all previously released Kallithea versions.


  1. CVE-2016-3691 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3691

  2. Mercurial changeset fixing the issue https://kallithea-scm.org/repos/kallithea/changeset/9b74296e6af624023970d8634e804b76ed2dd2b4