CVE-2022-35406 · A URL disclosure issue was discovered in Burp Suite before 2022.6.

01 · The Real Story

Like a lab microscope that can be tricked into scribbling the wrong label on one slide

CVE-2022-35406 affects Burp Suite Community and Professional before 2022.6. A malicious application can return a crafted response that Burp Repeater or Intruder misinterprets as a redirect when the analyst views it, causing unintended URL disclosure behavior inside the tester's workflow rather than a server-side compromise.

The published 4.3 / MEDIUM label is still too generous for patch triage at enterprise scale. The chain requires a human using a niche desktop security tool, pointing it at hostile content, and then viewing the crafted response in specific tabs; that is several layers of reachability friction before you get to an impact that is limited and non-persistent.

"This is a tester-workstation edge case, not an enterprise patch fire drill."

02 · The Attack Path

4 steps from start to impact.

STEP 01

Attacker controls the response Burp user will inspect

The attacker needs a web application or endpoint that a Burp user will manually test with Burp Repeater or Burp Intruder. No exploit kit is required; a custom HTTP server or modified target response is enough because the trigger is the returned response content, not memory corruption or authentication bypass.

Conditions required:

Attacker can control or influence HTTP responses from a target the analyst is testing
A Burp user is actively using Repeater or Intruder against that target

Where this breaks in practice:

This is not unauthenticated exploitation against a production Burp server; it is a client-side issue on a tester workstation
Only organizations with Burp deployed to appsec or pentest users are in scope
The attacker usually has to be the target under test or already in a position to tamper with responses

Detection/coverage: Network vulnerability scanners will not meaningfully detect this path. This is mostly a version-inventory problem on analyst endpoints.

STEP 02

Craft the redirect-looking response

The attacker sends a response that Burp incorrectly treats as a redirect. PortSwigger's fix notes say the bug was caused by incorrectly interpreting a crafted response as a redirect, so exploitation is conceptually simple but tightly bound to this exact UI parsing behavior.

Conditions required:

Crafted response reaches the Burp tab intact
Victim is running a version earlier than 2022.6

Where this breaks in practice:

There is no evidence of broad weaponization or reliable mass exploitation tooling
The bug exists in a narrow workflow rather than all HTTP handling

Detection/coverage: EDR may see Burp making an unexpected follow-on request, but signature-based detection coverage is likely poor.

STEP 03

Human views the response in Repeater or Intruder

A user must actually view the crafted response in the affected Burp tabs. This matches the UI:R vector: no clickless exploit, no background wormability, and no server-side reach into unattended infrastructure.

Conditions required:

User interaction with the malicious response
Use of Repeater or Intruder specifically

Where this breaks in practice:

Analyst interaction is mandatory
Many Burp deployments are limited to a handful of security staff rather than broad enterprise fleets
Modern browser hardening, proxy isolation, and researcher caution reduce accidental exposure

Detection/coverage: Very limited. You might spot anomalous requests in Burp project logs or outbound proxy logs if the leaked URL generates an external request.

STEP 04

Burp discloses URL context

Impact is limited to URL disclosure / misdirected handling of redirect logic, not code execution, credential theft by default, or direct takeover of the workstation. In practice this is mostly a privacy and workflow-integrity issue for the tester and whatever target URLs are being handled in that session.

Conditions required:

Successful redirect misinterpretation
Presence of sensitive or internal URLs in the analyst workflow

Where this breaks in practice:

Blast radius is small and usually limited to the tester's current project context
No demonstrated privilege escalation or persistence from the CVE itself

Detection/coverage: Post-event validation is mainly manual: review Burp version, project history, and outbound requests to unexpected hosts.

03 · Intelligence Metadata

The supporting signals.

In-the-wild status	No known active exploitation evidence located in authoritative public sources reviewed; this CVE is not in CISA KEV.
KEV status	Not listed in the CISA KEV catalog.
Proof-of-concept availability	No widely cited public PoC or weaponized repo surfaced in the source set. The attacker primitive appears trivial to reproduce with a custom crafted HTTP response, but there is no sign of mainstream offensive tooling adoption.
EPSS	User-supplied EPSS is 0.00256; third-party trackers currently show this CVE in a low percentile band (for example, Feedly shows about 0.06% / 25.5th percentile, while Tenable currently shows 0.00106), reinforcing the low exploitation expectation.
CVSS vector	`CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N` — the key term is UI:R. This is a human-in-the-loop client-side bug with low direct impact.
Affected versions	NVD lists Burp Suite Community and Burp Suite Professional versions before 2022.6 as affected.
Fixed version	PortSwigger fixed it in Burp Suite 2022.6. The vendor release notes call it a low-severity security issue.
Exposure population	This is a desktop appsec tool used by a small analyst population, not a broadly internet-exposed service. Shodan/Censys/FOFA exposure counts are not a meaningful prioritization metric here because the vulnerable surface is the local tester workflow, not a public daemon.
Disclosure date	Published by NVD on 2022-07-08.
Reporter	PortSwigger credits Vrushabh Doshi for reporting the issue in the 2022.6 release notes.

04 · The Call

noisgate verdict.

Final Verdict

↓ DOWNGRADED to LOW (2.2/10)

The single biggest downward pressure is attacker reachability: exploitation requires a Burp user to manually inspect attacker-controlled content in Repeater or Intruder on a tester workstation. That makes this a narrow, post-selection client-side workflow bug with limited blast radius rather than an enterprise-wide remote compromise path.

HIGH Affected version range and fixed release

MEDIUM Real-world exploitability assessment

HIGH KEV / public exploitation absence

Why this verdict

Requires human interaction: the user must view a crafted response in Repeater or Intruder, which is classic UI:R friction and blocks unattended exploitation.
Requires a narrow attacker position: the adversary must control the target response path that a Burp analyst is testing, which implies a hostile test target or prior response tampering rather than broad internet reach.
Exposure population is tiny: Burp is a specialist desktop tool, not something installed across 10,000 general endpoints or internet-facing servers.
Impact is limited: this is URL disclosure / redirect misinterpretation, not RCE, auth bypass, credential dump, or domain-wide privilege escalation.
No exploitation signal: no KEV entry, no public campaign reporting, and low EPSS all push the score down further.

Why not higher?

There is no server-side compromise path here. To get to impact, the attacker needs both analyst interaction and the specific Burp workflow, and even then the outcome is limited compared with vulnerabilities that hand over execution, credentials, or privileged access.

Why not lower?

It is still a real security defect in a widely used security testing tool, and some organizations do point Burp at hostile or semi-hostile targets routinely. If your appsec team handles sensitive internal URLs, the disclosure behavior has enough operational relevance to keep it out of full IGNORE territory.

05 · Compensating Control

What to do — in priority order.

Upgrade Burp on security workstations — Move all Burp Community and Professional installs to 2022.6 or later as normal tooling hygiene. Because this is a LOW verdict, there is no SLA beyond backlog management; fold it into the next routine workstation or developer-tool refresh cycle.
Restrict Burp use to managed analyst endpoints — Keep Burp on hardened, centrally managed appsec or pentest systems so version inventory is easy and the exposed population stays small. For a LOW verdict, do this as standard hardening work rather than emergency response.
Force outbound web traffic through logging proxies — Route analyst workstations through an egress proxy so unexpected outbound requests triggered during testing leave artifacts. That gives you at least some visibility if crafted responses cause odd redirect behavior; implement as normal control improvement, not as an urgent hotfix.
Educate testers on hostile-target handling — Remind Burp users that the target under test can be malicious too, especially in bug bounty or third-party assessment work. This reduces accidental trust in tool UI behavior while you clear old versions from the fleet.

What doesn't work

A perimeter WAF does not help because the vulnerable component is the local Burp client, not your production web stack.
MFA is irrelevant; the bug does not depend on account takeover or authentication weakness.
Generic server vulnerability scans will not reliably flag exploit attempts because the problem lives in the analyst's desktop workflow, not the remote server being scanned.

06 · Verification

Crowdsourced verification payload.

Run this on the analyst workstation where Burp is installed, or from your software-audit tooling with file-system access to the Burp binary, installer, DMG, or JAR name. Invoke it with either a discovered version string or a Burp path, for example: python3 check_burp_cve_2022_35406.py /opt/BurpSuiteCommunity/burpsuite_community_v2022.5.jar or python3 check_burp_cve_2022_35406.py 2022.5; no admin rights are required unless your EDR blocks process execution.

noisgate-verify.py

PYTHONREAD-ONLYSAFE

#!/usr/bin/env python3
# check_burp_cve_2022_35406.py
# Exit codes:
#   0 = PATCHED
#   1 = VULNERABLE
#   2 = UNKNOWN / could not determine

import os
import re
import sys
import subprocess

FIXED_MAJOR = 2022
FIXED_MINOR = 6


def normalize_version(raw: str):
    if not raw:
        return None
    s = raw.strip()

    # Common Burp filename/version patterns:
    #   2022.6
    #   v2022.6
    #   v2022_6
    #   burpsuite_pro_v2022_6.jar
    m = re.search(r'(?:v)?(20\d{2})[._](\d+)', s)
    if m:
        return int(m.group(1)), int(m.group(2))

    # Fallback: any 4-digit year followed later by a dot/underscore and a minor
    m = re.search(r'(20\d{2}).*?[._](\d+)', s)
    if m:
        return int(m.group(1)), int(m.group(2))

    return None


def compare_version(ver):
    major, minor = ver
    if major < FIXED_MAJOR:
        return 'VULNERABLE'
    if major == FIXED_MAJOR and minor < FIXED_MINOR:
        return 'VULNERABLE'
    return 'PATCHED'


def try_command(path):
    candidates = [
        [path, '--version'],
        [path, '-version'],
        ['java', '-jar', path, '--version'],
        ['java', '-jar', path, '-version'],
    ]
    for cmd in candidates:
        try:
            proc = subprocess.run(cmd, stdout=subprocess.PIPE, stderr=subprocess.PIPE, text=True, timeout=12)
            output = (proc.stdout or '') + '\n' + (proc.stderr or '')
            ver = normalize_version(output)
            if ver:
                return ver, ' '.join(cmd)
        except Exception:
            continue
    return None, None


def main():
    if len(sys.argv) != 2:
        print('UNKNOWN')
        print('Usage: python3 check_burp_cve_2022_35406.py <version-string-or-path>')
        sys.exit(2)

    arg = sys.argv[1]

    # If caller passed a raw version string
    ver = normalize_version(arg)
    if ver:
        result = compare_version(ver)
        print(result)
        print(f'Detected version: {ver[0]}.{ver[1]}')
        sys.exit(1 if result == 'VULNERABLE' else 0)

    # If caller passed a file path, inspect basename first
    if os.path.exists(arg):
        base = os.path.basename(arg)
        ver = normalize_version(base)
        if ver:
            result = compare_version(ver)
            print(result)
            print(f'Detected from filename: {base} -> {ver[0]}.{ver[1]}')
            sys.exit(1 if result == 'VULNERABLE' else 0)

        # Try executing/querying version
        ver, cmd = try_command(arg)
        if ver:
            result = compare_version(ver)
            print(result)
            print(f'Detected via command: {cmd} -> {ver[0]}.{ver[1]}')
            sys.exit(1 if result == 'VULNERABLE' else 0)

    print('UNKNOWN')
    print('Could not determine Burp version. Provide a Burp path whose filename includes the version, or pass the version string directly (example: 2022.5).')
    sys.exit(2)


if __name__ == '__main__':
    main()

07 · Bottom Line

If you remember one thing.

TL;DR

Monday morning: do not burn an emergency patch window on this one. Inventory Burp installs on appsec and pentest workstations, upgrade anything older than 2022.6 during normal tooling maintenance, and document that there is no mitigation SLA — treat as backlog hygiene and use the noisgate remediation SLA for LOW issues accordingly; if you want a control improvement, keep Burp traffic behind an egress proxy and on managed analyst endpoints, but there is no separate noisgate mitigation SLA action required here.

Sources

Peer Review

What defenders are saying.

Submit a review attribution: handle + country only

0 flags selected · stored anonymously

Validation Results

Crowdsourced verification outputs.

Results submitted by users who ran the verification payload against their environment.