CHANGELOG.md

May 8, 2026 · View on GitHub

Changelog:

  • 2.6

Updated:
- New payloads (sorted and add news payloads)
- Fix bugs
- Uncommon header updated, Integrating scans of source files (HTML, JS, etc.) to identify headers that are not commonly used
- Added a cache poisoning check by testing whether a body is added to the GET request to verify if it is cached
- If the "hu" option isn't enough and the WAF is very sensitive, you can now use the "stealth" option, which replaces Python's default requests.Session with a curl_cffi-backed session that impersonates a real Chrome 120 browser at the TLS level
- Fix multi-threading false positives: per-URL combo tracking, UUID cache busters to prevent cross-thread cache collisions, and domain-level WAF lock so all threads pause together instead of hammering the targe

  • 2.5

Updated:
- News payloads
- Fixed bugs
- Linting
- Technologies testing remake
- Correction of over half of false positives
- Rename modules header_checks
- Better WAF detection & timeout
News:
- False positive baseline in "utils.py"
- Centralization of the main requests made for CP/CPDoS scans in "global_requests.py"
- HHMP CPDoS module, Host Header Manipulation Poisoning, likely host header injection but some different
- Generates an interactive HTML report from scan results with -o option (export json/csv in HTML)

  • 2.4

Updated:
- New payloads
- Fix bugs
- Recalibration of WAF detection
News:
- CFP module: change format page poisoning (html > json....)

  • 2.3

Updated:
- Renames files and directory
- Linting
- Fixed proxy bugs
- fixed basic_cpdos bugs
Deleted:
- tools/*
- modules/lists/lowercase-headers.lst
- modules/lists/paraminer-wordlist.lst
News:
- cache_poisoning.py 
- modules/lists/wcp_headers.lst

  • 2.2

Updated:
- Menu in README.md
- Add payloads
- Remake paraminer list
- Linting
- Fixed bugs
News:
- print_utils.py in utils directory

  • 2.1

Updated:
- Fixed cpdos_main: Reworking the source code to avoid FP and improve detection, as well as being able to send headers not authorized by the basic requests library & recreating a “fresh” session before launching the cpdos modules
- New payloads
- Fixed logic and style bug
News:
- CVE-2025-57822 module check
- Add random user-agent during cpdos to avoid overly strict waf

  • 2.0

New:
- HTTP proxy module, you can send behavior and confirmed request directly in burp (or other HTTP proxy) now (utils/proxy.py)
- Check CVE-2021-27577 by Claude AI
- Multiple method poisoning analysis (modules/cp_check/methods_poisoning)
	- Fat methods poisoning
	- Cross Mixed Methods CPDoS (Cross-method cache poisoning, negative caching, Mix methods)
- Origin CORS DoS by Geluchat
- Uncommon header analysis (retrieves the non-common headers from the request and replays them for testing purposes)
- Debug headers checks
- PR and push are now checked against formatting, linting, type checking, security checking and regression testing (quality workflow)
- Version handles beta versioning now
- DX : Small Test Bed to verify regression
Updated:
- setup and requirements consolidated into pyproject.toml
- dockerfile is now in sync with how hexhttp is installed
- headerfuzz dictionary was overwriting its payloads using the same key
- Banner and version concerns are now separated
- technologies module got renamed to align with class name
- Proxy and Burp options allows to specify proxy server to pass issues or whole traffic
- Fixed bugs
- Remake server_error checks
- Remake Helper (-h) & README.md
- Unrisk page checking on the last CVE
- New payloads
	- upgrade H2C DoS by Geluchat
- BIG Linting
	- Added "utils" repository
	- Moving certain files/folders/functions to linting
	- Implementation of the cli.py file to lighten hexhttp.py
- HTTP Version & protocol analysis updated
- Vhosts misconfiguration analysis updated
- Methods analysis updated
Deleted:
- Cookies reflection tests (already completed in other modules)
- vuln_notify feature never really implemented and was too platform specific

  • 1.9.2

News
- New cve module to check Next.js CPDoS by Zhero research and Wlayzz PoC (CVE-2025-49826)
Updated:
- Updated TODO list
- Updated HTTP method checks (+50 added)
- Fixed bugs

  • 1.9.1

News
- Added only cache poisoning option (--ocp)
Updated:
- Linting of the http methods module and addition of +50 new methods to be check
- Fixed bugs

  • 1.9

News
- New module to check cache poisoning via backslash transformation
- New Akamai check (https://web.archive.org/web/20230101082612/https://spyclub.tech/2022/12/14/unusual-cache-poisoning-akamai-s3/#How-to-prevent) + Linting
Updated:
- Cleaning and tidying up threads
- Fixed header add by -H option, now you can add multiple headers, exemple: -H "toto: titi" -H "plop: plip"
- News payloads
- Fixed bugs/FP

  • 1.8

News
- New cve module to check Next.js CPDoS Zhero research (CVE-2025-29927)
- New module to check cache poisoning via path traversal (Thanks to 0xrth !)
- Proxy features (-p option)
Updated:
- News payloads
- Fixed bugs/FP
- Linting
- requirement.txt

  • 1.7.6

News
- Check your HExHTTP version 
- New cve module to check Nuxt.js CPDoS Zhero research (CVE-2025-27415)
Updated:
- News payloads (headers, methods and http version)
- Fixed bugs/FP
- Linting

  • 1.7.5

News
- Add a folder/check containing more-less well-known CVEs linked to headers or cache
- Add proxy feature [In Progress]
Updated:
- News payloads (~1k)
- Fixed bugs/FP
- Linting

  • 1.7.4

News:
- New cve module to check Nextjs cache poisoning Zhero research
Updated:
- Reduce FP
- Change "CACHE" by "CACHETAG" to avoid confusion
- Clean-up and remodeling of module file/folder architecture
- cache_poisoining_file => cache_poisoining__nf_file: total reconstruction of the module, to check on source files (js/css) that do not exist whether it is possible to inject text into the header or body and cache it

  • 1.7.3

News:
- Sponsors button
Updated:
- News payloads and fix on HMO modules (~800)
- Fixed issues

  • 1.7.2

News:
- New module for "human" scan, personal timesleep or random (0-5s) to each requests
Updated:
- News payloads
- Rename module modules/cpdos/cache_error.py -> modules/cpdos/basic_cpdos.py 

  • 1.7.1

News:
- New module for multiple headers cache error based on @0xrth observations (mutliple_headers.py)
- New file __init__.py in lists directory to add functionality to load payloads from files
Updated:
- commenting on the notification (notify-py)
- News payloads
- Linting
- Fixed bugs

  • 1.7

News:
- Logging management
- Error logs management
Updated:
- ANSI banner at startup
- Fixed bugs
- Cache tag color
- Big linting and refactoring
- News payloads

  • 1.6.3

Updated:
- News payload error endpoints (+600)
- Fixed errors and FP
- big start of refacto/lint from @Kharaone 

  • 1.6.2

Updated:
- News payload error endpoints (+500)
- CPDoS live tracking
- Fixed and reducted FP

  • 1.6.1

Updated:
- News payload error endpoints (+400)

  • 1.6

Updated:
- New file "payloads_errors.py" which lets you directly add payloads for CPDoS, and currently offers more than 200 payloads with various technologies
- Check js/css url during the CPDoS check
- Reduct FP

  • 1.5.9

Updated:
- Fix hho & hmo modules
- update README screenshot
- Reduct FP

  • 1.5.8

Updated:
- News endpoints for CPDoS
- fixed any bugs (cookie problems)
- Updated Akamai tests
Deleted:
- range_check.py (directly in cache_error tests)

  • 1.5.7

Updated:
- News endpoints for CPDoS
- fixed any bugs
- New banner

  • 1.5.6

Updated:
- News endpoints based on https://zhero-web-sec.github.io/research-and-things/nextjs-and-cache-poisoning-a-quest-for-the-black-hole
- Updated CPDoS with different response size

  • 1.5.5

Updated:
- New endpoints on cache_error.py
- Fix display bugs
News:
- Vercel tests

  • 1.5.4

Updated:
- New endpoints on headerfuzz, HMO, HMC & HMO module
- Fix of header argument missing in some functions
- Fix on CPDoS module, deleted old tests, reduce FP

  • 1.5.3

Updated:
- all file's imports for code optimization
- short description for vulnerabilities and link reference
- minors bug fix 
New: 
- modules/utils.py file for code optimization

  • 1.5.2

Updated:
- Add check on Akamai module
- fix hbh fp

  • 1.5.1

Updated:
- Rename of folder for differents lists 
- Fix of readme versioning
New :
- Hop-By-Hop check for CP-DoS 
- New list for testing HTTP Headers
Deleted :
- broken github workflow for pypi package, need re-verify

  • 1.5

Updated:
- Try to reduce fp numbers
- Adding multiple endpoints in cache_error + headerfuzz + method module
- Fixing some display bugs 

  • 1.4.1

New files: 
- modules/UAmobile.py # Change brought about by mobile user-agent
- modules/user-agent/mobile-user-agent.lst
- modules/cpdos/cache_error.py # HTTP response error cached check
- modules/technos/vercel.py
- CHANGELOG.md
Deleted:
- modules/cpdos/refererdos.py #Replace by cache_error.py