Releases: c0dejump/HExHTTP

v2.4

01 Dec 09:58

Updated:

- New payloads
- Fix bugs

News:

- CFP module: change format page poisoning (html > json....)

v2.3

09 Nov 07:31

Updated:

- Renamed files and directory
- Linting
- Fixed proxy bugs
- Fixed basic_cpdos bugs

Deleted:

- tools/*
- modules/lists/lowercase-headers.lst
- modules/lists/paraminer-wordlist.lst

New:

- cache_poisoning.py 
- modules/lists/wcp_headers.lst

v2.2

20 Oct 09:29

Updated:

- Menu in README.md
- Add payloads
- Remake paraminer list
- Linting
- Fixed bugs

News:

- print_utils.py in utils directory

v2.1

16 Oct 13:25

Updated:

- Fixed cpdos_main: reworked the source code to avoid false positives and improve detection, to allow sending headers not authorized by the basic requests library, and to recreate a “fresh” session before launching the cpdos modules
- New payloads
- Fixed logic and style bug

News:

- CVE-2025-57822 module check
- Added a random user-agent during cpdos to avoid overly strict WAFs

v2.0

10 Oct 15:08

New:

- HTTP proxy module: you can now send behavior and confirmed requests directly to Burp (or another HTTP proxy) (utils/proxy.py)
- Check CVE-2021-27577 by Claude AI
- Multiple method poisoning analysis (modules/cp_check/methods_poisoning)
	- Fat methods poisoning
	- Cross Mixed Methods CPDoS (Cross-method cache poisoning, negative caching, Mix methods)
- Origin CORS DoS by Geluchat
- Uncommon header analysis (retrieves the non-common headers from the request and replays them for testing purposes)
- Debug headers checks
- PR and push are now checked against formatting, linting, type checking, security checking and regression testing (quality workflow)
- Version handles beta versioning now
- DX : Small Test Bed to verify regression

Updated:

- setup and requirements consolidated into pyproject.toml
- dockerfile is now in sync with how hexhttp is installed
- headerfuzz dictionary was overwriting its payloads using the same key
- Banner and version concerns are now separated
- technologies module got renamed to align with class name
- Proxy and Burp options allow specifying a proxy server to pass issues or the whole traffic through
- Fixed bugs
- Remake server_error checks
- Remake Helper (-h) & README.md
- Unrisk page checking on the last CVE
- New payloads
	- upgrade H2C DoS by Geluchat
- BIG Linting
	- Added "utils" repository
	- Moving certain files/folders/functions to linting
	- Implementation of the cli.py file to lighten hexhttp.py
- HTTP Version & protocol analysis updated
- Vhosts misconfiguration analysis updated
- Methods analysis updated

Deleted:

- Cookies reflection tests (already completed in other modules)
- vuln_notify feature never really implemented and was too platform specific

v1.9.2

15 Jul 12:50

News

- New cve module to check Next.js CPDoS by Zhero research and Wlayzz PoC (CVE-2025-49826)

Updated:

- Added only cache poisoning option (--ocp)
- Updated TODO list

v1.9.1

09 Jul 22:05

What's Changed

Updated:

- Linting of the HTTP methods module and addition of +50 new methods to be checked

v1.9

09 Jul 08:31

What's Changed

News

- New module to check cache poisoning via backslash transformation
- New Akamai check (https://web.archive.org/web/20230101082612/https://spyclub.tech/2022/12/14/unusual-cache-poisoning-akamai-s3/#How-to-prevent) + Linting

Updated:

- Cleaning and tidying up threads
- Fixed header addition via the -H option; you can now add multiple headers, for example: -H "toto: titi" -H "plop: plip"
- New payloads
- Fixed bugs/FP

v1.8

02 Apr 08:39

What's Changed

News

- New cve module to check Next.js CPDoS Zhero research (CVE-2025-29927)
- New module to check cache poisoning via path traversal (Thanks to 0xrth !)
- Proxy features (-p option)

Updated:

- New payloads
- Fixed bugs/FP
- Linting
- requirement.txt

v1.7.6

20 Mar 16:21

What's Changed

News

- Check your HExHTTP version 
- New cve module to check Nuxt.js CPDoS Zhero research (CVE-2025-27415)

Updated:

- New payloads (headers, methods and HTTP version)
- Fixed bugs/FP
- Linting