From 0f32bcbf3a7dc48d9f5422799ca01b14ce6e33da Mon Sep 17 00:00:00 2001
From: Andrew Dang
Date: Sat, 27 Jun 2026 02:06:31 -0500
Subject: [PATCH] Reject NUL bytes in HTTP request lines

---
 cheroot/server.py | 6 ++++++
 cheroot/test/test_core.py | 11 +++++++++++
 2 files changed, 17 insertions(+)

diff --git a/cheroot/server.py b/cheroot/server.py
index 284cf17c72..ff1ceb1d80 100644
--- a/cheroot/server.py
+++ b/cheroot/server.py
@@ -802,6 +802,12 @@ def read_request_line(self): # noqa: C901 # FIXME
 try:
 method, uri, req_protocol = request_line.strip().split(SPACE, 2)
+ if b'\x00' in request_line:
+ self.simple_response(
+ '400 Bad Request',
+ 'Malformed Request-Line',
+ )
+ return False
 if not req_protocol.startswith(b'HTTP/'):
 self.simple_response(
 '400 Bad Request',
diff --git a/cheroot/test/test_core.py b/cheroot/test/test_core.py
index cd3841d428..8df2bfeee9 100644
--- a/cheroot/test/test_core.py
+++ b/cheroot/test/test_core.py
@@ -420,6 +420,17 @@ def test_garbage_in(test_client):
 raise
+def test_null_byte_in_request_line(test_client):
+ """Check that NUL bytes in the request line return Bad Request."""
+ c = test_client.get_connection()
+ c._output(b'GET /\x00 HTTP/1.1')
+ c._send_output()
+ response = _get_http_response(c, method='GET')
+ response.begin()
+ assert response.status == HTTP_BAD_REQUEST
+ c.close()
+
+
 class CloseController:
 """Controller for testing the close callback."""
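Review bot: The new `if b'\x00' in request_line:` check rejects only NUL, while the other control bytes (0x01–0x1F, 0x7F) are equally invalid in a request-line under RFC 9112 and still flow on to the `startswith(b'HTTP/')` check below; unless another part of read_request_line or the header parser already rejects them (not visible in this hunk), consider widening it to `if any(c < 0x20 or c == 0x7F for c in request_line.rstrip(b'\r\n')):` so the fix does not leave a sibling class of bytes behind (the `rstrip` assumes the line still carries its CRLF, which the existing `.strip()` suggests). The check is also placed after the `split`, so a NUL-bearing line with fewer than two spaces presumably takes the `except` path instead and is answered from there; moving the check above the `split` gives one consistent rejection regardless of line shape. A why-comment would help the next reader, e.g. `# CTL bytes (incl. NUL) are never valid in a request-line (RFC 9112); reject before parsing`. The enclosing read_request_line body starts and ends outside the hunk.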
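Review bot: `c.close()` on the last line of the new test runs only when the assertion passes, so a failing run leaks the connection into the following tests; wrap the body in `try:` / `finally: c.close()` or close the connection before asserting. The test also exercises just one placement of the NUL (inside the URI), whereas the server-side check is `in request_line`; a `pytest.mark.parametrize` over the method and protocol fields, e.g. `b'GE\x00T / HTTP/1.1'` and `b'GET / HTTP/1.\x001'`, would pin that whole-line scope against a later narrowing to the URI alone. Whether pytest is already imported in this module is not visible in the hunk.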