GHSA-XHJ4-VRGC-HR34
Vulnerability from github – Published: 2026-04-22 14:37 – Updated: 2026-04-22 14:37A vulnerability in actix-http's HTTP/1.1 request parser allows an unauthenticated remote client to smuggle requests in deployments where a front-end HTTP intermediary and the Actix backend disagree about whether Content-Length or Transfer-Encoding: chunked defines the request body length.
Severity
Medium.
This is an HTTP request smuggling vulnerability that can be triggered over the network without application-level credentials. Exploitation requires a specific proxy topology: an upstream proxy, WAF, load balancer, or similar intermediary must use Content-Length framing while forwarding the conflicting Transfer-Encoding: chunked request to an Actix backend over a reused HTTP/1.1 connection.
Affected Versions
actix-http: versions up to and including 3.12.0
Description
HTTP/1.1 requests that contain both Content-Length and Transfer-Encoding: chunked are ambiguous and must be rejected by recipients to avoid request smuggling.
Affected versions of actix-http accepted a request with a syntactically valid Content-Length header and Transfer-Encoding: chunked on the same HTTP/1.1 message. The parser then selected chunked decoding instead of rejecting the conflicting framing signals.
In a CL.TE proxy topology, an intermediary may treat bytes after the declared Content-Length body as part of the first request, while the Actix backend stops at the terminating chunk marker and parses the remaining bytes on the backend connection as a second HTTP request. This creates a backend-side request desynchronization primitive.
The issue is limited to HTTP/1.1 request parsing.
Impact
HTTP request smuggling
- Attack Vector: Network, unauthenticated.
- Effect: Backend request desynchronization with low integrity impact to requests processed by the vulnerable Actix service.
- Scope: Actix services using affected
actix-httpversions behind an HTTP/1.1 intermediary that forwards ambiguousContent-LengthplusTransfer-Encoding: chunkedrequests and reuses backend connections.
No direct confidentiality, availability, or subsequent-system impact is scored for this advisory.
Fixed Versions
This issue is fixed in actix-http 3.12.1.
The fix rejects HTTP/1.1 requests that contain both Content-Length and Transfer-Encoding: chunked instead of choosing one framing interpretation.
Mitigation
Users should upgrade to actix-http 3.12.1 or later.
Applications that depend on actix-http through actix-web, awc, or another Actix crate should ensure dependency resolution selects actix-http 3.12.1 or later. For example:
cargo update -p actix-http
If an immediate upgrade is not possible, configure all upstream HTTP intermediaries to reject HTTP/1.1 requests that contain both Content-Length and Transfer-Encoding, and avoid forwarding ambiguous request framing to Actix backends.
Credits
Actix thanks mufeedvh who disclosed this issue through coordinated disclosure.
{
"affected": [
{
"package": {
"ecosystem": "crates.io",
"name": "actix-http"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.12.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-444"
],
"github_reviewed": true,
"github_reviewed_at": "2026-04-22T14:37:30Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"details": "A vulnerability in `actix-http`\u0027s HTTP/1.1 request parser allows an unauthenticated remote client to smuggle requests in deployments where a front-end HTTP intermediary and the Actix backend disagree about whether `Content-Length` or `Transfer-Encoding: chunked` defines the request body length.\n\n## Severity\n\n**Medium**.\nThis is an HTTP request smuggling vulnerability that can be triggered over the network without application-level credentials. Exploitation requires a specific proxy topology: an upstream proxy, WAF, load balancer, or similar intermediary must use `Content-Length` framing while forwarding the conflicting `Transfer-Encoding: chunked` request to an Actix backend over a reused HTTP/1.1 connection.\n\n## Affected Versions\n\n- `actix-http`: versions up to and including **3.12.0**\n\n## Description\n\nHTTP/1.1 requests that contain both `Content-Length` and `Transfer-Encoding: chunked` are ambiguous and must be rejected by recipients to avoid request smuggling.\n\nAffected versions of `actix-http` accepted a request with a syntactically valid `Content-Length` header and `Transfer-Encoding: chunked` on the same HTTP/1.1 message. The parser then selected chunked decoding instead of rejecting the conflicting framing signals.\n\nIn a CL.TE proxy topology, an intermediary may treat bytes after the declared `Content-Length` body as part of the first request, while the Actix backend stops at the terminating chunk marker and parses the remaining bytes on the backend connection as a second HTTP request. This creates a backend-side request desynchronization primitive.\n\nThe issue is limited to HTTP/1.1 request parsing.\n\n## Impact\n\n**HTTP request smuggling**\n\n* **Attack Vector:** Network, unauthenticated.\n* **Effect:** Backend request desynchronization with low integrity impact to requests processed by the vulnerable Actix service.\n* **Scope:** Actix services using affected `actix-http` versions behind an HTTP/1.1 intermediary that forwards ambiguous `Content-Length` plus `Transfer-Encoding: chunked` requests and reuses backend connections.\n\nNo direct confidentiality, availability, or subsequent-system impact is scored for this advisory.\n\n## Fixed Versions\n\nThis issue is fixed in **actix-http 3.12.1**.\n\nThe fix rejects HTTP/1.1 requests that contain both `Content-Length` and `Transfer-Encoding: chunked` instead of choosing one framing interpretation.\n\n## Mitigation\n\nUsers should upgrade to **actix-http 3.12.1** or later.\n\nApplications that depend on `actix-http` through `actix-web`, `awc`, or another Actix crate should ensure dependency resolution selects `actix-http` 3.12.1 or later. For example:\n\n```bash\ncargo update -p actix-http\n```\n\nIf an immediate upgrade is not possible, configure all upstream HTTP intermediaries to reject HTTP/1.1 requests that contain both `Content-Length` and `Transfer-Encoding`, and avoid forwarding ambiguous request framing to Actix backends.\n## Credits\n\nActix thanks [mufeedvh](https://github.com/mufeedvh) who disclosed this issue through coordinated disclosure.",
"id": "GHSA-xhj4-vrgc-hr34",
"modified": "2026-04-22T14:37:30Z",
"published": "2026-04-22T14:37:30Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/actix/actix-web/security/advisories/GHSA-xhj4-vrgc-hr34"
},
{
"type": "PACKAGE",
"url": "https://github.com/actix/actix-web"
},
{
"type": "WEB",
"url": "https://github.com/actix/actix-web/releases/tag/http-v3.12.1"
},
{
"type": "WEB",
"url": "https://www.rfc-editor.org/rfc/rfc9112.html#name-message-body-length"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "actix-http has HTTP/1.1 CL.TE Request Smuggling "
}
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.