New HTTP Smuggling Technique Allows Hackers to Inject Malicious Requests
gbhackers
Cybersecurity researchers have uncovered a sophisticated HTTP request smuggling attack that exploits inconsistent parsing behaviors between front-end proxy servers and back-end application servers.
This newly discovered technique leverages malformed chunk extensions to bypass security controls and inject unauthorized requests into web applications, representing a significant evolution in HTTP smuggling methodologies.
The attack technique was identified through security research focused on inconsistencies in the HTTP/1.1 protocol.
Following responsible disclosure protocols, security patches have been implemented and deployed across affected systems.
Organizations maintaining current software versions are now protected against this specific attack vector, though the discovery highlights ongoing vulnerabilities in distributed web architectures.
Technical Mechanism Behind the Attack
The exploitation centers on HTTP/1.1’s chunked transfer encoding feature, which allows message bodies to be sent in segments.
According to RFC 9112, each chunk includes a size header in hexadecimal format, potentially followed by optional extensions prefixed with ...
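As an added example (not code from the article or from any affected product), the following strict decoder accepts a chunked body only when every chunk-size line matches the RFC 9112 section 7.1 grammar and rejects anything else instead of guessing, which is the behaviour that keeps a front end and a back end from disagreeing on message boundaries. The names `decode_chunked`, `ChunkedError` and `SAMPLE`, the 8-hex-digit size cap and the refusal of trailer fields are assumptions of this example.

```python
import re

# Chunk-size line grammar from RFC 9112 section 7.1 (terminating CRLF excluded).
TOKEN = rb"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
QUOTED = rb'"(?:[\t \x21\x23-\x5b\x5d-\x7e\x80-\xff]|\\[\t \x21-\x7e\x80-\xff])*"'
BWS = rb"[ \t]*"
CHUNK_EXT = (BWS + rb";" + BWS + TOKEN +
             rb"(?:" + BWS + rb"=" + BWS + rb"(?:" + TOKEN + rb"|" + QUOTED + rb"))?")
# Assumption of this example: cap chunk-size at 8 hex digits to avoid overflow games.
SIZE_LINE = re.compile(rb"([0-9A-Fa-f]{1,8})(?:" + CHUNK_EXT + rb")*")
# Constructed sample body: two chunks, the second with a well-formed extension.
SAMPLE = b"4\r\nWiki\r\n5;name=val\r\npedia\r\n0\r\n\r\n"


class ChunkedError(ValueError):
    """Raised when a chunked body deviates from the RFC 9112 grammar."""


def decode_chunked(body: bytes) -> tuple[bytes, bytes]:
    """Strictly decode a chunked body; return (payload, bytes left after it)."""
    pos, out = 0, bytearray()
    while True:
        eol = body.find(b"\r\n", pos)
        if eol < 0:
            raise ChunkedError("chunk-size line not terminated by CRLF")
        line = body[pos:eol]
        # fullmatch also rejects a bare CR or LF hidden inside the line.
        m = SIZE_LINE.fullmatch(line)
        if m is None:
            raise ChunkedError(f"malformed chunk-size line: {line!r}")
        size = int(m.group(1), 16)
        pos = eol + 2
        if size == 0:
            break
        data = body[pos:pos + size]
        if len(data) != size or body[pos + size:pos + size + 2] != b"\r\n":
            raise ChunkedError("chunk data not followed by CRLF")
        out += data
        pos += size + 2
    # Trailer section: this example accepts only an empty one.
    if body[pos:pos + 2] != b"\r\n":
        raise ChunkedError("trailer fields not accepted by this example")
    return bytes(out), body[pos + 2:]
```

A component that raises `ChunkedError` should answer 400 and close the connection rather than forward or reinterpret the remaining bytes.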
Copyright of this story solely belongs to gbhackers.