HTTP/1.1 desync attacks

• isolation between individual http requests is fundamentally broken in http/1.1
  • no reliable way to say when one request finishes and next request starts
  • multiple ways to specify request length + requests are concatenated under single connection without delimiters
• request smuggling
  • between client and application servers, request passes through multiple components such as load balancers, reverse proxies, etc.
  • HTTP request parsers inconsistency: an attacker can craft a request that one component sees as complete, but the other continues to parse into a second, malicious request made on the same connection.
  • the malicious request could inject headers and its URL into a subsequent valid request sent on the same connection.

Links

• Black Hat USA 2025 | HTTP/1.1 Must Die! The Desync Endgame
• Resolving a request smuggling vulnerability in Pingora
• HTTP/1.1 must die: the desync endgame
• CVE-2025-4366
• HTTP/1.1