OFFSITE.DARK

Jun 29, 2026


Sploitus / Exploitarium

  • nghttp2
  • nghttpx
  • smuggling
  • exploitarium

news

nghttpx HTTP/1.1 Upgrade Response Queue Poisoning

Upgrade request with Content-Length leaves backend bytes parsed as next request — smuggled response delivered to victim client on reused connection.

Summary

An Upgrade request sent with a Content-Length leaves bytes that are parsed on the backend connection as the next request, so the smuggled response is delivered to a victim client on the reused connection. This proof-of-concept is one of 30 folders in the Exploitarium collection. OFFSITE.DARK summarizes the upstream README and PoC design; we did not discover or weaponize this flaw.

Key Findings

Finding | Detail
Product / target | nghttp2 v1.69.0 nghttpx (fixed ab28105c)
Primitive | HTTP/1.1 Upgrade + body desync on backend keep-alive
Impact | Cross-client response poisoning; cache confusion; same-origin content injection.

Attack Chain

GET /upgrade + websocket body containing GET /poisoned → victim GET /victim receives smuggled payload

Mitigation

Upgrade nghttp2 to a release that includes the fix; disable risky Upgrade forwarding; isolate connections per client.
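
A detection check for the request shape in the attack chain above, as an added example that is not taken from the upstream README or PoC. It assumes raw HTTP/1.1 requests are available at the proxy front end (for example from a capture); the function names, finding labels and sample requests are constructed for illustration.

```python
import re

# A line shaped like an HTTP/1.x request line, used to inspect body bytes.
REQUEST_LINE = re.compile(rb"^[A-Z]{3,10} \S+ HTTP/1\.[01]\r?\n", re.M)


def parse_request(raw: bytes):
    """Split one raw request into (request line, headers, bytes after the header block)."""
    head, _, rest = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return lines[0], headers, rest


def audit_upgrade_request(raw: bytes):
    """Return findings for an Upgrade request that also carries a body; [] means clean."""
    _, headers, rest = parse_request(raw)
    if b"upgrade" not in headers:
        return []
    findings = []
    lengths = headers.get(b"content-length", [])
    declared = max((int(v) for v in lengths if v.isdigit()), default=0)
    chunked = any(b"chunked" in v.lower() for v in headers.get(b"transfer-encoding", []))
    if declared > 0 or chunked:
        findings.append("upgrade-with-body")
    if REQUEST_LINE.search(rest):
        findings.append("body-contains-request-line")
    return findings


# Constructed samples (not captured traffic); proxy.example is a placeholder host.
EMBEDDED_BODY = b"GET /poisoned HTTP/1.1\r\nHost: proxy.example\r\n\r\n"
UPGRADE_WITH_BODY = (
    b"GET /upgrade HTTP/1.1\r\nHost: proxy.example\r\n"
    b"Connection: Upgrade\r\nUpgrade: websocket\r\n"
    b"Content-Length: %d\r\n\r\n" % len(EMBEDDED_BODY)
) + EMBEDDED_BODY
PLAIN_UPGRADE = (
    b"GET /chat HTTP/1.1\r\nHost: proxy.example\r\n"
    b"Connection: Upgrade\r\nUpgrade: websocket\r\n\r\n"
)
PLAIN_POST = b"POST /form HTTP/1.1\r\nHost: proxy.example\r\nContent-Length: 3\r\n\r\na=b"

if __name__ == "__main__":
    for name in ("UPGRADE_WITH_BODY", "PLAIN_UPGRADE", "PLAIN_POST"):
        print(name, audit_upgrade_request(globals()[name]))
```

Either finding on an Upgrade request is worth alerting on or rejecting at the edge, since an ordinary WebSocket handshake carries no request body.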
