nghttpx HTTP/1.1 Upgrade Response Queue Poisoning
Summary
An HTTP/1.1 Upgrade request that carries a Content-Length body leaves bytes on the backend connection that are parsed as the next request; the smuggled response is then delivered to a victim client on the reused connection. This proof-of-concept is one of 30 folders in the Exploitarium collection. OFFSITE.DARK summarizes the upstream README and PoC design; we did not discover or weaponize this flaw.
Key Findings
| Finding | Detail |
|---|---|
| Product / target | nghttpx in nghttp2 v1.69.0 (fixed in ab28105c) |
| Primitive | HTTP/1.1 Upgrade + body desync on backend keep-alive |
| Impact | Cross-client response poisoning; cache confusion; same-origin content injection. |
Attack Chain
GET /upgrade + websocket body containing GET /poisoned → victim GET /victim receives smuggled payload
Mitigation
Upgrade nghttp2 to a version that includes the fix; disable forwarding of risky Upgrade requests; isolate backend connections per client.
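
Until the fixed version is deployed, the mitigation of not forwarding risky Upgrade requests can be enforced by a filter in front of the proxy that rejects any Upgrade request declaring a body. The following is an added example, not code from the upstream README or the nghttp2 project; the function names, the host `app.example` and the sample request heads are constructed, and the "Upgrade requests carry no body" policy is an assumption based on the WebSocket handshake being a body-less GET.

```python
# Policy (assumption): a WebSocket handshake is a GET with no body, so an
# Upgrade request that declares body framing is rejected before forwarding.

def parse_head(head: bytes):
    """Split a request head into (method, target, [(name, value), ...])."""
    lines = head.split(b"\r\n\r\n", 1)[0].decode("latin-1").split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = []
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep or name != name.strip():  # no colon, or whitespace around the name
            raise ValueError(f"malformed header line: {line!r}")
        headers.append((name.lower(), value.strip()))
    return method, target, headers

def upgrade_body_findings(head: bytes) -> list[str]:
    """Return reasons to reject; an empty list means nothing was flagged."""
    _method, _target, headers = parse_head(head)
    def values(name):
        return [v for k, v in headers if k == name]
    conn_tokens = {t.strip().lower() for v in values("connection") for t in v.split(",")}
    if not values("upgrade") or "upgrade" not in conn_tokens:
        return []  # not an Upgrade request; outside this check
    findings = []
    lengths = values("content-length")
    if len(set(lengths)) > 1:
        findings.append("conflicting Content-Length headers")
    for raw in sorted(set(lengths)):
        if not (raw.isascii() and raw.isdigit()):
            findings.append(f"non-numeric Content-Length {raw!r}")
        elif int(raw) > 0:
            findings.append(f"Upgrade request declares a {int(raw)}-byte body")
    if values("transfer-encoding"):
        findings.append("Upgrade request uses Transfer-Encoding")
    return findings

# Constructed sample heads (bodies omitted; only the framing headers matter).
HANDSHAKE = (b"GET /chat HTTP/1.1\r\nHost: app.example\r\nConnection: keep-alive, Upgrade\r\n"
             b"Upgrade: websocket\r\nSec-WebSocket-Version: 13\r\n\r\n")
WITH_BODY = (b"GET /upgrade HTTP/1.1\r\nHost: app.example\r\nConnection: Upgrade\r\n"
             b"Upgrade: websocket\r\nContent-Length: 27\r\n\r\n")
PLAIN_POST = b"POST /form HTTP/1.1\r\nHost: app.example\r\nContent-Length: 27\r\n\r\n"

if __name__ == "__main__":
    for label, head in [("handshake", HANDSHAKE), ("with body", WITH_BODY), ("post", PLAIN_POST)]:
        print(label, upgrade_body_findings(head) or "ok")
```

The same predicate can be run over captured request heads to find past Upgrade requests that carried a body.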