Description
Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling') vulnerability in Erlang OTP (inets httpd module) allows HTTP Request Smuggling.

This vulnerability is associated with program files lib/inets/src/http_server/httpd_request.erl and program routines httpd_request:parse_headers/7.

The server does not reject or normalize duplicate Content-Length headers. The earliest Content-Length in the request is used for body parsing while common reverse proxies (nginx, Apache httpd, Envoy) honor the last Content-Length value. This violates RFC 9112 Section 6.3 and allows front-end/back-end desynchronization, leaving attacker-controlled bytes queued as the start of the next request.

This issue affects OTP from OTP 17.0 until OTP 28.4.1, OTP 27.3.4.9 and OTP 26.2.5.18, corresponding to inets from 5.10 until 9.6.1, 9.3.2.3 and 9.1.0.5.
Published: 2026-03-13
Score: 7 High
EPSS: < 1% Very Low
KEV: No
Impact: HTTP Request Smuggling
Action: Apply Workaround
AI Analysis

Impact

In Erlang OTP’s inets httpd module, duplicate Content‑Length headers are not rejected or normalized. The server uses the earliest Content‑Length value for body parsing while many reverse proxies honor the last value, violating RFC 9112 Section 6.3. This discrepancy allows HTTP request smuggling, letting an attacker’s payload be interpreted as the start of the next request on the backend. The flaw is identified as CWE‑444 and can lead to unauthorized request injection or data corruption.

Affected Systems

The vulnerability affects Erlang OTP releases from 17.0 through 28.4.1, 27.3.4.9, and 26.2.5.18, corresponding to inets httpd versions 5.10 up to 9.6.1, 9.3.2.3, and 9.1.0.5. The affected product is referenced by the CPE cpe:2.3:a:erlang:erlang/otp:*:*:*:*:*:*:*:*.

Risk and Exploitability

CVSS score 7 indicates high severity, while an EPSS score of less than 1 % suggests the likelihood of exploitation remains low in the near term. The vulnerability is not listed in CISA’s KEV catalog. Based on the description, the likely attack vector is a remote attacker sending a crafted HTTP request containing duplicate Content‑Length headers directly to the vulnerable httpd instance, resulting in request smuggling and potential arbitrary request injection on the backend.

Generated by OpenCVE AI on March 19, 2026 at 17:35 UTC.

Remediation

Vendor Workaround

* Configure frontend proxy to reject requests with duplicate Content-Length headers. * Disable HTTP keep-alive on httpd by adding `{keep_alive, false}` to httpd configuration. Note: This impacts performance for clients making multiple requests. * Deploy a Web Application Firewall (WAF) configured to reject requests with multiple Content-Length headers.

OpenCVE Recommended Actions

  • Configure your front‑end proxy to reject requests containing duplicate Content‑Length headers.
  • Disable HTTP keep‑alive on the inets httpd by adding the option {keep_alive, false} to the configuration, accepting the performance impact for clients with multiple requests.
  • Deploy a Web Application Firewall configured to reject requests with multiple Content‑Length headers.

Generated by OpenCVE AI on March 19, 2026 at 17:35 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 16 Mar 2026 10:15:00 +0000

Type Values Removed Values Added
First Time appeared Erlang erlang/otp
Vendors & Products Erlang erlang/otp

Fri, 13 Mar 2026 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 13 Mar 2026 09:30:00 +0000

Type Values Removed Values Added
Description Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling') vulnerability in Erlang OTP (inets httpd module) allows HTTP Request Smuggling. This vulnerability is associated with program files lib/inets/src/http_server/httpd_request.erl and program routines httpd_request:parse_headers/7. The server does not reject or normalize duplicate Content-Length headers. The earliest Content-Length in the request is used for body parsing while common reverse proxies (nginx, Apache httpd, Envoy) honor the last Content-Length value. This violates RFC 9112 Section 6.3 and allows front-end/back-end desynchronization, leaving attacker-controlled bytes queued as the start of the next request. This issue affects OTP from OTP 17.0 until OTP 28.4.1, OTP 27.3.4.9 and OTP 26.2.5.18, corresponding to inets from 5.10 until 9.6.1, 9.3.2.3 and 9.1.0.5.
Title Request smuggling via first-wins Content-Length parsing in inets httpd
First Time appeared Erlang
Erlang erlang\/otp
Weaknesses CWE-444
CPEs cpe:2.3:a:erlang:erlang\/otp:*:*:*:*:*:*:*:*
Vendors & Products Erlang
Erlang erlang\/otp
References
Metrics cvssV4_0

{'score': 7, 'vector': 'CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:L'}

Subscriptions

Erlang Erlang/otp Erlang\/otp
cve-icon MITRE

Status: PUBLISHED

Assigner: EEF

Published:

Updated: 2026-03-13T16:07:56.533Z

Reserved: 2026-01-19T14:23:14.343Z

Link: CVE-2026-23941

cve-icon Vulnrichment

Updated: 2026-03-13T16:00:52.958Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-03-13T19:54:15.237

Modified: 2026-03-16T14:54:11.293

Link: CVE-2026-23941

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-23T09:59:34Z

Weaknesses