Description
nghttp2's nghttpx proxy through 1.69.0 forwards an HTTP/1.1 Upgrade request that also carries a Content-Length header and body onto reusable keep-alive backend connections, re-adding the Upgrade and Connection headers while passing Content-Length verbatim. A backend that resolves the resulting ambiguous message in the attacker's favor enables HTTP request/response smuggling and cross-client response-queue poisoning.
Published: 2026-06-28
Score: 6.3 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

nghttpx, the reverse proxy shipped with nghttp2, accepts an HTTP/1.1 Upgrade request that also carries a Content-Length header and body and forwards it onto a reusable keep-alive backend connection. While doing so it re-adds the Upgrade and Connection headers but copies the original Content-Length verbatim, so the backend receives a message that is at once an upgrade attempt and a request with a declared body. This is CWE-444, Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling'). If the backend resolves that ambiguity differently from the proxy, for example by treating the Upgrade request as bodiless, the bytes the proxy regards as the body are parsed by the backend as a second request on the same connection. The extra response then sits in the backend's response queue and is delivered to whichever client the proxy next multiplexes onto that connection. That is the cross-client response-queue poisoning the description refers to: an attacker can cause another client to receive a response of the attacker's choosing, or inject data into what other clients see.

Affected Systems

Deployments running the nghttpx proxy from nghttp2 1.69.0 or any earlier release are affected; the description says "through 1.69.0", so 1.69.0 itself is included. The description names only the nghttpx proxy as the vulnerable component, while the CPE (cpe:2.3:a:nghttp2:nghttp2) covers the nghttp2 package as a whole, so inventory by package version and then confirm whether nghttpx is actually deployed in front of keep-alive HTTP/1.1 backends.

Risk and Exploitability

The CVSS 4.0 score is 6.3 (Medium); the CVSS 3.1 vector scores 5.4. Both vectors rate attack complexity as High because exploitation depends on the backend parsing the ambiguous message differently from nghttpx, and both record low confidentiality and integrity impact with no availability impact, reaching clients other than the attacker (S:C in 3.1, SI:L in 4.0). No EPSS score is available and the vulnerability is not in CISA KEV, so there is no public evidence of exploitation at the time of writing; that is an absence of evidence, not a measure of risk. The attack is network-reachable and unauthenticated: an external attacker sends a crafted HTTP/1.1 Upgrade request with a Content-Length header and a body whose bytes form a second request, and it succeeds only against a backend that accepts the attacker's reading of the message. Risk is therefore moderate and hinges on the parsing behaviour of the backends behind nghttpx, which should be tested rather than assumed.

Generated by OpenCVE AI on June 28, 2026 at 03:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade nghttpx to the first nghttp2 release after 1.69.0 that addresses this issue; this page currently records no vendor fix or workaround, so check the nghttp2 release notes and security advisories before relying on a version number
  • Until a fixed build is deployed, reject HTTP/1.1 Upgrade requests that also carry a non-zero Content-Length or a Transfer-Encoding header at a layer in front of nghttpx (edge load balancer or WAF) so the ambiguous message never reaches the proxy. A WebSocket opening handshake is a bodiless GET, so this does not break it; the h2c Upgrade of RFC 7540 did permit a body, so test that path first if you depend on it. Alternatively, prevent backend connections from being reused across clients so that a desynchronized connection cannot poison another client's response, at the cost of connection reuse
  • Monitor for Upgrade requests that also announce a body, and for backend-side symptoms of desynchronization: responses whose status or content does not match the request that was sent, unexplained 400s or timeouts on keep-alive backend connections, and clients receiving responses for paths they never requested

Generated by OpenCVE AI on June 28, 2026 at 03:50 UTC.
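As an added worked example (constructed for this page, not nghttpx code or any code from the nghttp2 project), the following Python models the desync described under Impact and the reject check suggested under Recommended Actions. A toy proxy forwards each client request onto one shared keep-alive backend connection, re-adding Upgrade and Connection and copying Content-Length verbatim, then reads exactly one response per forwarded request, first in, first out. Two toy backends differ only in how they resolve the ambiguity: one honours Content-Length on an Upgrade request, the other treats an Upgrade request as bodiless, so the bytes after the head are parsed as a second request. Client A (the attacker) sends an Upgrade request whose body is a smuggled second request; client B then sends an ordinary request. Against the second backend, B receives the response to the smuggled request. The names (Backend, Proxy, is_ambiguous_upgrade, run_scenario), the host app.internal and all request bytes are assumptions made for the example.

```python
"""Constructed simulation of an Upgrade + Content-Length desync through a keep-alive proxy.

Added example for this page; it is not nghttpx code. The proxy and backends below
model only the parsing behaviour the advisory describes.
"""


def parse_message(buf: bytes):
    """Split one HTTP/1.1 head off buf. Returns (start_line, headers, rest) or None if incomplete."""
    end = buf.find(b"\r\n\r\n")
    if end < 0:
        return None
    lines = buf[:end].decode("latin-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, buf[end + 4:]


def build_response(status: str, body: bytes) -> bytes:
    return f"HTTP/1.1 {status}\r\nContent-Length: {len(body)}\r\n\r\n".encode("latin-1") + body


def is_ambiguous_upgrade(headers: dict) -> bool:
    """True for an Upgrade request that also announces a body (Content-Length > 0 or
    Transfer-Encoding): the message admits two readings and should not be forwarded."""
    if "upgrade" not in headers:
        return False
    return int(headers.get("content-length", "0")) > 0 or "transfer-encoding" in headers


class Backend:
    """Keep-alive HTTP/1.1 backend that never accepts the upgrade (always answers 200).

    body_on_upgrade=True  honours Content-Length on Upgrade requests (agrees with the proxy).
    body_on_upgrade=False treats an Upgrade request as bodiless, so the bytes after the
                          head are parsed as the next request (the attacker-favourable reading).
    """

    def __init__(self, body_on_upgrade: bool):
        self.body_on_upgrade = body_on_upgrade
        self.inbound = b""   # bytes the proxy has written to this connection
        self.outbound = b""  # responses queued for the proxy to read, in order

    def receive(self, data: bytes) -> None:
        self.inbound += data
        while (parsed := parse_message(self.inbound)) is not None:
            start_line, headers, rest = parsed
            body_len = int(headers.get("content-length", "0"))
            if "upgrade" in headers and not self.body_on_upgrade:
                body_len = 0
            if len(rest) < body_len:
                return  # body not yet complete; wait for more bytes
            self.inbound = rest[body_len:]
            method, path, _ = start_line.split(" ", 2)
            self.outbound += build_response("200 OK", f"handled {method} {path}".encode("latin-1"))


class Proxy:
    """Forwards client requests onto one shared keep-alive backend connection and hands
    back exactly one backend response per forwarded request, first in, first out."""

    def __init__(self, backend: Backend, reject_ambiguous_upgrade: bool = False):
        self.backend = backend
        self.reject_ambiguous_upgrade = reject_ambiguous_upgrade

    def handle(self, raw_request: bytes) -> bytes:
        start_line, headers, rest = parse_message(raw_request)
        body = rest[: int(headers.get("content-length", "0"))]  # the proxy honours Content-Length
        if self.reject_ambiguous_upgrade and is_ambiguous_upgrade(headers):
            return build_response("400 Bad Request", b"upgrade request must not carry a body")
        # Re-emit the head as the advisory describes: Upgrade and Connection are re-added
        # for Upgrade requests and Content-Length is copied verbatim.
        out = [start_line] + [f"{n}: {v}" for n, v in headers.items() if n not in ("connection", "upgrade")]
        if "upgrade" in headers:
            out += [f"upgrade: {headers['upgrade']}", "connection: Upgrade"]
        self.backend.receive(("\r\n".join(out) + "\r\n\r\n").encode("latin-1") + body)
        return self._read_one_response()

    def _read_one_response(self) -> bytes:
        _, headers, rest = parse_message(self.backend.outbound)
        consumed = len(self.backend.outbound) - len(rest) + int(headers.get("content-length", "0"))
        response = self.backend.outbound[:consumed]
        self.backend.outbound = self.backend.outbound[consumed:]
        return response


def run_scenario(body_on_upgrade: bool, hardened_proxy: bool = False) -> dict:
    """Client A (attacker) sends an Upgrade request whose body is a second request;
    client B (victim) then sends an ordinary request through the same proxy."""
    smuggled = b"GET /admin HTTP/1.1\r\nhost: app.internal\r\n\r\n"  # constructed payload
    attacker_req = (
        b"GET /chat HTTP/1.1\r\nhost: app.internal\r\nconnection: Upgrade\r\nupgrade: websocket\r\n"
        + b"content-length: " + str(len(smuggled)).encode("latin-1") + b"\r\n\r\n" + smuggled
    )
    victim_req = b"GET /profile HTTP/1.1\r\nhost: app.internal\r\n\r\n"
    proxy = Proxy(Backend(body_on_upgrade), reject_ambiguous_upgrade=hardened_proxy)
    return {"attacker": proxy.handle(attacker_req), "victim": proxy.handle(victim_req)}


if __name__ == "__main__":
    cases = [("backend honours Content-Length", dict(body_on_upgrade=True)),
             ("backend ignores body on Upgrade", dict(body_on_upgrade=False)),
             ("same backend, proxy rejects ambiguous Upgrade", dict(body_on_upgrade=False, hardened_proxy=True))]
    for label, kw in cases:
        r = run_scenario(**kw)
        victim_body = r["victim"].split(b"\r\n\r\n", 1)[1]
        print(f"{label}: victim got {victim_body!r}")
```

Run the file to see which response each client receives under the three configurations. The hardened proxy refuses any Upgrade request that announces a body (Content-Length greater than zero or a Transfer-Encoding header) with a 400 before anything is written to the backend connection, which is the check the second recommended action describes. Whether your real backends behave like the first or the second toy backend is exactly the property that needs to be tested, because it decides whether the forwarded message is harmless or a desync primitive.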


Advisories

No advisories yet.

History

Sun, 28 Jun 2026 02:15:00 +0000

Type                 Values Removed   Values Added
Description          (none)           nghttp2's nghttpx proxy through 1.69.0 forwards an HTTP/1.1 Upgrade request that also carries a Content-Length header and body onto reusable keep-alive backend connections, re-adding the Upgrade and Connection headers while passing Content-Length verbatim. A backend that resolves the resulting ambiguous message in the attacker's favor enables HTTP request/response smuggling and cross-client response-queue poisoning.
Title                (none)           nghttp2 nghttpx - HTTP Request/Response Smuggling via Upgrade Request with Content-Length
First Time appeared  (none)           Nghttp2; Nghttp2 nghttp2
Weaknesses           (none)           CWE-444
CPEs                 (none)           cpe:2.3:a:nghttp2:nghttp2:*:*:*:*:*:*:*:*
Vendors & Products   (none)           Nghttp2; Nghttp2 nghttp2
References           (none)           (none)
Metrics              (none)           cvssV3_1: score 5.4, vector CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N
                                      cvssV4_0: score 6.3, vector CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:L/SA:N


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-06-28T01:32:57.163Z

Reserved: 2026-06-28T00:55:25.426Z

Link: CVE-2026-58055

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-28T04:00:12Z

Weaknesses
  • CWE-444

    Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')