Description

actix-http has HTTP/1.1 CL.TE Request Smuggling A vulnerability in actix-http's HTTP/1.1 request parser allows an unauthenticated remote client to smuggle requests in deployments where a front-end HTTP intermediary and the Actix backend disagree about whether Content-Length or Transfer-Encoding: chunked defines the request body length.

Severity

Medium. This is an HTTP request smuggling vulnerability that can be triggered over the network without application-level credentials. Exploitation requires a specific proxy topology: an upstream proxy, WAF, load balancer, or similar intermediary must use Content-Length framing while forwarding the conflicting Transfer-Encoding: chunked request to an Actix backend over a reused HTTP/1.1 connection.

Affected Versions

actix-http: versions up to and including 3.12.0

Description

HTTP/1.1 requests that contain both Content-Length and Transfer-Encoding: chunked are ambiguous and must be rejected by recipients to avoid request smuggling.

Affected versions of actix-http accepted a request with a syntactically valid Content-Length header and Transfer-Encoding: chunked on the same HTTP/1.1 message. The parser then selected chunked decoding instead of rejecting the conflicting framing signals.

In a CL.TE proxy topology, an intermediary may treat bytes after the declared Content-Length body as part of the first request, while the Actix backend stops at the terminating chunk marker and parses the remaining bytes on the backend connection as a second HTTP request. This creates a backend-side request desynchronization primitive.

The issue is limited to HTTP/1.1 request parsing.

Impact

HTTP request smuggling

Attack Vector: Network, unauthenticated.

Effect: Backend request desynchronization with low integrity impact to requests processed by the vulnerable Actix service.

Scope: Actix services using affected actix-http versions behind an HTTP/1.1 intermediary that forwards ambiguous Content-Length plus Transfer-Encoding: chunked requests and reuses backend connections.

No direct confidentiality, availability, or subsequent-system impact is scored for this advisory.

Fixed Versions

This issue is fixed in actix-http 3.12.1.

The fix rejects HTTP/1.1 requests that contain both Content-Length and Transfer-Encoding: chunked instead of choosing one framing interpretation.

Mitigation

Users should upgrade to actix-http 3.12.1 or later.

Applications that depend on actix-http through actix-web, awc, or another Actix crate should ensure dependency resolution selects actix-http 3.12.1 or later. For example:

cargo update -p actix-http

If an immediate upgrade is not possible, configure all upstream HTTP intermediaries to reject HTTP/1.1 requests that contain both Content-Length and Transfer-Encoding, and avoid forwarding ambiguous request framing to Actix backends.

Credits

Actix thanks mufeedvh who disclosed this issue through coordinated disclosure.

Aliases

References