UNDERTOW-2596

Undertow improperly terminates the HTTP/1.1 header block



      1. Start an Undertow-based web server, such as this one: https://github.com/narfindustries/http-garden/blob/main/images/undertow/GardenServer.java
      2. Send it a request with a header block ending in `\r\r\r` instead of `\r\n\r\n`, and observe that it still responds 200:
      ```
      printf 'GET / HTTP/1.1\r\nHost: whatever\r\r\r' | ncat localhost 80
      HTTP/1.1 200 OK
      Connection: keep-alive
      Content-Length: 105
      Date: Wed, 27 Aug 2025 20:42:55 GMT

      {"uri":"Lw==","method":"R0VU","version":"SFRUUC8xLjE=","headers":[["SG9zdA==","d2hhdGV2ZXI="]],"body":""}

      ```


      Undertow allows `\r\r\r` as a header block terminator. This can be used for request smuggling with proxy servers that forward this byte sequence unchanged, including older versions of Apache Traffic Server and Google Cloud Classic Application Load Balancer.
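      A strict terminator check, added here as an illustration and not taken from Undertow's own parser: it accepts only `\r\n\r\n` (or the bare-LF form that RFC 9112 tolerates) as the end of the header block and refuses any bare CR, so the request from the reproduction above is rejected rather than parsed as complete. The function names are assumptions for this example.

      ```python
      import re
      from typing import Optional

      # RFC 9112 section 2.2: lines end in CRLF, a recipient may accept a bare LF,
      # and a bare CR (one not followed by LF) is invalid and should be rejected.
      # A parser that follows this never treats "\r\r\r" as a block terminator.
      BARE_CR = re.compile(rb"\r(?!\n)")


      def find_header_block_end(data: bytes) -> Optional[int]:
          """Return the offset just past the header-block terminator, or None if
          the block is not yet complete. Raise ValueError when the bytes seen so
          far contain a bare CR, which is the byte pattern this issue describes."""
          # Canonical terminator first, then the bare-LF form RFC 9112 tolerates.
          for terminator in (b"\r\n\r\n", b"\n\n"):
              idx = data.find(terminator)
              if idx != -1:
                  head = data[:idx + len(terminator)]
                  if BARE_CR.search(head):
                      raise ValueError("bare CR inside header block")
                  return idx + len(terminator)
          # No terminator yet. A trailing CR may be half of a CRLF split across
          # reads, so ignore only that last byte when scanning for bare CRs.
          pending = data[:-1] if data.endswith(b"\r") else data
          if BARE_CR.search(pending):
              raise ValueError("bare CR inside header block")
          return None


      def classify_request(data: bytes) -> str:
          """'complete' when a well-formed header block is present, 'incomplete'
          when more bytes are needed, 'reject' when the peer should get a 400."""
          try:
              end = find_header_block_end(data)
          except ValueError:
              return "reject"
          return "complete" if end is not None else "incomplete"


      if __name__ == "__main__":
          # Constructed inputs: the bytes from the reproduction above, and the
          # same request with a correct terminator.
          print(classify_request(b"GET / HTTP/1.1\r\nHost: whatever\r\r\r"))    # reject
          print(classify_request(b"GET / HTTP/1.1\r\nHost: whatever\r\n\r\n"))  # complete
      ```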

              ropalka Richard Opalka
              kenballus Ben Kallus (Inactive)