libsoup Duplicate Host Header Handling Vulnerability Leading to Request Smuggling and Cache Poisoning

A vulnerability in libsoup's handling of HTTP headers allows the inclusion of multiple Host headers in a request, with the last occurrence being processed by the server. This can create discrepancies with common front proxies that typically honor the first Host header, leading to virtual host confusion. As a result, a proxy might route a request to one backend, while the backend interprets it as intended for a different host. This vulnerability can be exploited to perform request-smuggling attacks, poison caches, or bypass host-based access controls by manipulating duplicate Host headers.

Impact

Exploitation of this vulnerability can cause virtual host confusion, allowing for cache poisoning, request-smuggling attacks, or bypassing host-based access controls.

Reproduction

The vulnerability can be reproduced by sending an HTTP request with multiple Host headers. A front proxy that honors the first Host header should route the request to a backend server. However, the backend server, using libsoup, will process the last Host header, creating a mismatch that can be exploited.