h2 HTTP/2 Request Splitting Vulnerability Allowing Request Smuggling
Vulnerability
A request splitting vulnerability has been identified in h2, a pure-Python implementation of an HTTP/2 protocol stack. In versions prior to 4.3.0, h2 did not reject carriage return and line feed (CRLF) characters in HTTP header names and values. When a server or proxy that uses h2 accepts such a request and downgrades it to HTTP/1.1 without re-validating the header fields, the injected CRLF sequences become line terminators in the serialised HTTP/1.1 message, so an attacker can end one request inside a header value and start another. This lets the attacker manipulate request boundaries and bypass security controls that were applied only to the first request.
Impact
Exploitation of this vulnerability lets an attacker split a single HTTP/2 request into several HTTP/1.1 requests at the back-end, i.e. perform request smuggling. The front-end and back-end then disagree about where each request begins and ends, which desynchronises the two and allows the attacker to bypass security measures that the front-end enforces.
Reproduction
To reproduce, send an HTTP/2 request in which a header value contains a CRLF sequence followed by a second request line, so that the value terminates the first request and begins another. Any client that lets you control raw HTTP/2 header values will do, such as a short script built on an HTTP/2 library or an HTTP/2-aware testing proxy. The target must downgrade HTTP/2 requests to HTTP/1.1 without validating header fields. A vulnerable setup forwards the injected bytes unchanged and the back-end processes two requests; a patched h2 refuses the header block before any downgrade takes place, which is the observable difference to check for.
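The mechanism above, as an added worked example that is not code from h2 or from this advisory. The proxy serializer is a hypothetical naive downgrading intermediary written for illustration; the validation function follows the field-validity rules of RFC 9113 section 8.2.1 and approximates what a patched stack checks rather than reproducing h2's own implementation. The header name x-trace, the authority example.test and the injected /admin request are constructed sample data.

```python
"""Added illustration of HTTP/2 -> HTTP/1.1 downgrade request splitting.

Example code written for this page, not code from the h2 project. The
downgrade function is a deliberately naive stand-in for a proxy; the
validation follows RFC 9113 section 8.2.1 and is an approximation of a
patched stack's check, not the h2 implementation itself.
"""
import re

# Bytes that must never appear in a field value (RFC 9113 8.2.1): NUL, CR, LF.
_FORBIDDEN_IN_VALUE = re.compile(rb"[\x00\r\n]")
# Field names must be non-empty, lowercase and free of control characters,
# space, DEL and non-ASCII bytes; ':' is reserved for pseudo-headers, which
# this example keeps in a separate dict.
_FORBIDDEN_IN_NAME = re.compile(rb"[\x00-\x20\x41-\x5a\x7f-\xff:]")


def header_is_valid(name: bytes, value: bytes) -> bool:
    """Return True if a (name, value) pair passes the RFC 9113 8.2.1 checks."""
    if not name or _FORBIDDEN_IN_NAME.search(name):
        return False
    if _FORBIDDEN_IN_VALUE.search(value):
        return False
    # A value must not start or end with SP or HTAB.
    if value[:1] in (b" ", b"\t") or value[-1:] in (b" ", b"\t"):
        return False
    return True


def downgrade_to_http1(pseudo: dict, headers: list, validate: bool) -> bytes:
    """Hypothetical proxy step: serialise a decoded HTTP/2 header block as an
    HTTP/1.1 request head. validate=False trusts the block, which is the
    pre-4.3.0 behaviour the advisory describes; validate=True rejects
    CR/LF/NUL before any bytes are written."""
    if validate:
        for name, value in headers:
            if not header_is_valid(name, value):
                raise ValueError(f"illegal header field: {name!r}={value!r}")
    lines = [
        pseudo[b":method"] + b" " + pseudo[b":path"] + b" HTTP/1.1",
        b"host: " + pseudo[b":authority"],
    ]
    lines.extend(name + b": " + value for name, value in headers)
    return b"\r\n".join(lines) + b"\r\n\r\n"


def backend_request_lines(raw: bytes) -> list:
    """Minimal model of how an HTTP/1.1 back-end delimits requests: a head ends
    at the first empty line and the next head starts right after it. Returns
    the request line of every head it would see."""
    heads = [h for h in raw.split(b"\r\n\r\n") if h]
    return [h.split(b"\r\n", 1)[0] for h in heads]


# Constructed sample: a benign-looking GET / whose one custom header value
# carries a CRLF-terminated second request aimed at /admin.
PSEUDO = {b":method": b"GET", b":path": b"/", b":authority": b"example.test"}
SMUGGLING_HEADERS = [
    (b"x-trace", b"abc\r\n\r\nGET /admin HTTP/1.1\r\nhost: example.test"),
]
CLEAN_HEADERS = [(b"x-trace", b"abc")]


def demo():
    """Run the same header block through the naive and the validating
    downgrade; returns (request lines the back-end sees, whether the
    validating path rejected the block)."""
    seen = backend_request_lines(
        downgrade_to_http1(PSEUDO, SMUGGLING_HEADERS, validate=False)
    )
    try:
        downgrade_to_http1(PSEUDO, SMUGGLING_HEADERS, validate=True)
        rejected = False
    except ValueError:
        rejected = True
    return seen, rejected


if __name__ == "__main__":
    lines, rejected = demo()
    print("naive downgrade: back-end sees", len(lines), "requests:", lines)
    print("validating downgrade rejected the block:", rejected)
```

With the naive path the back-end sees two request lines, GET / and GET /admin, from what the front-end treated as one request; with validation on, the same block is rejected before serialisation. The checks are applied at the HTTP/2 layer deliberately: once the CRLF has been written into an HTTP/1.1 byte stream there is no reliable way for the back-end to tell the injected request from a legitimate one.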
Remediation
Upgrade to h2 version 4.3.0 or later, where header names and values are validated and this vulnerability is patched. As defence in depth, any component that converts HTTP/2 requests to HTTP/1.1 should itself reject CR and LF in header names and values rather than relying solely on the HTTP/2 library to do so.
