H3 HTTP Framework Request Smuggling Vulnerability

A critical HTTP request smuggling vulnerability has been identified in the H3 framework, prior to version 1.15.5. The issue arises because the 'readRawBody' function performs a strict, case-sensitive check of the 'Transfer-Encoding' header, specifically looking for 'chunked'. However, according to the RFC, this header should be treated as case-insensitive. As a result, requests with 'Transfer-Encoding' set to mixed case, such as 'ChunKed', are not properly recognized. This oversight can be exploited to desynchronize requests when the application is behind a Layer 4 proxy or a non-header-normalizing proxy, like AWS NLB or certain Node proxies, leading to classic request smuggling scenarios.

Impact

Exploitation of this vulnerability allows for HTTP request smuggling, where an attacker can send requests that are improperly handled by the server, potentially leading to desynchronization attacks. This could be used to bypass web application firewalls or interfere with other users' connections.

Reproduction

To reproduce this vulnerability, send a HTTP request to a server running H3 version 1.15.4 or earlier. Include a 'Transfer-Encoding' header with mixed case, such as 'ChunKed', and omit a 'Content-Length' header. The server will incorrectly process the request as having an empty body, leaving the actual data on the socket. If the server is behind a Layer 4 proxy that does not normalize headers, this can trigger a request smuggling attack.

Remediation

Users can upgrade to H3 version 1.15.5 or later, where this vulnerability has been fixed.