Erlang OTP HTTP Request Smuggling Vulnerability

Vulnerability

A vulnerability allowing HTTP request smuggling has been identified in the inets httpd module of Erlang OTP. This issue arises because the server does not properly handle duplicate Content-Length headers. Instead of rejecting the request or normalizing the headers, the server uses the first Content-Length value to determine the body length. This behavior violates RFC 9112 Section 6.3 and can lead to desynchronization between a front-end proxy and the back-end server, since the two may disagree on where one request ends and the next begins. As a result, attacker-controlled bytes can be queued as the start of the next request on the same connection. The vulnerability affects Erlang OTP versions 17.0 through 28.4.1, as well as 27.3.4.9 and 26.2.5.18.

Impact

Exploitation of this vulnerability can bypass authentication at the proxy layer, allowing access to protected backend resources. It can also lead to cache poisoning by desynchronizing request and response boundaries, or request hijacking by prepending smuggled requests to legitimate user requests on persistent connections.

Reproduction

The vulnerability can be reproduced by sending an HTTP request containing multiple Content-Length headers with different values to a server running the affected version of Erlang OTP's inets httpd module. The server frames the body using the first Content-Length value, so any front-end component that uses a different value (or rejects the request) will disagree with it about the request boundary, creating the desynchronization that makes the issue exploitable.

Remediation

Users can update to Erlang OTP versions 28.4.1, 27.3.4.9, or 26.2.5.18, where this vulnerability has been patched. If an immediate update is not possible, consider configuring the frontend proxy to reject duplicate Content-Length headers, disabling HTTP keep-alive on httpd, or deploying a Web Application Firewall (WAF) to reject requests with multiple Content-Length headers.
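As an added illustration of the front-end mitigation described above (it is not part of this advisory and not code from Erlang/OTP's inets module), the following Python implements the check a proxy or WAF would apply: it frames a request strictly per RFC 9112 Section 6.3, accepting repeated Content-Length fields only when every value is identical and rejecting any request whose Content-Length values disagree instead of trusting the first one. The sample requests, host names and paths are constructed for the example; no real traffic is involved.

```python
"""Strict Content-Length framing for a front-end proxy or WAF.

Added example, not part of the advisory or of Erlang/OTP. It shows the
RFC 9112 Section 6.3 rule the advisory says inets httpd violated: several
Content-Length fields (or a comma-separated list inside one field) may be
collapsed to one value only if all values are identical; any disagreement
must be rejected rather than resolved by picking the first value.
"""
import re
from typing import List, Optional, Tuple

CRLF = b"\r\n"
_DIGITS = re.compile(rb"^[0-9]+$")  # Content-Length = 1*DIGIT


class FramingError(ValueError):
    """The request body length cannot be determined unambiguously."""


def parse_head(raw: bytes) -> Tuple[bytes, List[Tuple[bytes, bytes]], bytes]:
    """Split a raw request into (request line, header fields, rest of stream)."""
    head, sep, rest = raw.partition(CRLF + CRLF)
    if not sep:
        raise FramingError("incomplete header block")
    lines = head.split(CRLF)
    fields = []
    for line in lines[1:]:
        name, colon, value = line.partition(b":")
        # Reject empty names and names with surrounding whitespace (obs-fold
        # and "Content-Length :" style smuggling tricks are not tolerated).
        if not colon or not name or name.strip() != name:
            raise FramingError("malformed header field")
        fields.append((name.lower(), value.strip()))
    return lines[0], fields, rest


def content_length(fields: List[Tuple[bytes, bytes]]) -> Optional[int]:
    """Return the single unambiguous Content-Length, or None if absent.

    Every Content-Length field is collected and each value is split on
    commas, so two separate fields and 'Content-Length: 5, 5' are treated
    alike. Identical values collapse to one; differing values raise.
    """
    values = [v.strip() for name, value in fields
              if name == b"content-length"
              for v in value.split(b",")]
    if not values:
        return None
    distinct = set(values)
    if len(distinct) > 1:
        raise FramingError(f"conflicting Content-Length values {sorted(distinct)}")
    (only,) = distinct
    if not _DIGITS.match(only):
        raise FramingError(f"invalid Content-Length {only!r}")
    return int(only)


def frame_request(raw: bytes) -> Tuple[bytes, bytes, bytes]:
    """Frame one request: (request line, body, bytes left on the connection).

    A pipelining client legitimately leaves its next request in the third
    element; a request with disagreeing Content-Length fields never gets
    that far because content_length() raises. Chunked transfer coding is
    outside this example, so any Transfer-Encoding header is rejected too.
    """
    request_line, fields, rest = parse_head(raw)
    if any(name == b"transfer-encoding" for name, _ in fields):
        raise FramingError("Transfer-Encoding framing not handled here")
    length = content_length(fields)
    if length is None:
        return request_line, b"", rest
    if len(rest) < length:
        raise FramingError("body shorter than Content-Length")
    return request_line, rest[:length], rest[length:]


def proxy_decision(raw: bytes) -> Tuple[bool, str]:
    """Front-end verdict for a raw request: (forward to backend?, reason)."""
    try:
        frame_request(raw)
    except FramingError as exc:
        return False, str(exc)
    return True, "ok"


# Constructed sample traffic for the example (not captured from any system).
CLEAN = (b"POST /login HTTP/1.1\r\nHost: app.example\r\n"
         b"Content-Length: 5\r\n\r\nhello")
REPEATED_SAME = (b"POST /login HTTP/1.1\r\nHost: app.example\r\n"
                 b"Content-Length: 5\r\nContent-Length: 5\r\n\r\nhello")
CONFLICTING = (b"POST /login HTTP/1.1\r\nHost: app.example\r\n"
               b"Content-Length: 5\r\nContent-Length: 11\r\n\r\nhello world")
PIPELINED = CLEAN + b"GET /status HTTP/1.1\r\nHost: app.example\r\n\r\n"

if __name__ == "__main__":
    for label, req in [("clean", CLEAN), ("repeated-same", REPEATED_SAME),
                       ("conflicting", CONFLICTING)]:
        print(label, proxy_decision(req))
```

Run stand-alone, the script forwards the clean request and the one whose repeated Content-Length values agree, and refuses the request whose two values differ, naming both values in the reason so the rejection can be logged and alerted on at the proxy layer. The PIPELINED sample shows the benign case the strict framing still supports: the bytes after the first body are handed back as the start of the next request, which is exactly the boundary an inets httpd front-end could not be trusted to place correctly.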

Added: Mar 13, 2026, 8:02 PM
Updated: Mar 13, 2026, 8:02 PM

Vulnerability Rating

Custom Algorithm
spread: 6.6
impact: 5.0
exploitability: 4.7
remediation: 8.3
relevance: 4.3
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.