Libsoup HTTP Request Smuggling Vulnerability via Duplicate Content-Length Headers

A request smuggling vulnerability has been identified in Libsoup's HTTP/1 header parsing. The issue arises because the 'soup_message_headers_append_common()' function in 'libsoup/soup-message-headers.c' appends header values without checking for duplicate or conflicting Content-Length fields. This flaw allows an attacker to send HTTP requests with multiple Content-Length headers containing different values, creating ambiguity in how the request is processed. The vulnerability affects all versions of Libsoup prior to the fix, which is available in the latest version.

Impact

Exploitation of this vulnerability leads to HTTP request smuggling, where an attacker can desynchronize a connection and send an additional request through the chain. This can bypass front-end routing or access control decisions, poison web caches, or reach internal endpoints that are not meant to be exposed.

Reproduction

The vulnerability can be reproduced by sending an HTTP/1.1 request with duplicate Content-Length headers or with both 'Transfer-Encoding: chunked' and 'Content-Length' headers. This can be done using a tool like curl, by specifying the duplicate headers and directing the request to a Libsoup server that is running and accessible.

Remediation

Users can update to the latest version of Libsoup, where this vulnerability has been fixed. Instructions for updating can be found in the Red Hat Update Catalog.