mtrudel Bandit HTTP Request Smuggling Vulnerability via Duplicate Content-Length Headers

Vulnerability

A vulnerability allowing HTTP request smuggling has been identified in the mtrudel Bandit library, prior to version 1.11.0. This issue arises from an inconsistent interpretation of HTTP requests, specifically how duplicate Content-Length headers are handled. The 'Elixir.Bandit.Headers' module's 'get_content_length/1' function uses 'List.keyfind/3', which only retrieves the first matching header. When a request includes two Content-Length headers with differing values, Bandit accepts the request without error, uses the first header value to read the body, and then sends the remaining bytes as a second pipelined request over the same keep-alive connection. This behavior violates RFC 9112 §6.3, which mandates that such discrepancies be treated as unrecoverable framing errors. The vulnerability is exploitable when Bandit is behind a proxy that forwards the last Content-Length value, allowing an unauthenticated attacker to bypass edge WAF rules, path-based ACLs, rate limits, and audit logs.

Impact

Exploitation of this vulnerability leads to HTTP request smuggling, where an attacker can send requests that are improperly framed, allowing them to bypass security controls and manipulate how requests are processed by the server or application.

Reproduction

To reproduce this vulnerability, send a POST request to a Bandit server with two Content-Length headers: one indicating a length of 0 and the other indicating a length of 43. The body of the request should contain a smuggled GET request line. If Bandit is running on a server behind a proxy that forwards the last Content-Length value, the smuggled request will be processed as a separate request on the same connection, effectively bypassing any applied access controls.
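
The framing difference described above, as an added Python illustration (not Bandit's Elixir code): a first-match Content-Length lookup that mirrors the 'List.keyfind/3' behaviour is compared with the RFC 9112 §6.3 rule that rejects conflicting values. The request bytes, the '/smuggled' path and the host name are constructed for the demo.

```python
# Added illustration (not Bandit's code): first-match vs RFC 9112 §6.3 Content-Length framing.
FRAMING_ERROR = "conflicting Content-Length values"

def parse_head(raw: bytes):
    """Split a raw request into (request line, [(name, value)], bytes after the head)."""
    head, _, rest = raw.partition(b"\r\n\r\n")
    request_line, *field_lines = head.decode("ascii").split("\r\n")
    headers = [(n.strip().lower(), v.strip())
               for n, _, v in (line.partition(":") for line in field_lines)]
    return request_line, headers, rest

def content_length_first_match(headers):
    """Vulnerable pattern: only the first Content-Length field is consulted."""
    for name, value in headers:
        if name == "content-length":
            return int(value)
    return 0

def content_length_strict(headers):
    """RFC 9112 section 6.3: all Content-Length values must agree, otherwise reject."""
    values = {v for n, v in headers if n == "content-length"}
    if len(values) > 1:
        raise ValueError(FRAMING_ERROR)
    value = values.pop() if values else "0"
    if not value.isdigit():
        raise ValueError("invalid Content-Length")
    return int(value)

def frame_request(raw: bytes, length_fn):
    """Return (body, leftover); a keep-alive server parses the leftover as the next request."""
    _, headers, rest = parse_head(raw)
    n = length_fn(headers)
    return rest[:n], rest[n:]

def smuggling_risk(raw: bytes):
    """(leftover under first-match framing, verdict under strict framing)."""
    _, leftover = frame_request(raw, content_length_first_match)
    try:
        frame_request(raw, content_length_strict)
        return leftover, "accepted"
    except ValueError as exc:
        return leftover, f"rejected: {exc}"

# Constructed sample mirroring the Reproduction section: Content-Length 0 and 43,
# the body being a 43-byte GET request (request line plus headers).
SMUGGLED = b"GET /smuggled HTTP/1.1\r\nHost: localhost\r\n\r\n"
SAMPLE = (b"POST /upload HTTP/1.1\r\nHost: localhost\r\nContent-Length: 0\r\n"
          + b"Content-Length: %d\r\n\r\n" % len(SMUGGLED) + SMUGGLED)
```

Under first-match framing the whole 43-byte body is left unread on the connection, which is exactly what a keep-alive server then parses as a second request; the strict parser refuses the message instead.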

Remediation

Users can update to Bandit version 1.11.0 or later, where this vulnerability has been fixed.

Added: May 1, 2026, 9:35 PM
Updated: May 1, 2026, 9:35 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 0.6
exploitability: 7.0
remediation: 0.0
relevance: 6.8
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.