A post-mortem of an HTTP request smuggling vulnerability discovered in Crystal's HTTP::Server. The root cause was the HTTP request parser giving Content-Length precedence over Transfer-Encoding, in violation of RFC 9112. This allowed attackers to inject arbitrary HTTP requests between a reverse proxy and the Crystal server, potentially bypassing authentication or access controls enforced at the proxy layer. The fix (rejecting requests that carry both headers, and giving Transfer-Encoding precedence) was shipped in Crystal 1.20.0 and backported to 1.19.2. The practical risk was assessed as low, since exploitation required a non-compliant proxy. Key lessons include the importance of RFC compliance and understanding vulnerability chains across multiple software components.
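To make the root cause concrete, here is an added example (written for this page, not code from Crystal's HTTP::Server or the fix itself) of a minimal HTTP/1.1 request framer in Ruby. It frames the same buffered stream under three policies: the pre-fix behaviour (Content-Length wins), the RFC 9112 precedence rule (Transfer-Encoding wins), and the shipped fix's stance of rejecting a message that carries both headers. The stream, the `/upload` and `/second` paths, and the function names are constructed for the example; where the two policies disagree, the bytes one parser treats as the start of the next request are bytes the other parser already consumed as body, which is the desync the post-mortem describes.

```ruby
# Added example, not Crystal's HTTP::Server code: a minimal HTTP/1.1 framer
# showing how Content-Length vs Transfer-Encoding precedence decides where
# one request ends and the next one begins on a reused connection.

class FramingError < StandardError; end

# Decodes a chunked body that starts at the beginning of `data`.
# Returns [decoded_body, bytes_after_the_terminating_chunk].
def read_chunked(data)
  body = +""
  pos = 0
  loop do
    nl = data.index("\r\n", pos)
    raise FramingError, "incomplete chunk-size line" if nl.nil?
    # chunk-size is hex; anything after ';' is a chunk extension we ignore
    size = Integer(data[pos...nl].split(";", 2).first.strip, 16)
    pos = nl + 2
    if size.zero?
      # last-chunk: optional trailer fields, then an empty line ends the body
      term = data.index("\r\n\r\n", pos - 2)
      raise FramingError, "incomplete trailer section" if term.nil?
      return [body, data[(term + 4)..] || ""]
    end
    chunk = data[pos, size]
    raise FramingError, "incomplete chunk data" if chunk.nil? || chunk.bytesize < size
    body << chunk
    pos += size
    raise FramingError, "missing CRLF after chunk data" unless data[pos, 2] == "\r\n"
    pos += 2
  end
end

# Splits the first request off a buffered byte stream according to `policy`.
# Returns [request_line, headers, body, remaining_bytes].
def frame_request(stream, policy)
  head, rest = stream.split("\r\n\r\n", 2)
  raise FramingError, "incomplete head" if rest.nil?
  request_line, *field_lines = head.split("\r\n")
  headers = {}
  field_lines.each do |line|
    name, value = line.split(":", 2)
    raise FramingError, "malformed header field" if value.nil?
    headers[name.strip.downcase] = value.strip
  end
  cl = headers["content-length"]
  te = headers["transfer-encoding"]

  use_te =
    case policy
    when :content_length_first    # pre-fix behaviour described in the post-mortem
      cl.nil? && !te.nil?
    when :transfer_encoding_first # RFC 9112: Transfer-Encoding overrides Content-Length
      !te.nil?
    when :reject_both             # the shipped fix: refuse the ambiguous message outright
      raise FramingError, "both Content-Length and Transfer-Encoding present" if cl && te
      !te.nil?
    else
      raise ArgumentError, "unknown policy #{policy}"
    end

  if use_te
    raise FramingError, "unsupported transfer coding #{te}" unless te.downcase == "chunked"
    body, remaining = read_chunked(rest)
  elsif cl
    raise FramingError, "invalid Content-Length" unless cl.match?(/\A\d+\z/)
    len = cl.to_i
    raise FramingError, "incomplete body" if rest.bytesize < len
    body, remaining = rest[0, len], rest[len..]
  else
    body, remaining = "", rest
  end
  [request_line, headers, body, remaining]
end

# Constructed sample stream: one request that claims both framings, followed
# by the bytes of a second, unrelated request on the same connection.
AMBIGUOUS_STREAM =
  "POST /upload HTTP/1.1\r\n" \
  "Host: example.test\r\n" \
  "Content-Length: 4\r\n" \
  "Transfer-Encoding: chunked\r\n" \
  "\r\n" \
  "5\r\nhello\r\n0\r\n\r\n" \
  "GET /second HTTP/1.1\r\nHost: example.test\r\n\r\n"

# Frames the same stream under every policy and reports the disagreement.
def compare_policies(stream)
  %i[content_length_first transfer_encoding_first reject_both].to_h do |policy|
    _, _, body, remaining = frame_request(stream, policy)
    [policy, { body: body, next_bytes: remaining[0, 12] }]
  rescue FramingError => e
    [policy, { rejected: e.message }]
  end
end

if __FILE__ == $PROGRAM_NAME
  compare_policies(AMBIGUOUS_STREAM).each { |policy, result| puts "#{policy}: #{result.inspect}" }
end
```

Run stand-alone, the script shows the Content-Length-first parser taking only `5\r\nh` as the body and leaving `ello\r\n0\r\n...` on the connection as the "next request", while the Transfer-Encoding-first parser consumes the whole chunked body and correctly sees `GET /second` next; the reject-both policy refuses the message before any framing decision is made, which is the behaviour the fix adopted. Unambiguous requests (only one of the two headers) frame identically under all three policies.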
Table of contents
Timeline
Technical Details
Severity Assessment
Mitigation
Lessons Learned
References
Acknowledgements