Description

nghttp2's nghttpx proxy through 1.69.0 forwards an HTTP/1.1 Upgrade request that also carries a Content-Length header and body onto reusable keep-alive backend connections, re-adding the Upgrade and Connection headers while passing Content-Length verbatim. A backend that resolves the resulting ambiguous message in the attacker's favor enables HTTP request/response smuggling and cross-client response-queue poisoning.

Severity (CVSS)

Base score: 6.3
Severity: Medium
Version: CVSS 4.0
Vector: CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:L/SA:N
Provided by: CNA

Weaknesses

  • CWE-444 — Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')

Affected products

Vendor    Product    Versions
nghttp2   nghttp2    0 to <=1.69.0

References

Authoritative sources

This page is a snapshot. For the latest enrichment and updates, view the record on CVE.org or the NVD.

Generated from the official CVE List on 28 Jun 2026 07:01 UTC.