Full Report
HTTP smuggling occurs when two HTTP parsers interpret the same data differently, and that difference can be used to smuggle unintended data through the pipeline. A simple example would be Nginx in front of NodeJS; both implementations need to parse the data.

HTTP trailers are extra header fields transmitted after the body in HTTP/1.1 chunked transfer encoding. Although they are defined in the specification, they are rarely used in practice outside gRPC. Many servers, such as HAProxy, simply ignore or discard trailers altogether. The specification states that only an allowlist of headers, such as Digest, may be merged into the header section; anything else, such as Content-Length, must be ignored. By abusing implementations that simply merge all headers, it's possible to bypass various security protections. For instance, you can spoof the Host header or smuggle in the X-Forwarded-For header. An additional attack vector is manipulating request boundaries by smuggling in Content-Length or Transfer-Encoding headers.

lighttpd merged trailers post-dechunking. This allowed overwriting Content-Length to change the packet's meaning entirely. This project adds an extra Connection: close to make it not useful, though. There's a theoretical workaround for this, but I'm unsure how practical it is. Some HTTP servers will only close if it's the only entry. If lighttpd sees a TE encoding, it will add it to the Connection header. If the downstream server ignores the close because of this extra value, the smuggling is still possible.

Apache Traffic Server and Pound do not validate trailers, allowing hidden HTTP headers to be added. Eventlet, after reading the chunked body of an HTTP request, skips trailer parsing entirely. If the front-end server sees the request with trailers but Eventlet ignores them, this forces Eventlet to parse an additional request. In http4s, the trailer parser terminates early: if a trailer header doesn't contain a colon, parsing stops completely. This again makes the server parse more than one request from the original request.

Overall, using HTTP Garden, they found 13 variations of this across HTTP servers. Some were just header smuggling, while others were real request smuggling. Most HTTP clients do not support trailers, so to do this research the author had to create a tool. They even have an intentionally vulnerable app to play around with, and a CTF challenge too. The post seems to take inspiration from this post but takes it a step further. It pays to create unique tooling and read on what else is happening in the space. Great work!
Analysis Summary
# Research: Trailing Danger: Exploring HTTP Trailer Parsing Discrepancies
## Metadata
- **Authors:** Sebsrt (Sebastianosrt)
- **Institution:** Independent / Cybersecurity Researcher
- **Publication:** sebsrt.xyz
- **Date:** January 2025 (Reflecting recent CVE-2025 disclosures)
## Abstract
This research investigates the security implications of HTTP trailers—metadata fields transmitted after the message body in chunked transfer encoding (HTTP/1.1) or final headers frames (HTTP/2/3). While rarely used outside gRPC, trailers are handled inconsistently across HTTP implementations. The study reveals how "Trailer Merging" and parsing discrepancies allow attackers to bypass security controls via header smuggling and request smuggling, affecting 13 variations across major servers and libraries.
## Research Objective
The study aims to determine if the inconsistent implementation and optional "merging" of HTTP trailers (as permitted by RFC 9112) can be weaponized to bypass security intermediaries (WAFs, Rev-Proxies) or desynchronize HTTP pipelines.
## Methodology
### Approach
The researcher conducted a systematic differential analysis ("HTTP Gardening") of how various open-source HTTP libraries, servers, and proxies process trailers. The focus was on identifying discrepancies between front-end (downstream) and back-end (upstream) components.
### Dataset/Environment
The researcher tested a wide array of implementations, including:
- **Proxies/Load Balancers:** HAProxy, Apache Traffic Server, Pound, Nginx.
- **Web Servers/Libraries:** lighttpd, NodeJS, http4s, Eventlet, Cheroot, Eclipse Glassfish, and cpp-httplib.
### Tools & Technologies
- **riphttp:** A custom-developed tool to send requests with trailers across all HTTP versions (since most standard clients lack support).
- **riphttplib:** A specialized library for protocol security testing that allows for the creation of non-RFC-compliant, malformed HTTP requests.
- **Trailer-Merge-Lab:** A vulnerable environment created for testing and reproduction.
## Key Findings
### Primary Results
1. **Trailer Merge (TR.MRG) Smuggling:** Many implementations (e.g., lighttpd, cpp-httplib) merge trailer fields into the main header section post-processing. This allows attackers to "hide" dangerous headers (like `Host` or `X-Forwarded-For`) in the trailers, where they are invisible to initial security filters but become active once merged by the back end.
2. **Request Boundary Manipulation:** In `lighttpd 1.4`, merging trailers allowed overwriting the `Content-Length` header, effectively changing the packet's meaning entirely after it passed the front-end proxy.
3. **Unparsed/Skipped Trailers:** Some servers (Eventlet, Cheroot) skip trailer parsing entirely after reading a chunked body. If a front-end forwards the trailers but the back-end stops at the `0\r\n` chunk terminator and never consumes them, the trailer bytes are read as the start of a new request, which leads to Request Smuggling.
4. **Early Parsing Termination:** In `http4s`, the parser stops if a trailer lacks a colon (a malformed header), causing the server to interpret the remainder of the packet as a second, separate request.
### Supporting Evidence
- **13 distinct vulnerabilities** were identified across various HTTP stacks.
- **CVEs Issued:** Including CVE-2025-12642 (lighttpd), CVE-2025-53628 (cpp-httplib), CVE-2025-58068 (http4s), and CVE-2025-59822 (eventlet).
### Novel Contributions
- Identification of the **"Hide-Merge-Smuggle"** pattern specifically utilizing the trailer-to-header merging behavior allowed by RFC 9112.
- Development of **riphttp**, filling a tooling gap for researchers to test trailer-based delivery.
## Technical Details
The most critical vulnerability category exists where a server performs **Post-Dechunking Merging**. In HTTP/1.1 chunked encoding, the trailers follow a `0\r\n` terminator. If a server (like lighttpd) merges these into the request's internal header map, an attacker can send:
```http
POST / HTTP/1.1
Transfer-Encoding: chunked

[Body]
0
Content-Length: 0

```
If the server updates its internal state with this new `Content-Length`, the subsequent data in the TCP stream is treated as a new request, desynchronizing the connection.
## Practical Implications
### For Security Practitioners
- Traditional WAFs that only inspect the initial header block will fail to see headers "snuck" in via trailers.
- Security policies relying on `X-Forwarded-For` or `Host` headers can be bypassed if the back-end merges trailers.
### For Defenders
- **Strict Validation:** Configure proxies to strip trailers unless specifically required (e.g., for gRPC).
- **Protocol Consistency:** Ensure that front-end and back-end servers handle the `Connection` header and trailer fields identically.
- **Patching:** Update servers listed (lighttpd, http4s, etc.) to versions that explicitly ignore sensitive headers in trailers.
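The post-dechunking merge described under Technical Details and the strict-validation advice in this section, as an added example that is not code from the post, lighttpd, or riphttp. It is a hypothetical dechunking proxy in Python: it decodes one chunked request, merges the trailers either naively (every field overwrites the header section, the behaviour the post attributes to lighttpd and cpp-httplib) or strictly (framing and routing fields are discarded), re-serializes the request with `Content-Length` framing, and then counts how many requests a downstream `Content-Length`-only parser sees in the forwarded bytes. The function names, the `FORBIDDEN_IN_TRAILERS` set (including `X-Forwarded-For`, which is not an RFC list entry) and the sample request are this example's assumptions.

```python
"""Added example: trailer merging in a hypothetical dechunking proxy, naive vs. strict."""
from typing import Dict, List, Tuple

Request = Tuple[bytes, Dict[str, str], bytes]  # (request line, headers, body)

# Field names a recipient must never merge from trailers because they affect
# framing, routing, or request processing (the categories RFC 9110 sec. 6.5.1
# forbids). X-Forwarded-For is added as a routing field many back ends trust;
# that entry is this example's assumption, not an RFC list entry.
FORBIDDEN_IN_TRAILERS = {
    "content-length", "transfer-encoding", "host", "trailer", "content-type",
    "content-encoding", "content-range", "authorization", "cookie", "x-forwarded-for",
}


def split_field(line: bytes) -> Tuple[str, str]:
    """Split 'Name: value'; a colon-less line is rejected outright rather than
    silently ending the parse (the http4s early-termination failure mode)."""
    name, sep, value = line.partition(b":")
    if not sep or not name.strip():
        raise ValueError(f"malformed field line: {line!r}")
    return name.strip().decode("ascii").lower(), value.strip().decode("ascii")


def parse_head(buf: bytes, pos: int) -> Tuple[bytes, Dict[str, str], int]:
    """Parse request line + header block; return (request line, headers, pos after blank line)."""
    end = buf.index(b"\r\n\r\n", pos)
    lines = buf[pos:end].split(b"\r\n")
    return lines[0], dict(split_field(ln) for ln in lines[1:]), end + 4


def parse_chunked(buf: bytes, pos: int) -> Tuple[bytes, List[bytes], int]:
    """Decode a chunked body and collect the raw trailer lines that follow 0\\r\\n."""
    body = b""
    while True:
        eol = buf.index(b"\r\n", pos)
        size = int(buf[pos:eol].split(b";")[0], 16)  # chunk-size, extensions ignored
        pos = eol + 2
        if size == 0:
            break  # last-chunk; trailer section follows
        body += buf[pos:pos + size]
        pos += size + 2  # chunk-data plus its CRLF
    trailers: List[bytes] = []
    while True:
        eol = buf.index(b"\r\n", pos)
        line, pos = buf[pos:eol], eol + 2
        if not line:
            return body, trailers, pos
        trailers.append(line)


def merge_trailers(headers: Dict[str, str], trailers: List[bytes], strict: bool) -> List[str]:
    """Merge trailers into headers in place; return the names a strict merge dropped."""
    dropped: List[str] = []
    for line in trailers:
        name, value = split_field(line)
        if strict and name in FORBIDDEN_IN_TRAILERS:
            dropped.append(name)  # worth logging: a client tried to carry this field in a trailer
            continue
        headers[name] = value  # naive merge: any trailer overwrites the header section
    return dropped


def dechunk_and_forward(raw: bytes, strict: bool) -> Tuple[bytes, List[str]]:
    """Act as a dechunking proxy: parse one chunked request, re-emit it with Content-Length."""
    request_line, headers, pos = parse_head(raw, 0)
    if headers.get("transfer-encoding", "").lower() != "chunked":
        raise ValueError("this example only forwards chunked requests")
    body, trailers, _ = parse_chunked(raw, pos)
    del headers["transfer-encoding"]
    headers["content-length"] = str(len(body))  # framing recomputed from the decoded body ...
    dropped = merge_trailers(headers, trailers, strict)  # ... which a naive merge then lets a trailer overwrite
    head = request_line + b"\r\n" + b"".join(f"{k}: {v}\r\n".encode("ascii") for k, v in headers.items())
    return head + b"\r\n" + body, dropped


def parse_forwarded(buf: bytes) -> List[Request]:
    """Downstream server that frames requests by Content-Length alone."""
    requests: List[Request] = []
    pos = 0
    while pos < len(buf):
        request_line, headers, pos = parse_head(buf, pos)
        length = int(headers.get("content-length", "0"))
        requests.append((request_line, headers, buf[pos:pos + length]))
        pos += length
    return requests


# Constructed sample: the body is itself shaped like a request, and the trailers
# try to reset Content-Length to 0 and plant a client address.
INNER = b"GET /second HTTP/1.1\r\nHost: app.example\r\n\r\n"
SAMPLE = (
    b"POST /upload HTTP/1.1\r\nHost: app.example\r\nTransfer-Encoding: chunked\r\n\r\n"
    + f"{len(INNER):x}\r\n".encode("ascii") + INNER + b"\r\n"
    + b"0\r\nContent-Length: 0\r\nX-Forwarded-For: 127.0.0.1\r\n\r\n"
)


def demo(strict: bool) -> Tuple[int, str, List[str]]:
    """Return (requests seen downstream, X-Forwarded-For on the first, dropped trailer names)."""
    forwarded, dropped = dechunk_and_forward(SAMPLE, strict)
    seen = parse_forwarded(forwarded)
    return len(seen), seen[0][1].get("x-forwarded-for", ""), dropped


if __name__ == "__main__":
    print("naive merge :", demo(strict=False))  # (2, '127.0.0.1', [])
    print("strict merge:", demo(strict=True))   # (1, '', ['content-length', 'x-forwarded-for'])
```

With the naive merge the forwarded message advertises `Content-Length: 0` and carries a spoofed `X-Forwarded-For`, so the downstream parser frames the body as a second request; with the strict merge both trailer fields are dropped and logged, the recomputed length is kept, and exactly one request reaches the back end. The `dropped` list is the signal a defender would alert on.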
### For Researchers
- The "Trailer Merge" attack vector suggests other "ignored" or "legacy" RFC sections warrant re-examination for modern smuggling techniques.
## Limitations
- **Tooling:** Most standard penetration testing tools do not support trailer injection, making these bugs hard to find without custom scripts.
- **Practicality:** Some identified vectors (like lighttpd) required specific configurations or multiple discrepancies (like the `Connection: close` workaround) to be fully exploitable.
## Comparison to Prior Work
This research builds upon the concept of HTTP Request Smuggling (popularized by PortSwigger/James Kettle) but shifts focus from `CL.TE` / `TE.CL` to the **Trailer section**, a significantly less explored area of the HTTP lifecycle.
## Real-world Applications
- **Access Control Bypass:** Spoofing headers to trick an application into thinking a request is local or authenticated.
- **Cache Poisoning:** Smuggling a second request to associate a malicious response with a legitimate URL in a front-end cache.
## Future Work
- Systematic testing of HTTP/2 `HEADERS` frames (trailers) and their interaction with HTTP/1.1 back-ends (downgrading attacks).
- Investigation of cloud-native load balancers (AWS ALB, Google Cloud LB) and their handling of trailer merging.
## References
- RFC 9112 (HTTP/1.1)
- [riphttp GitHub Repository](https://github.com/sebastianosrt/riphttp)
- [Trailer-Merge-Lab](https://github.com/sebastianosrt/Trailers-Merge-Lab)
- CVE-2025-12642, CVE-2025-58068, CVE-2025-59822