CVE-2026-58055

HTTP Request Smuggling in nghttp2 nghttpx Proxy

Vulnerability report for CVE-2026-58055, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-28

Last updated on: 2026-06-28

Assigner: VulnCheck

Description

nghttp2's nghttpx proxy through 1.69.0 forwards an HTTP/1.1 Upgrade request that also carries a Content-Length header and body onto reusable keep-alive backend connections, re-adding the Upgrade and Connection headers while passing Content-Length verbatim. A backend that resolves the resulting ambiguous message in the attacker's favor enables HTTP request/response smuggling and cross-client response-queue poisoning.

Affected Vendors & Products

Vendor    Product   Version / Range
nghttp2   nghttpx   1.69.0
nghttp2   nghttpx   all versions up to and including 1.69.0

Exploitability

CWE ID: CWE-444, Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')
Description: The product acts as an intermediary HTTP agent (such as a proxy or firewall) in the data flow between two entities such as a client and server, but it does not interpret malformed HTTP requests or responses in ways that are consistent with how the messages will be processed by those entities that are at the ultimate destination.

Executive Summary

CVE-2026-58055 is an HTTP request/response smuggling vulnerability in nghttp2's nghttpx proxy, affecting versions through 1.69.0. When nghttpx forwards an HTTP/1.1 Upgrade request that also carries a Content-Length header and a body, it re-adds the Upgrade and Connection headers and passes Content-Length through verbatim. The backend therefore receives a message whose end is ambiguous: a body-aware parser reads Content-Length bytes as the body, while an Upgrade-oriented parser treats the header terminator as the end of the message.

If the backend takes the second view, the bytes the attacker placed after the header terminator are parsed as a new request on the same keep-alive backend connection. The backend then emits one more response than nghttpx forwarded requests, and the queue of responses on that connection is no longer in lockstep with the requests nghttpx sent. A victim client whose request nghttpx later schedules on the same connection receives a response to the attacker's smuggled request instead of its own (cross-client response-queue poisoning).

Exploitation needs specific conditions: the attacker must be able to send HTTP/1.1 to an nghttpx frontend; the backend must keep connections alive and frame Upgrade requests in the Upgrade-oriented way; and the attacker must be able to delay the backend's response long enough for the victim's request to be scheduled on the same connection.
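The message-boundary ambiguity the summary describes, as an added model that is not nghttpx code and not from the advisory: the same backend byte stream is split once with a body-aware framing rule and once with an Upgrade-oriented one, and a proxy that pops backend responses in request order hands each frontend client whatever comes off the queue. The hostnames, paths, toy backend and the exact forwarded header set are constructed for the illustration.

```python
# Added model of the CWE-444 message-boundary ambiguity behind CVE-2026-58055.
# Illustrative code, not nghttpx source: it parses one keep-alive byte stream
# two ways and shows which response each frontend client ends up with.
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class Request:
    method: str
    target: str
    headers: dict[str, str] = field(default_factory=dict)
    body: bytes = b""


def parse_head(buf: bytes, pos: int) -> tuple[Request, int] | None:
    """Parse one request line plus headers at buf[pos:]; return (request, offset after CRLFCRLF)."""
    end = buf.find(b"\r\n\r\n", pos)
    if end < 0:
        return None
    lines = buf[pos:end].decode("latin-1").split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    req = Request(method, target)
    for line in lines[1:]:
        name, _, value = line.partition(":")
        req.headers[name.strip().lower()] = value.strip()
    return req, end + 4


def parse_stream(buf: bytes, upgrade_oriented: bool) -> list[Request]:
    """Split a backend connection's byte stream into requests.

    upgrade_oriented=False: every body is framed by Content-Length (the sender's intent).
    upgrade_oriented=True : a request carrying Upgrade ends at its header terminator;
                            Content-Length is ignored and the following bytes are parsed
                            as the next request (the backend behaviour the advisory describes).
    """
    reqs: list[Request] = []
    pos = 0
    while pos < len(buf):
        parsed = parse_head(buf, pos)
        if parsed is None:
            break
        req, pos = parsed
        length = int(req.headers.get("content-length", "0"))
        if upgrade_oriented and "upgrade" in req.headers:
            length = 0
        req.body = buf[pos:pos + length]
        pos += length
        reqs.append(req)
    return reqs


def backend_response(req: Request) -> bytes:
    """Toy backend: exactly one response per parsed request, tagged with the target it answers."""
    payload = f"response for {req.target}".encode()
    return b"HTTP/1.1 200 OK\r\nContent-Length: %d\r\n\r\n%s" % (len(payload), payload)


# Constructed traffic (assumed, for illustration). SMUGGLED is what the attacker places after the
# header terminator; the announced Content-Length equals its size, so a body-aware parser swallows
# it as the body while an Upgrade-oriented parser sees a second request.
SMUGGLED = b"GET /smuggled HTTP/1.1\r\nHost: app.internal\r\n\r\n"
ATTACKER_HEAD = (
    b"GET /chat HTTP/1.1\r\n"
    b"Host: app.internal\r\n"
    b"Connection: Upgrade\r\n"          # re-added by the proxy, per the advisory
    b"Upgrade: websocket\r\n"
    b"Content-Length: %d\r\n\r\n"       # passed through verbatim
)
ATTACKER_REQUEST = ATTACKER_HEAD % len(SMUGGLED) + SMUGGLED
VICTIM_REQUEST = b"GET /profile HTTP/1.1\r\nHost: app.internal\r\n\r\n"


def run_scenario(upgrade_oriented: bool) -> list[bytes]:
    """Responses handed to [attacker, victim] by a proxy that forwarded both requests over one
    reused backend connection and dequeues backend responses in the order it sent requests."""
    stream = ATTACKER_REQUEST + VICTIM_REQUEST
    responses = [backend_response(r) for r in parse_stream(stream, upgrade_oriented)]
    return responses[:2]  # two frontend requests were forwarded, so two responses are dequeued


if __name__ == "__main__":
    for mode in (False, True):
        _attacker, victim = run_scenario(upgrade_oriented=mode)
        body = victim.split(b"\r\n\r\n", 1)[1]
        print(f"upgrade_oriented={mode}: victim receives {body!r}")
```

Under body-aware framing the victim gets the response for /profile; under Upgrade-oriented framing the backend parses three requests, the proxy dequeues only two responses, and the victim is answered with the response for /smuggled while the real /profile response stays queued for whichever client uses the connection next.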

Impact Analysis

An attacker who can reach the nghttpx HTTP/1.1 frontend can make the backend emit an extra response on a shared keep-alive connection, desynchronising the response queue that nghttpx assumes is in lockstep with the requests it forwarded.

A legitimate client whose request is subsequently forwarded over that connection then receives a response to the attacker's smuggled request instead of its own. Depending on what the smuggled request asks the backend for, this can lead to information disclosure, session hijacking, or other abuse of the victim's trust in responses from the site.

The actual impact depends on how the backend frames the ambiguous message and on the attacker's ability to win the timing and connection-reuse race described above.

Detection Guidance

The vulnerable behaviour is an HTTP/1.1 Upgrade request that also carries a Content-Length header and a body being forwarded by nghttpx (versions through 1.69.0) onto a reusable backend connection, leading to HTTP request/response smuggling and cross-client response-queue poisoning.

Detection can focus on HTTP/1.1 Upgrade requests passing through nghttpx, specifically requests that carry Upgrade (and Connection: Upgrade) together with a Content-Length or Transfer-Encoding header. The most useful place to observe them is the nghttpx-to-backend leg, which is usually cleartext; the frontend side is typically TLS, where packet capture shows nothing useful.

Commands to surface such requests in a capture (the tcpdump filter matches only segments with a TCP payload; adjust the port to the backend's):

  • tcpdump -i <interface> -s0 -A 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)' | grep -iE 'Upgrade:|Content-Length:'
  • Wireshark display filter: http.upgrade && http.content_length_header (do not restrict the method; an Upgrade request can use any method)

A line-oriented grep cannot tie the two headers to the same request, so treat its output as triage and confirm by reassembling the stream and checking that both headers belong to one request.

Additionally, nghttpx access logs help only if the log format includes the headers of interest: the default access log line records the request line, status, byte count, Referer and User-Agent, not Upgrade or Content-Length. Extend the format with nghttpx's --accesslog-format option (see the nghttpx manual for the header variable syntax), or rely on backend-side logging, before using logs as a detection source.

Mitigation Strategies

To mitigate this vulnerability, upgrade nghttpx to a release that includes the fix from commit ab28105c, which makes nghttpx reject CONNECT or Upgrade requests that carry a Transfer-Encoding or Content-Length header, so the ambiguous message is never forwarded to a backend.

If upgrading is not immediately possible, enforce the same rule in front of nghttpx, in a WAF, load balancer or edge proxy that sees the request before nghttpx does: drop HTTP/1.1 Upgrade or CONNECT requests that carry Content-Length or Transfer-Encoding. The vulnerable forwarding happens inside nghttpx itself, so a filter placed behind it does not help.

Additionally, reduce exposure on the backend side: disabling backend connection reuse (keep-alive) removes the cross-client poisoning, since no other client's request can follow the smuggled one on the same connection, although a desync on the attacker's own connection remains possible; and make sure the backend frames Upgrade requests consistently, either honouring Content-Length or rejecting such requests outright, so it does not resolve the ambiguity in the attacker's favour.

Review and apply any vendor or project advisories related to this CVE to ensure all recommended patches and configuration changes are applied.
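An added example, not nghttpx's code, that applies the rule the mitigation above attributes to the fix (reject CONNECT or Upgrade requests carrying Content-Length or Transfer-Encoding) in both of the roles discussed on this page: as the detection logic over reassembled requests from a capture, and as a gate a component in front of nghttpx could enforce while the proxy is unpatched. The sample requests, hostnames and the 400 status chosen for rejection are assumptions made for the illustration.

```python
# Added example for CVE-2026-58055: the "ambiguous Upgrade" rule used as detection and as a
# front-of-proxy gate. Illustrative code, not nghttpx source.
from __future__ import annotations


def parse_request_head(raw: bytes) -> tuple[str, dict[str, list[str]]]:
    """Return (method, headers) for the first request in raw. Header names are lower-cased and
    repeated headers are kept as a list so duplicates stay visible to the policy."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    request_line, *header_lines = head.split("\r\n")
    method = request_line.split(" ", 1)[0]
    headers: dict[str, list[str]] = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return method, headers


def is_ambiguous_upgrade(method: str, headers: dict[str, list[str]]) -> bool:
    """True when the message's end is ambiguous: it asks to switch protocols (CONNECT, or any
    Upgrade header, whether or not Connection lists it) and also announces body framing.
    Following the rule as the advisory describes it, the mere presence of Content-Length
    counts, including Content-Length: 0."""
    switches_protocol = method.upper() == "CONNECT" or "upgrade" in headers
    has_body_framing = "content-length" in headers or "transfer-encoding" in headers
    return switches_protocol and has_body_framing


def proxy_gate(raw: bytes) -> int | None:
    """Decision before forwarding: 400 (assumed status) for an ambiguous Upgrade/CONNECT,
    None to forward the request unchanged."""
    method, headers = parse_request_head(raw)
    return 400 if is_ambiguous_upgrade(method, headers) else None


def scan_capture(requests: list[bytes]) -> list[str]:
    """Detection over raw requests, e.g. reassembled from a backend-side capture."""
    verdicts = []
    for raw in requests:
        method, headers = parse_request_head(raw)
        target = raw.split(b" ", 2)[1].decode("latin-1")
        tag = "ALERT" if is_ambiguous_upgrade(method, headers) else "ok   "
        verdicts.append(f"{tag} {method} {target}")
    return verdicts


# Constructed samples: a normal WebSocket handshake, a normal POST, then three ambiguous
# messages (Upgrade + Content-Length, Upgrade + Transfer-Encoding, CONNECT + Content-Length).
SAMPLES = [
    b"GET /ws HTTP/1.1\r\nHost: app.internal\r\nConnection: Upgrade\r\nUpgrade: websocket\r\n\r\n",
    b"POST /api HTTP/1.1\r\nHost: app.internal\r\nContent-Length: 2\r\n\r\n{}",
    b"GET /ws HTTP/1.1\r\nHost: app.internal\r\nConnection: Upgrade\r\nUpgrade: websocket\r\n"
    b"Content-Length: 5\r\n\r\nhello",
    b"POST /ws HTTP/1.1\r\nHost: app.internal\r\nConnection: Upgrade\r\nUpgrade: h2c\r\n"
    b"Transfer-Encoding: chunked\r\n\r\n0\r\n\r\n",
    b"CONNECT app.internal:443 HTTP/1.1\r\nHost: app.internal:443\r\nContent-Length: 0\r\n\r\n",
]

if __name__ == "__main__":
    for line in scan_capture(SAMPLES):
        print(line)
```

The check is deliberately presence-based rather than value-based: a Content-Length of 0 or an empty chunked body is still a framing claim that an Upgrade-oriented backend may disregard, which is the disagreement the smuggling relies on. Note that this rule also rejects an h2c upgrade sent with a POST body, which is what the described fix does as well; if a deployment depends on that pattern, it needs the patched proxy rather than this gate.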

Compliance Impact

CVE-2026-58055 enables HTTP request/response smuggling and cross-client response-queue poisoning by exploiting ambiguous HTTP message parsing in nghttpx proxy. This can lead to unauthorized access to or manipulation of HTTP responses intended for other clients.

Such vulnerabilities can impact compliance with standards like GDPR and HIPAA because they may allow attackers to intercept, alter, or expose sensitive data transmitted between clients and backend servers, violating data confidentiality and integrity requirements.

Therefore, organizations using affected versions of nghttpx may face increased risk of data breaches or unauthorized data exposure, which are critical concerns under these regulations.
