
HTTP Request Smuggling in forward-auth Plugin (CVE-2024-32638)


In Apache APISIX 3.8.0 and 3.9.0, a client can abuse the forward-auth plugin, when it is enabled, to make APISIX emit malformed or unintended requests (HTTP request smuggling).

Problem Description

With the forward-auth plugin enabled, Apache APISIX can be made to emit illegal requests, a form of HTTP request smuggling: an attacker-controlled request is passed on by the gateway in a form the gateway did not intend to send, so components behind it may see a request that was never authorized as such. The forward-auth plugin relays parts of the client request to an external authorization service before the request reaches the upstream, so every object on which the plugin is enabled (route, service, consumer, plugin config or global rule) is in scope.

Affected Versions

This issue affects Apache APISIX versions: 3.8.0 and 3.9.0.

Solution

Users of Apache APISIX 3.8.0 should upgrade to 3.8.1, and users of 3.9.0 to 3.9.1; any later release also contains the fix. Until the upgrade is done, the exposure can be removed by disabling the forward-auth plugin on every route, service, consumer, plugin config and global rule that enables it, since the issue is only reachable when the plugin is active.
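The following check script is an added example written for this advisory; it is not part of APISIX and is not the project's own tooling. It flags an instance as exposed when the reported version is one of the two affected releases and at least one Admin API object enables forward-auth. It assumes the 3.x Admin API listing shape (`{"list": [{"key": ..., "value": {...}}]}`); the version string and the listings below are constructed sample data, not output captured from a real deployment.

```python
"""Exposure check for CVE-2024-32638 (Apache APISIX 3.8.0 / 3.9.0 with forward-auth enabled).

Added example, not APISIX project code. Two signals are combined:
  1. the running version matches one of the two affected releases;
  2. some Admin API object (route, service, consumer, plugin config, global rule)
     enables the forward-auth plugin.
The sample version and listings are constructed and only approximate the 3.x
Admin API response shape ({"list": [{"key": ..., "value": {...}}]}).
"""
import json
import re

AFFECTED_VERSIONS = {(3, 8, 0), (3, 9, 0)}
FIX_ADVICE = "upgrade to 3.8.1 (3.8 line) or 3.9.1 or later"
PLUGIN = "forward-auth"
# Admin API resources on which APISIX allows a plugins block.
PLUGIN_BEARING_RESOURCES = ("routes", "services", "consumers",
                            "plugin_configs", "global_rules")

_VERSION_RE = re.compile(r"v?(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Return (major, minor, patch) from strings such as '3.9.0' or 'APISIX 3.8.0'.
    Raises ValueError when no x.y.z triple is present."""
    m = _VERSION_RE.search(text.strip())
    if not m:
        raise ValueError("no x.y.z version in %r" % text)
    return tuple(int(p) for p in m.groups())


def is_affected_version(text):
    """True only for the two releases named in the advisory."""
    return parse_version(text) in AFFECTED_VERSIONS


def objects_enabling_plugin(listing, plugin=PLUGIN):
    """Keys of the objects in one Admin API listing whose plugins block enables `plugin`."""
    hits = []
    for item in listing.get("list", []):
        value = item.get("value") or {}
        if plugin in (value.get("plugins") or {}):
            hits.append(item.get("key") or str(value.get("id")))
    return hits


def assess(version_text, listings):
    """listings maps a resource name to the parsed JSON of GET /apisix/admin/<resource>."""
    exposed = {}
    for resource in PLUGIN_BEARING_RESOURCES:
        hits = objects_enabling_plugin(listings.get(resource, {}))
        if hits:
            exposed[resource] = hits
    affected = is_affected_version(version_text)
    if affected and exposed:
        action = ("VULNERABLE: " + FIX_ADVICE
                  + "; until then disable forward-auth on the listed objects")
    elif affected:
        action = "version affected but forward-auth is not enabled anywhere; " + FIX_ADVICE
    else:
        action = "version not affected"
    return {"version": parse_version(version_text), "version_affected": affected,
            "exposed": exposed, "action": action}


# Constructed sample data (assumption: shaped like 3.x Admin API listings).
SAMPLE_VERSION = "3.9.0"
SAMPLE_LISTINGS = {
    "routes": json.loads("""{"total": 2, "list": [
        {"key": "/apisix/routes/1", "value": {"id": "1", "uri": "/api/*",
            "plugins": {"forward-auth": {"uri": "http://auth.internal/check",
                                         "request_headers": ["Authorization"]}},
            "upstream": {"type": "roundrobin", "nodes": {"app.internal:8080": 1}}}},
        {"key": "/apisix/routes/2", "value": {"id": "2", "uri": "/public/*",
            "plugins": {"limit-count": {"count": 100, "time_window": 60}}}}
    ]}"""),
    "global_rules": json.loads("""{"total": 1, "list": [
        {"key": "/apisix/global_rules/1", "value": {"id": "1",
            "plugins": {"forward-auth": {"uri": "http://auth.internal/check"}}}}
    ]}"""),
    "services": json.loads('{"total": 0, "list": []}'),
}

if __name__ == "__main__":
    print(json.dumps(assess(SAMPLE_VERSION, SAMPLE_LISTINGS), indent=2))
```

To run it against a live instance, replace the sample data with the output of `apisix version` and the JSON bodies of `GET /apisix/admin/<resource>` for each resource in `PLUGIN_BEARING_RESOURCES`, sent with the `X-API-KEY` admin header (the Admin API listens on port 9180 by default in 3.x). A global rule that enables forward-auth makes every route exposed, which is why the scan does not stop at routes.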

Vulnerability details

Severity: Low

Publication date: May 2, 2024

CVE details: https://nvd.nist.gov/vuln/detail/CVE-2024-32638

Contributor Profile

This vulnerability was discovered and reported by Brandon Arp and Bruno Green from Topsort. Thank you for your contribution to the Apache APISIX community.