Update Rust crate actix-http to v3.12.1 [SECURITY] #194

Open

renovate[bot] wants to merge 1 commit into main from renovate/crate-actix-http-vulnerability
Conversation

renovate[bot] commented Jul 2, 2026

This PR contains the following updates:

Package      Type           Update   Change
actix-http   dependencies   patch    3.12.0 → 3.12.1

actix-http has HTTP/1.1 CL.TE Request Smuggling

GHSA-xhj4-vrgc-hr34

Details

A vulnerability in actix-http's HTTP/1.1 request parser allows an unauthenticated remote client to smuggle requests in deployments where a front-end HTTP intermediary and the Actix backend disagree about whether Content-Length or Transfer-Encoding: chunked defines the request body length.

Severity

Medium.
This is an HTTP request smuggling vulnerability that can be triggered over the network without application-level credentials. Exploitation requires a specific proxy topology: an upstream proxy, WAF, load balancer, or similar intermediary must use Content-Length framing while forwarding the conflicting Transfer-Encoding: chunked request to an Actix backend over a reused HTTP/1.1 connection.

Affected Versions

  • actix-http: versions up to and including 3.12.0

Description

HTTP/1.1 requests that contain both Content-Length and Transfer-Encoding: chunked are ambiguous and must be rejected by recipients to avoid request smuggling.

Affected versions of actix-http accepted a request with a syntactically valid Content-Length header and Transfer-Encoding: chunked on the same HTTP/1.1 message. The parser then selected chunked decoding instead of rejecting the conflicting framing signals.

In a CL.TE proxy topology, an intermediary may treat bytes after the declared Content-Length body as part of the first request, while the Actix backend stops at the terminating chunk marker and parses the remaining bytes on the backend connection as a second HTTP request. This creates a backend-side request desynchronization primitive.

The issue is limited to HTTP/1.1 request parsing.

Impact

HTTP request smuggling

  • Attack Vector: Network, unauthenticated.
  • Effect: Backend request desynchronization with low integrity impact to requests processed by the vulnerable Actix service.
  • Scope: Actix services using affected actix-http versions behind an HTTP/1.1 intermediary that forwards ambiguous Content-Length plus Transfer-Encoding: chunked requests and reuses backend connections.

No direct confidentiality, availability, or subsequent-system impact is scored for this advisory.

Fixed Versions

This issue is fixed in actix-http 3.12.1.

The fix rejects HTTP/1.1 requests that contain both Content-Length and Transfer-Encoding: chunked instead of choosing one framing interpretation.

Mitigation

Users should upgrade to actix-http 3.12.1 or later.

Applications that depend on actix-http through actix-web, awc, or another Actix crate should ensure dependency resolution selects actix-http 3.12.1 or later. For example:

cargo update -p actix-http

If an immediate upgrade is not possible, configure all upstream HTTP intermediaries to reject HTTP/1.1 requests that contain both Content-Length and Transfer-Encoding, and avoid forwarding ambiguous request framing to Actix backends.

Credits

Actix thanks mufeedvh who disclosed this issue through coordinated disclosure.

Severity

  • CVSS Score: 6.3 / 10 (Medium)
  • Vector String: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


Configuration

📅 Schedule: (UTC)

  • Branch creation
    • At any time (no schedule defined)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


This PR was generated by Mend Renovate. View the repository job log.
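The framing decision the advisory describes, as an added example that is not actix-http's own parser code: `framing_pre_fix` models the behaviour the advisory attributes to actix-http 3.12.0 and earlier for the Content-Length plus Transfer-Encoding: chunked case (chunked decoding is selected), and `framing_fixed` models the 3.12.1 rule (a message carrying both is rejected). The minimal header parser, the `Framing` and `FramingError` types and the sample header block are all constructed for this example; the duplicate-Content-Length and non-final-chunked checks follow RFC 9112 section 6.3 and are this example's additions, not something the advisory states about actix-http.

```rust
// Added example, not code from actix-http. Models the message-framing decision
// for an HTTP/1.1 request given its parsed headers. Everything here is a
// stand-in written for illustration (hypothetical names, constructed input).

#[derive(Debug, PartialEq)]
pub enum Framing {
    /// Neither header present: the request has no body.
    None,
    /// Body length is fixed by Content-Length.
    ContentLength(u64),
    /// Body is delimited by chunked transfer coding.
    Chunked,
}

#[derive(Debug, PartialEq)]
pub enum FramingError {
    /// Content-Length and Transfer-Encoding: chunked both present (RFC 9112 §6.3).
    Ambiguous,
    /// Content-Length absent, malformed, or repeated with differing values.
    BadContentLength,
    /// Transfer-Encoding present but chunked is not the final coding, so the
    /// body length cannot be determined.
    UnsupportedTransferEncoding,
}

/// Parse a CRLF-separated header block (request line already removed) into
/// lower-cased (name, value) pairs. Assumption: no obs-fold continuation lines.
pub fn parse_headers(block: &str) -> Vec<(String, String)> {
    block
        .split("\r\n")
        .filter(|line| !line.is_empty())
        .filter_map(|line| {
            let (name, value) = line.split_once(':')?;
            Some((name.trim().to_ascii_lowercase(), value.trim().to_string()))
        })
        .collect()
}

/// Return the single agreed Content-Length, if any. Repeated values are
/// tolerated only when they are identical.
fn content_length(headers: &[(String, String)]) -> Result<Option<u64>, FramingError> {
    let mut found: Option<u64> = None;
    for (_, value) in headers.iter().filter(|(n, _)| n == "content-length") {
        let parsed: u64 = value.parse().map_err(|_| FramingError::BadContentLength)?;
        if let Some(prev) = found {
            if prev != parsed {
                return Err(FramingError::BadContentLength);
            }
        }
        found = Some(parsed);
    }
    Ok(found)
}

/// True when Transfer-Encoding is present and "chunked" is its final coding.
fn is_chunked(headers: &[(String, String)]) -> Result<bool, FramingError> {
    let codings: Vec<String> = headers
        .iter()
        .filter(|(n, _)| n == "transfer-encoding")
        .flat_map(|(_, v)| v.split(',').map(|c| c.trim().to_ascii_lowercase()))
        .collect();
    if codings.is_empty() {
        return Ok(false);
    }
    if codings.last().map(String::as_str) == Some("chunked") {
        Ok(true)
    } else {
        Err(FramingError::UnsupportedTransferEncoding)
    }
}

/// Pre-fix behaviour as the advisory describes it: with both headers present,
/// chunked decoding is chosen and Content-Length is ignored.
pub fn framing_pre_fix(headers: &[(String, String)]) -> Result<Framing, FramingError> {
    if is_chunked(headers)? {
        return Ok(Framing::Chunked);
    }
    Ok(content_length(headers)?.map_or(Framing::None, Framing::ContentLength))
}

/// Fixed behaviour (actix-http 3.12.1): both framing signals present is an error
/// rather than a choice between them.
pub fn framing_fixed(headers: &[(String, String)]) -> Result<Framing, FramingError> {
    let chunked = is_chunked(headers)?;
    let length = content_length(headers)?;
    match (chunked, length) {
        (true, Some(_)) => Err(FramingError::Ambiguous),
        (true, None) => Ok(Framing::Chunked),
        (false, Some(n)) => Ok(Framing::ContentLength(n)),
        (false, None) => Ok(Framing::None),
    }
}

fn main() {
    // Constructed header block for demonstration, not a captured request.
    let block = "Host: app.example\r\nContent-Length: 4\r\nTransfer-Encoding: chunked\r\n";
    let headers = parse_headers(block);
    println!("pre-fix: {:?}", framing_pre_fix(&headers)); // Ok(Chunked)
    println!("fixed:   {:?}", framing_fixed(&headers)); // Err(Ambiguous)
}
```

An intermediary that frames the same headers by Content-Length would take the `ContentLength(4)` branch while the pre-fix backend takes `Chunked`; that disagreement is what the advisory's CL.TE description turns on. The strict variant removes the backend's half of the ambiguity by refusing to pick either interpretation, which is also the rule the Mitigation section asks operators to enforce at every upstream intermediary while an upgrade is pending.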
