Redazione RHC : 8 August 2025 17:10
Security researchers have disclosed a critical security flaw in HTTP/1.1, a threat that has affected web infrastructure for more than six years and potentially exposes millions of sites despite ongoing containment efforts. PortSwigger researchers report that HTTP/1.1 remains inherently insecure, routinely exposing millions of websites to hostile takeover via sophisticated HTTP desynchronization (desync) attacks.
The cybersecurity firm presented several new classes of such attacks, exposing critical flaws that affect tens of millions of websites and undermine the core infrastructure of multiple content delivery networks (CDNs). Although vendors have deployed various containment strategies over the past six years, the researchers have repeatedly been able to bypass these protective barriers.
PortSwigger first disclosed the threat in 2019, but little has since been done to address the underlying cause of the vulnerability. A design flaw in HTTP/1.1 is at the root of the problem: the protocol allows attackers to create extreme ambiguity about where one request ends and the next begins.
This ambiguity lets attackers manipulate request boundaries, producing request smuggling attacks that can undermine the integrity of entire web applications and the infrastructure supporting them. These attacks exploit differences in how servers and proxies interpret the same HTTP request, allowing attackers to insert requests that appear legitimate to front-end security systems but perform malicious operations on the backend servers.
HTTP/2 essentially removes this fundamental ambiguity, because each message is framed with explicit binary length fields rather than text headers open to interpretation, making desynchronization attacks very difficult. However, the researchers stress that enabling HTTP/2 only on edge servers is insufficient: implementing HTTP/2 on the upstream connections from reverse proxies to origin servers is crucial, since many vulnerabilities persist precisely because that hop still relies on HTTP/1.1.
PortSwigger has launched a comprehensive initiative titled “HTTP/1.1 Must Die: The Desync Endgame,” urging organizations to abandon the vulnerable protocol. The research includes practical recommendations for immediate implementation, including enabling upstream HTTP/2 support and ensuring origin servers can handle the latest protocol.
For organizations still relying on HTTP/1.1, the researchers recommend enabling whatever request validation and normalization capabilities the front-end systems offer, considering disabling upstream connection reuse, and actively engaging vendors about their HTTP/2 support timelines.
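The request boundary ambiguity described above, and the front-end validation recommended as a stopgap, can be made concrete. The following is an added example written for this article, not code from PortSwigger or from any CDN or proxy vendor: a strict HTTP/1.1 request-head parser that refuses any request whose body framing is not unambiguously determined (both Content-Length and Transfer-Encoding present, conflicting Content-Length values, obfuscated header names, obsolete line folding, bare line feeds), following the rules in RFC 9112 section 6. The function names and the sample requests are constructed for illustration.

```python
"""Strict HTTP/1.1 request-framing validator for a front end.

Added example (not PortSwigger's or any vendor's code). A front end that
rejects ambiguous framing up front never has to hope that its origin
interprets the request the same way it did. Rules follow RFC 9112 section 6;
the constants and sample requests below are constructed, not captured traffic.
"""
import re

# RFC 9110 "token": the only characters allowed in a header field name.
_TOKEN = re.compile(r"^[!#$%&'*+.^_`|~0-9A-Za-z-]+$")


class AmbiguousRequest(ValueError):
    """Raised when the request's body framing cannot be determined unambiguously."""


def parse_request_head(raw: bytes) -> dict:
    """Parse request line and headers; raise AmbiguousRequest on framing ambiguity.

    Returns method, target, version, headers (lower-cased names -> list of values)
    and body_framing, one of ("content-length", n), ("chunked", None), ("none", None).
    """
    head, sep, _body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise AmbiguousRequest("request head not terminated by CRLF CRLF")
    # Only CRLF may end a header line; a bare LF lets two parsers split lines differently.
    if b"\n" in head.replace(b"\r\n", b""):
        raise AmbiguousRequest("bare LF in request head")

    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ")
    if len(parts) != 3 or parts[2] not in (b"HTTP/1.1", b"HTTP/1.0"):
        raise AmbiguousRequest("malformed request line")
    method, target, version = (p.decode("ascii") for p in parts)

    headers = {}
    for line in lines[1:]:
        if line[:1] in (b" ", b"\t"):
            # Obsolete line folding: proxies disagree on whether it continues the previous field.
            raise AmbiguousRequest("obs-fold header continuation")
        name, colon, value = line.partition(b":")
        if not colon or not _TOKEN.match(name.decode("latin-1")):
            # Also catches whitespace before the colon ("Transfer-Encoding : chunked").
            raise AmbiguousRequest(f"invalid header field name {name!r}")
        headers.setdefault(name.decode("ascii").lower(), []).append(
            value.strip(b" \t").decode("latin-1"))

    cl = headers.get("content-length")
    te = headers.get("transfer-encoding")
    if cl is not None and te is not None:
        # RFC 9112 6.1: a request carrying both is to be treated as an error.
        raise AmbiguousRequest("both Content-Length and Transfer-Encoding present")

    if te is not None:
        # Accept exactly one coding, "chunked"; anything else is unsupported or obfuscated.
        codings = [c.strip().lower() for v in te for c in v.split(",")]
        if codings != ["chunked"]:
            raise AmbiguousRequest(f"unsupported Transfer-Encoding {te!r}")
        framing = ("chunked", None)
    elif cl is not None:
        # Repeated Content-Length is tolerated only if every copy is the same pure-digit value.
        values = set(cl)
        if len(values) != 1 or not re.fullmatch(r"[0-9]+", cl[0]):
            raise AmbiguousRequest(f"invalid or conflicting Content-Length {cl!r}")
        framing = ("content-length", int(cl[0]))
    else:
        framing = ("none", None)

    return {"method": method, "target": target, "version": version,
            "headers": headers, "body_framing": framing}


def is_unambiguous(raw: bytes) -> bool:
    """True if the front end may forward the request, False if it should reject it."""
    try:
        parse_request_head(raw)
        return True
    except AmbiguousRequest:
        return False


# Constructed sample requests (not captured traffic).
CLEAN = (b"POST /login HTTP/1.1\r\nHost: example.test\r\n"
         b"Content-Length: 10\r\n\r\nuser=alice")
BOTH_HEADERS = (b"POST /login HTTP/1.1\r\nHost: example.test\r\n"
                b"Content-Length: 4\r\nTransfer-Encoding: chunked\r\n\r\n0\r\n\r\n")
DUP_LENGTH = (b"POST /login HTTP/1.1\r\nHost: example.test\r\n"
              b"Content-Length: 4\r\nContent-Length: 9\r\n\r\nabcd")
SPACE_NAME = (b"POST /login HTTP/1.1\r\nHost: example.test\r\n"
              b"Transfer-Encoding : chunked\r\n\r\n0\r\n\r\n")

if __name__ == "__main__":
    for label, req in [("clean", CLEAN), ("cl+te", BOTH_HEADERS),
                       ("duplicate cl", DUP_LENGTH), ("space in name", SPACE_NAME)]:
        print(f"{label:14s} forward={is_unambiguous(req)}")
```

The validator is deliberately stricter than a general-purpose HTTP parser: rather than trying to guess the sender's intent when framing headers conflict, it rejects the request, which is the behaviour the article's recommendation on front-end validation and normalization is aiming for. Note that it does nothing about the downstream hop; if the proxy still speaks HTTP/1.1 to the origin and reuses that connection, the article's point about enabling upstream HTTP/2 still applies.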
The vulnerability affects a broad spectrum of web infrastructure, from individual websites to major CDN providers, underscoring the urgent need for industry-wide adoption of modern HTTP protocols to secure the web.