facebook/proxygen

Request smuggling vulnerability in Proxygen

kenballus opened this issue · 0 comments

I found a bug in Proxygen's HTTP parser that is usable to execute request smuggling attacks against Proxygen-based web services when they are running behind any of the following HTTP intermediary servers:

  • Apache Traffic Server
  • Google Cloud Classic Application Load Balancer
  • Akamai

Unfortunately, I can't report this vulnerability without a Facebook account, which I don't have. Could someone from the Proxygen team please get in touch with me using email? My email address is at the bottom of my webpage.

Thanks!