from ethicalhacker@infosec.exchange to (none) on 04 Jun 08:22
https://infosec.exchange/users/ethicalhacker/statuses/116692521669013389
New disclosure: CL.TE HTTP request smuggling in OpenBSD relayd.
Latent in relay_http.c since 2012 (OpenBSD 5.2). The body was parsed as chunked but a co-present Content-Length header wasn't stripped before forwarding to backend, contrary to RFC 9112 §6.1.
Found by a targeted source-review pass against the RFC framing rules. Fixed in -current 2026-06-03 in a single commit.
https://stuart-thomas.com/research/relayd-cl-te-smuggling/
#infosec #OpenBSD #vulndisclosure
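
Added example, not part of the original post and not relayd's code: a Python sketch of the RFC 9112 §6.1 rule the post cites, showing how chunked and Content-Length framing disagree on a constructed request, and the Content-Length removal an intermediary performs before forwarding. All function names and the sample request are hypothetical, and trailer fields are assumed absent.

```python
# Constructed sample: one request carrying both framing headers.
SAMPLE = (b"POST /upload HTTP/1.1\r\nHost: app.example\r\n"
          b"Content-Length: 5\r\nTransfer-Encoding: chunked\r\n\r\n"
          b"5\r\nhello\r\n0\r\n\r\n")

def parse_headers(head: bytes):
    """Split a request head into (name, value) pairs, skipping the request line."""
    pairs = []
    for line in head.split(b"\r\n")[1:]:
        name, _, value = line.partition(b":")
        pairs.append((name.decode("latin-1").strip(), value.decode("latin-1").strip()))
    return pairs

def has_header(headers, wanted: str) -> bool:
    return any(name.lower() == wanted for name, _ in headers)

def chunked_length(body: bytes) -> int:
    """Bytes a chunked parser consumes, through the last-chunk and final CRLF."""
    pos = 0
    while True:
        eol = body.index(b"\r\n", pos)
        size = int(body[pos:eol].split(b";")[0], 16)  # ignore chunk extensions
        pos = eol + 2
        if size == 0:
            return pos + 2            # empty trailer section, then CRLF
        pos += size + 2               # chunk data plus its CRLF

def framing_views(raw: bytes):
    """Return (length per Content-Length, length per chunked framing)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    headers = parse_headers(head)
    cl = next((int(v) for n, v in headers if n.lower() == "content-length"), None)
    te = chunked_length(body) if has_header(headers, "transfer-encoding") else None
    return cl, te

def normalise_for_forwarding(headers):
    """RFC 9112 6.1: with both headers present, Transfer-Encoding overrides and
    Content-Length must be removed before the message goes downstream."""
    conflict = (has_header(headers, "transfer-encoding")
                and has_header(headers, "content-length"))
    if conflict:
        headers = [(n, v) for n, v in headers if n.lower() != "content-length"]
    return list(headers), conflict

if __name__ == "__main__":
    print("framing (Content-Length, chunked):", framing_views(SAMPLE))
    head = SAMPLE.partition(b"\r\n\r\n")[0]
    print(normalise_for_forwarding(parse_headers(head)))
```

The two lengths differ for the sample, which is the ambiguity a backend that honours Content-Length would act on if the header were forwarded unchanged; the `conflict` flag is also a natural point to log or reject the request.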