A critical flaw in HTTP/1.1 has put millions of websites at risk of being seized by malicious actors.

A critical vulnerability in the HTTP/1.1 protocol poses a significant threat to tens of millions of websites, enabling potential hostile takeovers through sophisticated desynchronization attacks. This fundamental flaw creates extreme ambiguity regarding the boundaries of requests, allowing attackers to manipulate web traffic and compromise entire infrastructures. The vulnerability exposes millions of websites to data theft and code injection attacks, with HTTP/2 being the only effective fix. However, major vendors, including Nginx, Akamai, CloudFront, and Fastly, currently lack support for upstream HTTP/2, leaving many sites vulnerable. PortSwigger reports that these desynchronisation attacks exploit weaknesses in HTTP/1.1’s message parsing, allowing attackers to craft malicious requests that confuse reverse proxies and backend servers. The consequences can be severe, leading to the disclosure of confidential information and users being randomly logged into other accounts.

To mitigate this vulnerability, organisations must migrate to upstream HTTP/2 connections between reverse proxies and origin servers. HTTP/2 eliminates the ambiguity that facilitates desynchronisation attacks by providing clear message boundaries and binary framing. Simply enabling HTTP/2 for client-facing connections is insufficient; the upstream connection to backend servers must also utilise HTTP/2 to prevent exploitation. For those unable to implement upstream HTTP/2 immediately, researchers recommend using the open-source HTTP Request Smuggler v3.0 tool to identify vulnerabilities and enable request validation features. Security experts emphasise that wrapping HTTP/1.1 in HTTPS does not protect against these attacks, as the vulnerability exists at the protocol level. Until major vendors implement the necessary upgrades, millions of websites remain at risk.