
nghttpx CVE-2026-58055

EUVD: EUVD-2026-39975 · MEDIUM
HTTP Request/Response Smuggling (CWE-444)
2026-06-28 · VulnCheck · GHSA-xrr7-82jr-v58x
Score: 6.3 (CVSS 4.0, Vendor: VulnCheck)

Severity by source

Vendor (VulnCheck), primary: 6.3 MEDIUM
CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

vuln.today AI: 5.4 MEDIUM

Network-accessible, no auth required, but AC:H because the backend must misparse the ambiguous message; scope changes because cross-client response poisoning affects other users.

CVSS 3.1: AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N
CVSS 4.0: AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N

Primary rating from Vendor (VulnCheck).

CVSS Vector (Vendor: VulnCheck)

CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: X (not defined)

Lifecycle Timeline (3 events)

Source Code Evidence Fetched: Jun 28, 2026 - 02:33 (vuln.today)
Analysis Generated: Jun 28, 2026 - 02:33 (vuln.today)
CVSS changed: Jun 28, 2026 - 02:22 (NVD), 5.4 (MEDIUM) -> 6.3 (MEDIUM)

Description (CVE.org)

nghttp2's nghttpx proxy through 1.69.0 forwards an HTTP/1.1 Upgrade request that also carries a Content-Length header and body onto reusable keep-alive backend connections, re-adding the Upgrade and Connection headers while passing Content-Length verbatim. A backend that resolves the resulting ambiguous message in the attacker's favor enables HTTP request/response smuggling and cross-client response-queue poisoning.

Analysis (AI)

HTTP request/response smuggling in nghttpx (the reverse proxy component of nghttp2 through 1.69.0) allows unauthenticated remote attackers to poison shared backend keep-alive connections by crafting an HTTP/1.1 Upgrade request that simultaneously carries a Content-Length header and body. When nghttpx forwards this ambiguous message to a backend and re-adds Connection and Upgrade headers while passing Content-Length verbatim, a backend that resolves the parsing ambiguity in the attacker's favor treats the body as a separate, attacker-controlled HTTP request - enabling cross-client response-queue poisoning. …


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata

Access: Send HTTP/1.1 Upgrade request with Content-Length body
Delivery: nghttpx forwards ambiguous message on keep-alive backend connection
Exploit: Backend parser treats body as second HTTP request
Execution: Injected request processed by backend
Persist: Attacker's response placed in shared response queue
Impact: Legitimate client receives attacker-controlled or leaked response

Vulnerability Assessment (AI)

Exploitation: Exploitation requires that nghttpx is operating as a reverse proxy (not the HTTP/2 client or server library modes) and that backend connections are pooled and reused via HTTP keep-alive - the default configuration for nghttpx in proxy mode. … Additional conditions and limiting factors are described in the full assessment.

Risk Assessment: The CVSS 4.0 score of 6.3 (Medium) reflects the real-world complexity of exploitation: AC:H correctly captures that the attack succeeds only when the downstream backend resolves the parsing ambiguity in the attacker's favor - not all backends are vulnerable to this specific interaction. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.

Exploit Scenario: An unauthenticated attacker sends a crafted HTTP/1.1 request to nghttpx bearing both an Upgrade header and a Content-Length body whose bytes spell out a malicious HTTP request (e.g., a GET to an admin endpoint). nghttpx forwards the ambiguous message onto an existing keep-alive connection to a backend that interprets the Content-Length body as a second, pipelined HTTP request. …

Remediation: The primary fix is to update nghttp2 to a version that includes upstream commit ab28105c4a0197da24f8bfc414bc116055249e1e (https://github.com/nghttp2/nghttp2/commit/ab28105c4a0197da24f8bfc414bc116055249e1e); a specific tagged release version is not confirmed in the available data - verify with the nghttp2 project release page. … Detailed patch versions, workarounds, and compensating controls in full report.
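The Description, Analysis and Exploit Scenario sections above all turn on one request shape: an HTTP/1.1 Upgrade request that also declares a message body. Until the fixed nghttp2 build is deployed, a compensating control is to detect that shape at the edge (a WAF rule, a request-validation layer, or a pre-proxy filter) and refuse to forward it. The following Python is an added example written for this page; it is not nghttp2 or nghttpx code and does not reproduce the upstream fix. It assumes the request head is available as raw bytes, and it deliberately also rejects conflicting Content-Length values, since those are a classic smuggling hazard in the same family. The sample requests are constructed.

```python
"""Edge check for the ambiguous request shape behind CVE-2026-58055:
an HTTP/1.1 Upgrade request that also carries a Content-Length (or
Transfer-Encoding) body. Illustrative code, not nghttpx's own logic."""


def parse_request_head(raw: bytes):
    """Split a raw HTTP/1.1 request into (request_line, headers, body).

    Headers come back as a list of (lowercased name, value) pairs so that
    duplicate headers are preserved instead of silently merged."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    request_line = lines[0].decode("latin-1")
    headers = []
    for line in lines[1:]:
        if not line:
            continue
        name, sep, value = line.partition(b":")
        if not sep:
            raise ValueError(f"malformed header line: {line!r}")
        headers.append((name.strip().lower().decode("latin-1"),
                        value.strip().decode("latin-1")))
    return request_line, headers, body


def is_upgrade_request(headers) -> bool:
    """RFC 9110 s7.8: a real Upgrade request names 'upgrade' in Connection."""
    has_upgrade = any(n == "upgrade" and v for n, v in headers)
    conn_tokens = {t.strip().lower()
                   for n, v in headers if n == "connection"
                   for t in v.split(",")}
    return has_upgrade and "upgrade" in conn_tokens


def declared_body(headers):
    """Return (content_length, has_transfer_encoding).

    Conflicting or non-numeric Content-Length values are a smuggling
    hazard in their own right, so they raise rather than being guessed."""
    cls = [v for n, v in headers if n == "content-length"]
    te = any(n == "transfer-encoding" for n, _ in headers)
    if not cls:
        return 0, te
    if len(set(cls)) != 1 or not cls[0].isdigit():
        raise ValueError("conflicting or non-numeric Content-Length")
    return int(cls[0]), te


def assess_request(raw: bytes) -> dict:
    """Decide whether a request is safe to hand to a pooled backend.

    Policy (an assumption of this example, not the project's): an Upgrade
    request that also declares a body is refused at the edge, because a
    backend may read that body as a second pipelined request."""
    _, headers, _ = parse_request_head(raw)
    upgrade = is_upgrade_request(headers)
    try:
        length, te = declared_body(headers)
    except ValueError as err:
        return {"verdict": "reject", "reason": str(err)}
    if upgrade and (length > 0 or te):
        return {"verdict": "reject",
                "reason": "Upgrade request carries a message body "
                          "(CVE-2026-58055 request shape)"}
    return {"verdict": "forward", "reason": "",
            "upgrade": upgrade, "body_length": length}


# Constructed sample requests (not captured traffic).
SAMPLE_WS_UPGRADE = (b"GET /chat HTTP/1.1\r\nHost: example.test\r\n"
                     b"Connection: keep-alive, Upgrade\r\n"
                     b"Upgrade: websocket\r\n\r\n")
SAMPLE_POST = (b"POST /form HTTP/1.1\r\nHost: example.test\r\n"
               b"Content-Length: 5\r\n\r\nhello")
SAMPLE_AMBIGUOUS = (b"POST /chat HTTP/1.1\r\nHost: example.test\r\n"
                    b"Connection: Upgrade\r\nUpgrade: websocket\r\n"
                    b"Content-Length: 9\r\n\r\nxxxxxxxxx")
SAMPLE_DUP_CL = (b"POST /form HTTP/1.1\r\nHost: example.test\r\n"
                 b"Content-Length: 5\r\nContent-Length: 9\r\n\r\nhello")

if __name__ == "__main__":
    for name, sample in [("websocket upgrade", SAMPLE_WS_UPGRADE),
                         ("plain POST", SAMPLE_POST),
                         ("upgrade + body", SAMPLE_AMBIGUOUS),
                         ("duplicate Content-Length", SAMPLE_DUP_CL)]:
        print(f"{name:26s} -> {assess_request(sample)}")
```

The check keys on the Connection token list rather than the bare presence of an Upgrade header, so a stray Upgrade header without Connection: upgrade is treated as an ordinary request, which is how RFC 9110 tells servers to treat it. Rejecting, rather than stripping Upgrade and forwarding, is the conservative choice here: stripping changes the request's meaning for the client, while a 400 at the edge never reaches the shared backend connection.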


Vendor Status (Vendor)

Debian

Bug #1140917
nghttp2

Release              | Status     | Fixed Version         | Urgency
bullseye             | vulnerable | 1.43.0-1+deb11u1      | -
bullseye (security)  | vulnerable | 1.43.0-1+deb11u3      | -
bookworm             | vulnerable | 1.52.0-1+deb12u2      | -
bookworm (security)  | vulnerable | 1.52.0-1+deb12u3      | -
trixie               | vulnerable | 1.64.0-1.1            | -
trixie (security)    | vulnerable | 1.64.0-1.1+deb13u1    | -
forky, sid           | vulnerable | 1.69.0-1              | -
(unstable)           | fixed      | (unfixed)             | -
