HTTP Request Smuggling Affecting actix-http package, versions <3.12.1
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk IDSNYK-RUST-ACTIXHTTP-16301596
- published27 Apr 2026
- disclosed22 Apr 2026
- creditmufeedvh
Introduced: 22 Apr 2026
New CVE NOT AVAILABLE CWE-444 (opens in a new tab)How to fix?
Upgrade actix-http to version 3.12.1 or higher.
Overview
actix-http is a HTTP primitives for the Actix ecosystem
Affected versions of this package are vulnerable to HTTP Request Smuggling in the HTTP/1.1 request parsing process. An attacker can cause backend request desynchronization by sending specially crafted HTTP requests containing both Content-Length and Transfer-Encoding: chunked headers, which may be interpreted differently by intermediaries and the backend, leading to processing of unintended requests. This is only exploitable if an upstream HTTP intermediary (such as a proxy, WAF, or load balancer) forwards ambiguous requests with both headers to the backend over a reused HTTP/1.1 connection.
Workaround
This vulnerability can be mitigated by configuring all upstream HTTP intermediaries to reject HTTP/1.1 requests that contain both Content-Length and Transfer-Encoding, and by avoiding forwarding ambiguous request framing to backends.