GHSA-xhj4-vrgc-hr34: actix-http has HTTP/1.1 CL.TE Request Smuggling
A vulnerability in actix-http’s HTTP/1.1 request parser allows an unauthenticated remote client to smuggle requests in deployments where a front-end HTTP intermediary and the Actix backend disagree about whether Content-Length or Transfer-Encoding: chunked defines the request body length.
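An added example, not actix-http's code or its fix: a strict framing check that a service in front of the backend could apply, so that no request whose headers allow two readings of the body length is forwarded. `Framing`, `classify` and `must_reject` are hypothetical names, and the reject-on-conflict policy is an assumption (RFC 9112 permits a server to reject a request that carries both headers).

```rust
// Added example: the names and the strict policy are hypothetical, not actix-http code.
#[derive(Debug, PartialEq)]
pub enum Framing { None, ContentLength(u64), Chunked, Conflict, Invalid }

/// Classify the header block of one HTTP/1.1 request (lines end in CRLF).
pub fn classify(head: &str) -> Framing {
    let mut lengths: Vec<&str> = Vec::new();
    let mut codings: Vec<String> = Vec::new();
    for line in head.split("\r\n").skip(1) {
        if line.is_empty() { break; } // blank line ends the header block
        let (name, value) = line.split_once(':').unwrap_or(("", ""));
        // No colon gives an empty name. Whitespace in or before the name (including
        // obs-fold) is parsed differently across servers, so refuse both.
        if name.is_empty() || name.contains(char::is_whitespace) {
            return Framing::Invalid;
        }
        if name.eq_ignore_ascii_case("content-length") {
            lengths.push(value.trim());
        } else if name.eq_ignore_ascii_case("transfer-encoding") {
            codings.extend(value.split(',').map(|c| c.trim().to_ascii_lowercase()));
        }
    }
    match (lengths.first(), codings.is_empty()) {
        (None, true) => Framing::None,
        // Both headers present: front end and backend may pick different lengths.
        (Some(_), false) => Framing::Conflict,
        // Strict policy: a lone "chunked" is the only accepted coding.
        (None, false) if codings == ["chunked"] => Framing::Chunked,
        (None, false) => Framing::Invalid,
        (Some(first), true) => {
            // Digits only (no sign, no empty value); repeated headers must agree.
            let clean = !first.is_empty() && first.bytes().all(|b| b.is_ascii_digit());
            match first.parse::<u64>() {
                Ok(n) if clean && lengths.iter().all(|l| l == first) => Framing::ContentLength(n),
                _ => Framing::Invalid,
            }
        }
    }
}

/// True when the request should get a 400 and the connection be closed.
pub fn must_reject(head: &str) -> bool {
    matches!(classify(head), Framing::Conflict | Framing::Invalid)
}
fn main() {
    // Constructed sample: one request carrying both framing headers.
    let s = "POST /upload HTTP/1.1\r\nHost: app.example\r\nContent-Length: 5\r\nTransfer-Encoding: chunked\r\n\r\n";
    println!("{:?} reject={}", classify(s), must_reject(s));
}
```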