On 18/01/2026 at 9:23 PM, Rajat Raghav wrote:
## Vulnerability
## Attack Scenario
```
┌──────────┐        ┌─────────────┐        ┌─────────────┐
│ Attacker │ ──1──▶ │   [PROXY]   │ ──2──▶ │   Backend   │
│          │        │ (VULNERABLE)│        │   (nginx)   │
└──────────┘        └─────────────┘        └─────────────┘
```

Hi,
With this setup, the extensions are just dropped during parsing. Nginx will
never see them. Now, as Willy said, these extensions are not parsed at all by
HAProxy. However, I don't see any way to exploit it (at least, it is not
obvious). HAProxy will see 2 requests and Nginx will reply to both of these
requests. So there is no smuggling. And any control that should be performed on
the first request will be properly done. The same on the second request.
So now, we can argue the chunk extensions should be parsed to reply
400-bad-request in that case. But honestly I don't see the point.
--
Christopher Faulet
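
What "dropped during the parsing" means for a chunked body, next to the stricter option of answering 400 on a malformed extension, as an added example that is not part of this message and is not HAProxy code. `reframe_chunked`, `BadRequest` and the sample bytes are hypothetical and constructed; the strict mode follows the RFC 9112 chunk-ext grammar, and trailer fields are not handled.

```python
import re

# RFC 9112 chunk-ext = *( BWS ";" BWS name [ BWS "=" BWS ( token / quoted-string ) ] )
TOKEN = r"[!#$%&'*+.^_`|~0-9A-Za-z-]+"
QUOTED = r'"(?:[\t \x21\x23-\x5b\x5d-\x7e\x80-\xff]|\\[\t \x21-\x7e\x80-\xff])*"'
CHUNK_EXT = re.compile(
    rf"(?:[ \t]*;[ \t]*{TOKEN}(?:[ \t]*=[ \t]*(?:{TOKEN}|{QUOTED}))?)*".encode()
)


class BadRequest(Exception):
    """Framing error that a strict intermediary would answer with 400."""


def reframe_chunked(body: bytes, strict_ext: bool = False) -> bytes:
    """Parse a chunked body and re-emit it for the backend without extensions.

    strict_ext=False: bytes after the chunk size are skipped, not parsed.
    strict_ext=True:  they must match the chunk-ext grammar, else BadRequest.
    """
    out, pos = bytearray(), 0
    while True:
        eol = body.find(b"\r\n", pos)
        if eol < 0:
            raise BadRequest("chunk-size line not terminated by CRLF")
        line = body[pos:eol]
        m = re.match(rb"[0-9A-Fa-f]+", line)
        if not m:
            raise BadRequest("missing chunk size")
        ext = line[m.end():]
        if strict_ext and not CHUNK_EXT.fullmatch(ext):
            raise BadRequest("malformed chunk extension")
        if ext.lstrip(b" \t")[:1] not in (b"", b";"):
            raise BadRequest("garbage after chunk size")
        size, pos = int(m.group(), 16), eol + 2
        if size == 0:
            if body[pos:pos + 2] != b"\r\n":
                raise BadRequest("trailer fields are not handled here")
            return bytes(out + b"0\r\n\r\n")
        data = body[pos:pos + size]
        if len(data) != size or body[pos + size:pos + size + 2] != b"\r\n":
            raise BadRequest("chunk data truncated or not followed by CRLF")
        out += b"%x\r\n%s\r\n" % (size, data)  # extension is not forwarded
        pos += size + 2


# Constructed sample bodies (not taken from the report under discussion).
WELL_FORMED = b"5;note=abc\r\nhello\r\n0\r\n\r\n"
MALFORMED = b"5;=x\r\nhello\r\n0\r\n\r\n"  # extension with no name
```

In the lenient mode both samples reach the backend as the same extension-free body; only `strict_ext=True` turns the malformed one into a rejection.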