Intel

AIKIDO-2026-267343

httpxy is vulnerable to HTTP Request Smuggling

HTTP Request Smuggling Pre-CVE
Found by Aikido Intel before public disclosure or CVE publication.
Published Today

63

Medium Risk

This Affects:

JShttpxy
0.5.0 - 0.5.4
Fixed in 0.5.5
Are you affected? Scan for Free

TL;DR

httpxy proxies HTTP requests to upstream servers and, since default keep-alive agents were enabled, reuses upstream sockets across requests. Before the fix, an outgoing request carrying a transfer-encoding (chunked) header could reuse an upstream keep-alive socket, so a request-boundary disagreement at a lenient upstream could desynchronize the connection and let a smuggled request poison a later user's response. The 307/308 redirect replay path and a Connection: upgrade combined with a chunked body shared the same weakness. The fix adds a forceConnectionCloseForTransferEncoding helper and forces connection: close on every outgoing path whenever the request carries transfer-encoding, so the upstream socket is torn down after use and cannot be reused.

Who does this affect?

You are affected if you are using a version that falls within the vulnerable range.

Background info

httpxy is vulnerable to HTTP Request Smuggling in versions 0.5.0 - 0.5.4.

How to fix this

Upgrade the httpxy library to the patch version.