SecurityWeek reports that multiple major organizations, popular content delivery networks, and websites have been compromised with new variants of the HTTP request smuggling attack technique, also known as a desync attack, in which crafted requests are delivered to enable session theft, web cache poisoning, or redirection to phishing sites.
HTTP/1.1 vulnerabilities and the 0.CL attack method have been leveraged in the novel HTTP request smuggling variant, which was found to affect T-Mobile and GitLab servers, as well as Netlify CDN systems, according to PortSwigger research presented at Black Hat USA 2025. Organizations using Akamai's CDN and millions of websites using Cloudflare were also impacted by the attack. Identifying and disclosing the security issue earned the PortSwigger researchers $276,000 in bug bounties. The emergence of a new HTTP request smuggling variant should prompt organizations to transition to the more robust HTTP/2+ protocol, said PortSwigger Director of Research James Kettle.