Skip to main content

HTTP Request Smuggling in forward-auth Plugin (CVE-2024-32638)

· One min read

For APISIX versions 3.8.0 and 3.9.0, enabling the forward-auth plugin allows APISIX to trigger illegal requests (HTTP Request Smuggling).

Problem Description

Enabling the forward-auth plugin allows Apache APISIX to trigger illegal requests (HTTP Request Smuggling), resulting in a security vulnerability.

Affected Versions

This issue affects Apache APISIX versions: 3.8.0 and 3.9.0.


For Apache APISIX users using versions 3.8.0 and 3.9.0, it is recommended to upgrade to versions 3.8.1, 3.9.1, or higher, in which the issue is fixed.

Vulnerability details

Severity: Low

Vulnerability public date: May 2, 2024

CVE details:

Contributor Profile

This vulnerability was discovered and reported by Brandon Arp and Bruno Green from Topsort. Thank you for your contribution to the Apache APISIX community.