CVE-2020-26281

Name of the Vulnerable Software and Affected Versions async-h1 versions prior to 2.3.0

Description The issue is a request smuggling vulnerability that affects webservers using async-h1 behind a reverse proxy, including Tide applications. If a server does not read the body of a request that is longer than a certain buffer length, async-h1 will attempt to read a subsequent request from the body content. This can be exploited by an adversary to craft a request that forges forwarded/x-forwarded headers, potentially misleading applications that trust these headers. Additionally, if a reverse proxy sends multiple clients' requests along the same keep-alive connection, a smuggled request could capture another user's request in its body, allowing the content to be retrieved by the adversary.

Recommendations To resolve the issue, update to async-h1 version 2.3.0 or later, as previous versions have been yanked. As a temporary workaround, consider restricting access to the async-h1 parser behind a reverse proxy to minimize the risk of exploitation.