HTTP/2 pseudo-header server side request forgery
Description
This vulnerability arises when HTTP/2 pseudo-headers (:method, :path, :authority, and :scheme) are trusted as the source of a request's destination and used to perform Server-Side Request Forgery (SSRF). Attackers can manipulate these special headers to trick the server or an intermediary proxy into making unintended requests to internal resources, localhost, or external systems. This occurs when applications or proxy servers handle HTTP/2 pseudo-headers without adequate validation, for example by routing on :authority or :scheme as received, allowing attackers to bypass security controls and reach restricted network resources.
Remediation
Implement strict validation and sanitization of all HTTP/2 pseudo-headers before processing requests. Configure web servers and reverse proxies to reject or normalize malformed or suspicious pseudo-header values. Use allowlists to restrict outbound connections to only necessary external domains and IP addresses. Implement network segmentation to limit the server's access to internal resources. Deploy egress filtering to prevent the server from making requests to private IP ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 127.0.0.0/8, 169.254.0.0/16) and localhost. If your application requires making requests based on user input, use a dedicated sandboxed service with minimal privileges and validate all destination URLs against a strict allowlist.
Example validation approach:
// Validate and sanitize destination URLs before the server makes an outbound request
function isAllowedDestination(url) {
  const allowedHosts = ['api.trusted-partner.com', 'cdn.example.com'];
  // Private, loopback and link-local IPv4 prefixes; 172.16.0.0/12 spans 172.16. to 172.31.
  const blockedRanges = ['127.', '169.254.', '10.', '192.168.'];
  for (let i = 16; i <= 31; i++) blockedRanges.push(`172.${i}.`);
  try {
    const parsedUrl = new URL(url);
    // Check against blocked IP ranges (defense in depth; the allowlist below is the
    // authoritative decision)
    for (const blocked of blockedRanges) {
      if (parsedUrl.hostname.startsWith(blocked)) {
        return false;
      }
    }
    // Verify the exact hostname against the allowlist
    return allowedHosts.includes(parsedUrl.hostname);
  } catch (e) {
    // Unparseable URL: treat as not allowed
    return false;
  }
}
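The URL check above runs after a destination has been chosen; the check below, added here as an example and not taken from the original page, validates the HTTP/2 header block itself before any routing decision is made, applying the RFC 9113 section 8.3 rules (lowercase names, pseudo-headers before regular fields, no unknown or duplicate pseudo-headers) plus an exact :authority allowlist and a Host/:authority consistency check. The input shape (an array of [name, value] pairs in wire order) and the ALLOWED_AUTHORITIES and ALLOWED_METHODS values are assumptions for the example.

```javascript
// Added example, not from the original page: structural and allowlist checks on an
// HTTP/2 request's header block before the server acts on it (RFC 9113 section 8.3).
// Input is the decoded field list as [name, value] pairs in wire order, as an HPACK
// decoder hands it over. ALLOWED_AUTHORITIES and ALLOWED_METHODS are hypothetical.
const ALLOWED_AUTHORITIES = new Set(['app.example.com', 'app.example.com:443']);
const ALLOWED_METHODS = new Set(['GET', 'HEAD', 'POST', 'PUT', 'DELETE', 'PATCH', 'OPTIONS']);
const KNOWN_PSEUDO = new Set([':method', ':scheme', ':authority', ':path']);

function validatePseudoHeaders(headerList) {
  const pseudo = {};
  let hostHeader = null;
  let seenRegular = false;
  for (const [name, value] of headerList) {
    // HTTP/2 field names are lowercase; CR, LF and NUL in values are forbidden outright.
    if (name !== name.toLowerCase()) return { ok: false, reason: 'uppercase field name' };
    if (/[\r\n\0]/.test(value)) return { ok: false, reason: 'control character in value' };
    if (name.startsWith(':')) {
      // Pseudo-headers must precede regular fields, be known, and appear at most once.
      if (seenRegular) return { ok: false, reason: 'pseudo-header after regular header' };
      if (!KNOWN_PSEUDO.has(name)) return { ok: false, reason: `unknown pseudo-header ${name}` };
      if (name in pseudo) return { ok: false, reason: `duplicate ${name}` };
      pseudo[name] = value;
    } else {
      seenRegular = true;
      if (name === 'host') hostHeader = value;
    }
  }
  for (const required of [':method', ':scheme', ':path', ':authority']) {
    if (!(required in pseudo)) return { ok: false, reason: `missing ${required}` };
  }
  if (!ALLOWED_METHODS.has(pseudo[':method'])) return { ok: false, reason: 'method not allowed' };
  if (pseudo[':scheme'] !== 'https') return { ok: false, reason: 'scheme must be https' };
  // Origin-form only: an absolute URL or a "//host" prefix in :path would let the path,
  // rather than :authority, decide where an upstream request goes.
  if (!/^\/(?!\/)\S*$/.test(pseudo[':path'])) return { ok: false, reason: 'path must be origin-form' };
  // :authority is host[:port] with no userinfo or path; match it exactly against the
  // allowlist rather than by prefix, so a longer name that merely starts with an allowed
  // host, or a raw IP address, never passes.
  const authority = pseudo[':authority'];
  if (/[@\/\\]/.test(authority)) return { ok: false, reason: 'malformed authority' };
  if (!ALLOWED_AUTHORITIES.has(authority)) return { ok: false, reason: 'authority not in allowlist' };
  // A Host header that disagrees with :authority hands the proxy and the origin two
  // different targets; refuse rather than let either side pick.
  if (hostHeader !== null && hostHeader !== authority) return { ok: false, reason: 'host/:authority mismatch' };
  return { ok: true, authority };
}
```

Rejections surface as a reason string so the proxy can log which rule fired, which is also a useful detection signal for pseudo-header tampering attempts.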