Reverse proxy misrouting through HTTP/2 pseudo-headers (SSRF)
Description
This vulnerability occurs when a reverse proxy forwards HTTP/2 pseudo-headers (such as :authority, :path, :method, or :scheme) without proper validation, and the backend application uses these headers for request routing. An attacker can manipulate these pseudo-headers to force the server to make requests to arbitrary internal or external destinations, resulting in Server-Side Request Forgery (SSRF). This allows unauthorized access to internal resources, services behind firewalls, or cloud metadata endpoints that should not be publicly accessible.
Remediation
Implement strict validation and sanitization of HTTP/2 pseudo-headers at the reverse proxy level before forwarding requests to backend applications. Configure your reverse proxy to reject or normalize malformed or suspicious pseudo-header values.
For Nginx, ensure proper configuration:
# Explicitly define allowed host values
map $http_host $allowed_host {
default 0;
"example.com" 1;
"www.example.com" 1;
}
server {
listen 443 ssl http2;
# Reject requests with disallowed hosts
if ($allowed_host = 0) {
return 444;
}
# Use explicit proxy headers instead of relying on pseudo-headers
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $remote_addr;
}For Apache with mod_proxy:
# Enable strict header validation
ProxyPreserveHost Off
# Explicitly set forwarded headers
RequestHeader set X-Forwarded-Host "%{HTTP_HOST}e"
RequestHeader set X-Forwarded-Proto "https"Additionally, ensure backend applications do not blindly trust routing headers. Implement allowlists for valid routing destinations and validate all header values against expected patterns before using them for request routing decisions.