CVE-2024-23452: 
Homebrew vulnerability analysis and mitigation

A request smuggling vulnerability (CVE-2024-23452) was discovered in Apache bRPC's HTTP server component affecting versions 0.9.5 through 1.7.0 across all platforms. The vulnerability was disclosed on February 8, 2024, and stems from the HTTP parser's non-compliance with the RFC-7230 HTTP 1.1 specification (NVD, Security Online).

The vulnerability arises from the http_parser's improper handling of HTTP messages containing both Transfer-Encoding and Content-Length header fields. This non-compliance with RFC-7230 HTTP 1.1 specification creates a condition where request smuggling or response splitting becomes possible. The vulnerability has been assigned a CVSS v3.1 base score of 7.5 (HIGH) with a vector string of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N (NVD).

The vulnerability enables attackers to smuggle malicious requests through the system undetected. In a specific attack scenario, when a bRPC HTTP server on the backend receives requests through a persistent connection from a frontend server that uses Transfer-Encoding (TE) to parse requests, an attacker can exploit this to smuggle requests into the connection (Security Online).

Two mitigation options are available: 1) Upgrade to Apache bRPC version 1.8.0, which contains the fix for this vulnerability, or 2) Apply the patch available at GitHub PR #2518. The upgrade to version 1.8.0 is the recommended solution as it provides a comprehensive fix (NVD, GitHub Release).