Bug ID 1029897: Malformed HTTP2 requests can be passed to HTTP/1.1 server-side pool members.

Last Modified: Feb 07, 2024

Affected Product(s):
BIG-IP LTM(all modules)

Known Affected Versions:
14.1.0,,,,,, 14.1.2,,,,,,,,, 14.1.3,, 14.1.4,,,,,, 15.1.0,,,,,, 15.1.1, 15.1.2,, 15.1.3,, 15.1.4,, 15.1.5, 16.0.0,, 16.0.1,,, 16.1.0, 16.1.1, 16.1.2,

Fixed In:
17.0.0,,,, 13.1.5

Opened: Jun 29, 2021

Severity: 3-Major

Related Article: K63312282


The BIG-IP system may pass malicious requests to server-side pool members.


Malicious HTTP/2 requests can be translated to HTTP/1 requests and sent to the pool member web server. Depending on the behavior of the pool member web server, This could result in unauthorized data injection in HTTP requests. When the affected virtual server is configured with the OneConnect profile, a malicious actor might be able to impact the responses sent to a different client.


1. The BIG-IP LTM has one or more virtual servers configured to proxy HTTP/2 requests from the client-side to HTTP/1 requests on the server-side. 2. An HTTP/2 client sends a request with one of the following issues and the BIG-IP passes it to the server-side pool members: a. H2.TE request line injection I. An HTTP/1 request embedded within an HTTP/2 pseudo-header value II. Individual carriage return (CR) or line feed (LF) allowed within an HTTP/2 pseudo-header b. Request line injection (folder traps) c. Request line injection (rule bypass)


You can configure the BIG-IP ASM system or Advanced WAF to block an HTTP/1 request that is embedded within an HTTP/2 pseudo header value from being sent to the backend server.

Fix Information

This has been fixed so that client requests are appropriately rejected by BIG-IP.

Behavior Change

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips