The vulnerability in mtrudel bandit stems from the function 'Elixir.Bandit.Headers':get_content_length/1, which uses List.keyfind/3 to retrieve the Content-Length header but only considers the first occurrence. When an HTTP request contains two Content-Length headers with differing values, Bandit reads the body length based on the first header and treats the remaining bytes as a second pipelined request. According to RFC 9112 §6.3, such inconsistent headers should cause the recipient to reject the request as a framing error. However, if Bandit is behind a proxy that uses the last Content-Length header and forwards the request, attackers can exploit this discrepancy to smuggle HTTP requests past security mechanisms like edge WAFs, path-based ACLs, rate limiting, and audit logging. This vulnerability affects all versions of bandit before 1.11.0. No patch or official remediation level has been announced as of the publication date.

An unauthenticated attacker can exploit this vulnerability to smuggle HTTP requests past security controls such as web application firewalls, access control lists, rate limiting, and audit logging. This can lead to unauthorized access, bypass of security policies, and potential further exploitation depending on the backend application. The impact is limited to scenarios where Bandit is deployed behind a proxy that interprets duplicate Content-Length headers differently, enabling request smuggling attacks.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, administrators should consider deploying additional proxy or WAF configurations that reject or normalize requests with multiple conflicting Content-Length headers to prevent request smuggling. Monitoring for unusual request patterns involving duplicate Content-Length headers may also help detect exploitation attempts.