Fastly's Resilience to HTTP/1.1 Desynchronization Attacks

On August 6, 2025, Fastly published a security status update confirming our resilience to the HTTP/1.1 desynchronization attacks disclosed at Black Hat this week by James Kettle. His comprehensive analysis, HTTP/1.1 Must Die: The Desync Endgame, unveils novel attack classes that have exposed tens of millions of websites through critical vulnerabilities in major CDN infrastructures. 

These new attack vectors leverage HTTP/1.1's "fatal flaw" of weak request boundaries and multiple length specification methods, creating extreme ambiguity that attackers can exploit for site takeover, credential hijacking, and cache poisoning.

Given the severity of these findings, the question naturally arises: Is Fastly exposed?

We're happy to share that Fastly's platform is not vulnerable to the new or previously known HTTP/1.1 desync attack vectors discovered by security researchers.

Fastly's edge cloud platform processes 1.8 trillion HTTP requests daily*. While other CDNs and platforms had critical flaws impacting customers’ websites and services, Fastly's architecture protected against these attack vectors, continuing a multi-year track record of resistance to HTTP request smuggling vulnerabilities. Fastly’s unified network stack enables consistency in how we process requests and protects customers against attacks like these. Protocols and their interactions get more complex with each passing year. However, Fastly’s proactive security efforts at the architectural level have proven prescient as the industry grapples with new attacks year after year.

Fastly's Defense to HTTP/1.1 Desynchronization

The root cause of HTTP desynchronization, also known as HTTP request smuggling, is parser discrepancy, a mismatch in how different systems interpret HTTP requests due to variations in their parsing logic. Fastly eliminates this through architectural uniformity by having a single parsing implementation across the stack, creating no room for mismatched behavior and edge cases that create vulnerabilities.

Traditional CDN architectures suffer from cascading parser differences, with each translation introducing potential vulnerabilities (such as those disclosed at Black Hat). Where competitors simply "patched" vulnerabilities only to face new variants, Fastly's defensive implementation provides lasting protection (Image 1).

We fundamentally believe that band-aid solutions put an unfair burden on customers, forcing them to source their own protections against their own vendors’ vulnerabilities. Instead, Fastly has built protection into the architecture – it’s secure by design, so security isn’t an afterthought; it’s a foundation.  

History of Related Attacks

Our commitment to exceeding security requirements in protocol specifications has provided protection. Here’s a little trip down memory lane, as identified by PortSwigger Research’s talk and blog post, for related attacks:

• 2019: Immune to original CL.TE/TE.CL attacks others fell to

• 2021: Protected against H2.CL/H2.TE, while competitors scrambled to patch

• 2022: Unaffected by CL.0 attacks through mandatory validation

• 2024: Resilient to TE.0 and funky chunks vulnerabilities

• 2025: Confirmed immunity to Expect-based and 0.CL attacks worth $350,000+ in bounties elsewhere

While for some others, load balancers remain unpatched due to "compatibility concerns," and nginx lacks a viable 0.CL protection, Fastly's strict standards enforcement eliminates entire attack classes.

Raising the Bar for Secure HTTP Handling for High-Volume Customer Traffic

Fastly's HTTP processing pipeline implements defense-in-depth through integrated components:

• Request validation at the edge: We reject ambiguous HTTP/1.1 requests immediately, before any processing begins.

• Unified HTTP parsing: One parser across all components reduces inconsistencies.

• Strict normalization: Requests are cleaned up and reconstructed before being forwarded.

• Controlled protocol translation: We handle HTTP/2 and HTTP/3 downgrades to HTTP/1.1 in a consistent, secure way.

This is a sharp contrast to the mix-and-match proxy chains used by other CDNs, where inconsistent handling of HTTP versions led to serious vulnerabilities affecting millions of websites.

We believe the Internet Engineering Task Force (IETF) standards are the floor, not the ceiling, when it comes to protecting customer traffic. Our request validation follows RFC requirements to the letter, specifically helping us prevent attacks like this.

Where other CDNs paid out over $350,000 in bug bounties for issues tied to malformed headers, Fastly’s strict validation, like rejecting malformed Expect headers outright, stopped those attacks cold.

Fastly’s architecture preserves critical security assumptions end-to-end, protecting against advanced desync attacks like 0.CL and double-desync. For example, the vulnerability that hit a competitor’s CDN, which allowed widespread response hijacking, simply wouldn’t have been effective against Fastly’s architecture.

Bottom Line: Fastly’s Enduring Security

The security community, as demonstrated by PortSwigger Research, is endlessly diligent in the identification of flaws in critical Internet infrastructure. This week’s Black Hat revelations are the latest in a long line of such important vulnerability-finding efforts. Fundamental flaws in protocols and services can regularly expose millions of websites to compromise. Fastly will keep putting architectural protections first, taking on this responsibility for our customers.

Fastly continues to monitor evolving threats and adapt its defenses to ensure the highest level of security for our customers. Your web applications are safeguarded by our proactive approach and architectural resilience.

Stay tuned for our next blog where we’ll dive deeper into the growing threats of desync attacks, HTTP/1.1 challenges, and Fastly’s unique resilience. If you’re interested to learn more about how Fastly protects your applications from evolving threats, get in touch with one of our experts today.

* As of July 31, 2023