Request smuggling vulnerability in Proxygen

[kenballus]

I found a bug in Proxygen's HTTP parser that is usable to execute request smuggling attacks against Proxygen-based web services when they are running behind any of the following HTTP intermediary servers:

• Apache Traffic Server
• Google Cloud Classic Application Load Balancer
• Akamai

Unfortunately, I can't report this vulnerability without a Facebook account, which I don't have. Could someone from the Proxygen team please get in touch with me using email? My email address is at the bottom of my webpage.

Thanks!