A critical vulnerability in HTTP/2 protocol implementations allows attackers to bypass web security protections and execute arbitrary cross-site scripting (XSS) attacks against major websites.
At the Network and Distributed System Security (NDSS) Symposium 2025, Tsinghua University researchers presented their findings, which identify two new attack vectors dubbed “CrossPUSH” and “CrossSXG” that exploit fundamental weaknesses in HTTP/2 server push and Signed HTTP Exchange (SXG) mechanisms.
The attacks enable off-path attackers to circumvent the Same-Origin Policy (SOP), a cornerstone security mechanism designed to prevent malicious scripts from accessing data across different domains.
By exploiting shared TLS certificates and manipulating HTTP/2 authority headers, attackers can deliver malicious content that browsers incorrectly accept as legitimate same-origin resources.
HTTP/2 Authority Confusion Enables Cross-Origin Attacks
The vulnerability stems from a fundamental discrepancy between how browsers define “origin” versus how HTTP/2 defines “authority.”
While browsers use strict URI scheme/host/port tuples for same-origin policies, HTTP/2 considers any domain listed in the SubjectAlternativeName (SAN) of a TLS certificate as having the same authority.
In CrossPUSH attacks, malicious servers exploit the :authority pseudo-header in HTTP/2 server push streams.
Attackers can push resources claiming authority for victim domains by setting the :authority header to any domain listed in their shared certificate.
When users later visit the victim site, browsers serve the cached malicious content instead of requesting it from the legitimate server.
The attack implementation is straightforward using Node.js HTTP/2 frameworks: stream.pushStream({':authority': 'victim.com'}, callback) allows attackers to push malicious scripts that browsers accept as originating from victim.com.
Similarly, CrossSXG attacks manipulate the request-url and validity-url headers in Signed HTTP Exchanges to falsely present attacker-controlled content as originating from victim domains.
Browser and Application Vulnerabilities
Large-scale testing revealed alarming vulnerability rates across popular platforms. Researchers found that 11 out of 14 major browsers, including Chrome and Edge, are vulnerable to at least one attack variant.
The threat extends beyond browsers to mobile applications, with popular apps like Instagram, WeChat, QQ Mail, Weibo, and TikTok all showing susceptibility to these attacks.
The research identified that vulnerable software libraries, particularly Chrome-Net, can expose applications to attacks even when they use supposedly secure WebKit implementations.
This supply chain vulnerability means that security dependencies cascade through multiple applications and platforms.
The researchers demonstrated multiple practical methods for acquiring the shared certificates necessary for these attacks.
Domain reselling operations allow attackers to register domains, issue shared certificates, then sell the domains while retaining certificate control.
Domain takeover techniques exploit dangling DNS records pointing to discontinued services, enabling certificate acquisition for victim domains.
Measurements revealed over 11,741 domains in the Tranco Top 1M list had been resold within the attack window, while 4,919 dangling domains could be exploited for certificate acquisition.
Most concerning, 829 of the top 1,000 websites share certificates with lower-ranked, potentially less secure domains.
Security vendors including Huawei, Baidu, Microsoft, and Google have acknowledged the research findings and are implementing fixes.
The researchers recommend enforcing consistent authority validation in browsers, restricting shared certificates for SXG, and improving certificate management practices to mitigate these sophisticated cross-origin attack vectors.