Researchers from Tsinghua University have uncovered critical vulnerabilities in the HTTP/2 protocol that allow attackers to bypass standard web security protections and execute cross-site scripting (XSS) attacks. These findings were presented at the 2025 Network and Distributed System Security (NDSS) Symposium.
New Attack Vectors: CrossPUSH and CrossSXG
The research introduces two novel attack methods, named CrossPUSH and CrossSXG, which take advantage of weaknesses in HTTP/2 server push and Signed HTTP Exchanges (SXG). These techniques allow attackers to trick browsers into accepting malicious content as if it came from trusted websites.
The flaw lets attackers bypass the Same-Origin Policy (SOP), the core browser security rule that stops a script loaded from one origin (scheme, host, and port) from accessing content belonging to another.
How the Exploit Works
The issue arises from a mismatch between how web browsers define a website’s “origin” and how HTTP/2 defines “authority.” Browsers treat the exact combination of scheme, host, and port as the security boundary, whereas HTTP/2 connection reuse treats every host name covered by the TLS certificate’s SubjectAlternativeName (SAN) as an equally valid authority on that connection.
In a CrossPUSH attack, an attacker uses the :authority pseudo-header in HTTP/2 to push malicious content under the name of a trusted domain. For example, by pushing a script using stream.pushStream({':authority': 'victim.com'}, callback), the browser mistakenly accepts the malicious file as if it came from victim.com.
CrossSXG attacks manipulate the headers of a Signed HTTP Exchange to deliver harmful content disguised as legitimate, using false request-url and validity-url values.
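As an added illustration (not code from the paper or from any browser), the following models the decision a client makes when a PUSH_PROMISE names an :authority other than the host it connected to, comparing the certificate-based rule that CrossPUSH abuses with the exact-origin rule the researchers recommend. The host names, the connection object and the policy labels are this example's own assumptions.

```javascript
// Added example, not code from the NDSS paper or from any browser. It models a
// client's decision on a PUSH_PROMISE whose :authority is not the host it connected
// to; the names connection, certSan and policy are this example's own assumptions.
// Origin as browsers define it: exact scheme + host + port.
function originOf(scheme, host, port) {
  return `${scheme}://${host.toLowerCase()}:${port}`;
}

// Split an HTTP/2 :authority into host and port (IPv6 literals not handled).
function splitAuthority(authority, scheme) {
  const m = /^([^:]+)(?::(\d+))?$/.exec(authority);
  if (!m) throw new Error(`malformed :authority ${authority}`);
  return [m[1], m[2] ? Number(m[2]) : scheme === 'https' ? 443 : 80];
}

// Certificate-based rule: any SAN entry (exact or single-label wildcard) that
// covers the host makes it an acceptable authority. This is what CrossPUSH abuses.
function coveredBySan(host, certSan) {
  host = host.toLowerCase();
  return certSan.some((san) => {
    san = san.toLowerCase();
    if (!san.startsWith('*.')) return san === host;
    const suffix = san.slice(1); // "*.example" -> ".example"
    const label = host.slice(0, -suffix.length);
    return host.endsWith(suffix) && label.length > 0 && !label.includes('.');
  });
}

// 'san': accept any name the connection's certificate covers.
// 'origin': accept only the exact origin the connection was opened for, which is
// the strict authority validation the researchers recommend.
function acceptPush(push, connection, policy) {
  const [host, port] = splitAuthority(push[':authority'], push[':scheme']);
  if (policy === 'origin') return originOf(push[':scheme'], host, port) === connection.origin;
  if (policy === 'san') return push[':scheme'] === 'https' && coveredBySan(host, connection.certSan);
  throw new Error(`unknown policy ${policy}`);
}

// Constructed scenario: a connection to other.example whose certificate also lists
// victim.example in its SAN receives a push that claims to be victim.example.
function demoScenario() {
  const connection = { origin: originOf('https', 'other.example', 443),
                       certSan: ['other.example', 'victim.example'] };
  const push = { ':scheme': 'https', ':authority': 'victim.example', ':path': '/app.js' };
  return { lenient: acceptPush(push, connection, 'san'),
           strict: acceptPush(push, connection, 'origin') };
}
console.log(demoScenario()); // { lenient: true, strict: false }
```

Under the lenient rule the pushed script is attributed to victim.example; under the exact-origin rule the same push is rejected.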
Browsers and Apps Affected
Testing revealed that 11 out of 14 major browsers, including Chrome and Edge, are vulnerable to at least one of these attack types. The threat also impacts mobile apps like Instagram, WeChat, QQ Mail, Weibo, and TikTok.
The problem often originates in networking libraries such as Chrome-Net, which carry the vulnerable HTTP/2 handling into apps even when those apps are otherwise built on the more secure WebKit-based browser engines.
Certificate Abuse and Domain Takeover
Attackers can easily obtain the shared certificates required for these exploits. One method involves buying and reselling domains while keeping the certificate valid. Another technique uses “dangling” DNS records to hijack subdomains and request certificates.
Researchers found over 11,000 domains in the Tranco Top 1 Million list that had been resold during the test period, and nearly 5,000 dangling domains could be exploited. Alarmingly, 829 of the world’s top 1,000 websites share certificates with less secure domains, raising the risk of widespread exploitation.
Industry Response and Recommendations
Major tech firms including Microsoft, Google, Baidu, and Huawei have acknowledged the findings and are working on security fixes. The researchers urge browser developers to enforce strict authority validation rules and restrict the use of shared certificates for SXG content.
They also recommend better certificate management and auditing practices to prevent domain misuse and to block unauthorized certificate re-use across unrelated domains.