OptionsBleed Went Unnoticed for Over Three Years Since First Described by WS-DL Researchers

Web Science and Digital Libraries researchers at Old Dominion University, USA, inadvertently documented #OptionsBleed in a technical report more than three years before it was known.


  1. We, at Web Science and Digital Libraries (WS-DL) Research Lab, Old Dominion University, USA, published a technical report on arXiv.org in May, 2014, about the support for various HTTP methods on the web. In one section of the paper we described various malformed "Allow" headers with some hand-picked illustrations.
  2. Fast forward three and a half years, Hanno Böck from the Fuzzing Project noticed similar malformed Allow headers in his experiment. He realized that one of those malformations could possibly be a use-after-free vulnerability, similar to Heartbleed. He investigated the root cause and named the vulnerability as Optionsbleed which was recognized as CVE-2017-9798.
  3. I, Sawood Alam, read the security vulnerability announcement and realized that it is talking about the issue we observed and published before. So, I commented there with the link to our technical report. Hanno took notice of it and wrote a follow-up post.
  4. However, we acknowledge that although we noticed malformed "Allow" headers and documented them, we did not realize it as a potential security vulnerability, instead, we though it was just some configuration weirdness.
  5. Many technology and security related news sites and blogs covered this story in various languages.