CVE-2023-32762 - Qt Network HSTS Header Parsing Flaw Explained With Exploit Examples

In this post, we're diving deep into CVE-2023-32762, a major security issue affecting Qt's network module. If you use Qt (especially for embedded systems, browsers, or any app handling HTTPS), this CVE could leave your users exposed to man-in-the-middle attacks—*even when servers say not to allow insecure connections*.

Let’s see what went wrong, how you can test for it, and what code and versions are impacted.

What is CVE-2023-32762?

CVE-2023-32762 is a vulnerability in the way Qt Network handles the HTTP Strict Transport Security (HSTS) header. HSTS is a security policy sent in a response header from a server telling browsers and apps:  
*“Only ever use HTTPS, even if the user tries to connect over HTTP.”*

Qt’s affected versions failed in this when the case of the Strict-Transport-Security header didn’t match exactly. For example, if the server sent Strict-Transport-Security (RFC-compliant), everything worked; but if it sent strict-transport-security or STRICT-TRANSPORT-SECURITY, Qt would ignore the policy—leaving the app open to downgrade attacks.

6.3. through 6.5. (before 6.5.1)

Libraries and software using QtNetwork may be affected, including custom browsers, IoT devices, and productivity tools.

How did this Happen? The Root Cause

The HTTP standard says header names aren’t case sensitive. But Qt's code *messed up*: it compared the header for strict-transport-security case-sensitively.

Here’s a simplified code snippet demonstrating the issue

// Pseudocode for how Qt handled headers (before the fix)
QString hstsHeader = "Strict-Transport-Security";
QMap<QString, QString> responseHeaders = ...; // Populated from server

if (responseHeaders.contains(hstsHeader)) {
    // HSTS is enforced
    enableHSTS();
} else {
    // Oops, the header was there, but in a different case!
    disableHSTS();
}

If the response was

strict-transport-security: max-age=63072000; includeSubDomains

Qt didn't recognize it (because of the lowercase 's'). This directly violates RFC 723 §3.2 stating that header field names are case-insensitive.

Here’s how an attacker could exploit this flaw

1. Intercept Traffic:  
An attacker sits on the same network as a victim (think open Wi-Fi).

2. Spoof the HSTS Header:  
The attacker proxies server responses and changes the header to strict-transport-security.

3. Downgrade the Connection:  
After the first visit over HTTPS, the app *doesn’t record* that this domain should always use HTTPS because it missed the case-sensitive header match. If the victim tries to connect over HTTP later, Qt allows it—*exposing all the sensitive data*.

Want to see it in action? Let’s reproduce this with a simple Qt app

#include <QCoreApplication>
#include <QNetworkAccessManager>
#include <QNetworkReply>

int main(int argc, char *argv[])
{
    QCoreApplication a(argc, argv);
    QNetworkAccessManager mgr;

    QObject::connect(&mgr, &QNetworkAccessManager::finished, [&](QNetworkReply *reply) {
        auto headers = reply->rawHeaderPairs();
        for (auto header : headers) {
            if (header.first.compare("Strict-Transport-Security", Qt::CaseSensitive) == ) {
                qDebug() << "HSTS header found, enforcing.";
            }
        }
        reply->deleteLater();
        a.quit();
    });

    QNetworkRequest req(QUrl("https://your-test-server";));
    mgr.get(req);
    return a.exec();
}

Now, send a response from your server with the header in a lowercased or uppercased form. With a vulnerable Qt version, the above code will ignore strict-transport-security (lowercase), showing you the flaw.

Official Fix and Patch Links

The Qt team fixed this by making header comparisons case-insensitive. If you manage Qt-based apps, upgrade immediately:

Qt 6.2: Update to 6.2.9 or later

- Qt 6.3/6.4/6.5: Update to 6.5.1 or later

References

- Qt Security Advisory *(official page)*
- NVD entry for CVE-2023-32762
- Upstream Qt patch (GitHub) *(hypothetical; replace with real commit)*

Example fix

if (header.first.compare("Strict-Transport-Security", Qt::CaseInsensitive) == ) {
    // Now matches any case variation
    enforceHSTS();
}

Conclusion

CVE-2023-32762 is a clear reminder that *even small* mistakes, like mixing up uppercase and lowercase, can lead to *major* security failures. If you use Qt for networking, patch fast and double-check your own header handling code!

Further Reading

- HTTP Strict Transport Security (HSTS) Explained
- RFC 723 - Section 3.2 (Header case-insensitivity)
- Qt Network Module Documentation


*This article is exclusive to you! For sharing, credit the author and provide a link to original references above.*

Timeline

Published on: 05/28/2023 23:15:00 UTC
Last modified on: 06/03/2023 03:57:00 UTC