Reported

June 16, 2021

Issued

August 10, 2021 (last modified: June 13, 2023)

Package

actix-http (crates.io)

Type

Vulnerability

Keywords

#smuggling #http #reverse-proxy #request-smuggling

Aliases

• CVE-2021-38512
• GHSA-8928-2fgm-6x9x

CVSS Score

7.5 HIGH

CVSS Details

Attack vector

Network

Attack complexity

Low

Privileges required

None

User interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

None

Availability

None

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Patched

• ^2.2.1
• >=3.0.0-beta.9

Description

Affected versions of this crate did not properly detect invalid requests that could allow HTTP/1 request smuggling (HRS) attacks when running alongside a vulnerable front-end proxy server. This can result in leaked internal and/or user data, including credentials, when the front-end proxy is also vulnerable.

Popular front-end proxies and load balancers already mitigate HRS attacks so it is recommended that they are also kept up to date; check your specific set up. You should upgrade even if the front-end proxy receives exclusively HTTP/2 traffic and connects to the back-end using HTTP/1; several downgrade attacks are known that can also expose HRS vulnerabilities.

Advisory available under CC0-1.0 license.