Reported

January 23, 2017

Issued

October 1, 2020 (last modified: June 13, 2023)

Package

hyper (crates.io)

Type

Vulnerability

Aliases

• CVE-2017-18587
• GHSA-q89x-f52w-6hj2

References

• https://github.com/hyperium/hyper/wiki/Security-001

CVSS Score

5.3 MEDIUM

CVSS Details

Attack vector

Network

Attack complexity

Low

Privileges required

None

User interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

Low

Availability

None

CVSS Vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Patched

• >=0.10.2
• <0.10.0, >=0.9.18

Description

Serializing of headers to the socket did not filter the values for newline bytes (\r or \n), which allowed for header values to split a request or response. People would not likely include newlines in the headers in their own applications, so the way for most people to exploit this is if an application constructs headers based on unsanitized user input.

This issue was fixed by replacing all newline characters with a space during serialization of a header value.

Advisory available under CC0-1.0 license.