Reported

November 16, 2019

Issued

October 1, 2020 (last modified: June 13, 2023)

Package

http (crates.io)

Type

Vulnerability

Categories

• denial-of-service

Keywords

#http #integer-overflow #DoS

Aliases

• CVE-2019-25008
• CVE-2020-25574
• GHSA-x7vr-c387-8w57
• GHSA-xvc9-xwgj-4cq9

References

• https://github.com/hyperium/http/issues/352

CVSS Score

7.5 HIGH

CVSS Details

Attack vector

Network

Attack complexity

Low

Privileges required

None

User interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Patched

• >=0.1.20

Affected Functions

Version

http::header::HeaderMap::reserve

• <0.1.20

Description

HeaderMap::reserve() used usize::next_power_of_two() to calculate the increased capacity. However, next_power_of_two() silently overflows to 0 if given a sufficiently large number in release mode.

If the map was not empty when the overflow happens, the library will invoke self.grow(0) and start infinite probing. This allows an attacker who controls the argument to reserve() to cause a potential denial of service (DoS).

The flaw was corrected in 0.1.20 release of http crate.

Advisory available under CC0-1.0 license.