RUSTSEC-2020-0031: tiny_http: HTTP Request smuggling through malformed Transfer Encoding headers

Description

HTTP pipelining issues and request smuggling attacks are possible due to incorrect Transfer encoding header parsing.

It is possible conduct HTTP request smuggling attacks (CL:TE/TE:TE) by sending invalid Transfer Encoding headers.

By manipulating the HTTP response the attacker could poison a web-cache, perform an XSS attack, or obtain sensitive information from requests other than their own.

More Info

https://github.com/tiny-http/tiny-http/issues/173

Patched Versions