RUSTSEC-2021-0079

Integer overflow in hyper's parsing of the Transfer-Encoding header leads to data loss

Reported

July 7, 2021

Issued

August 8, 2021 (last modified: October 19, 2021)

Package

hyper (crates.io)

Type

Vulnerability

Keywords

#http #parsing #data-loss

Aliases

References

https://github.com/hyperium/hyper/security/advisories/GHSA-5h46-h7hh-c6x9

CVSS Score

9.1 CRITICAL

CVSS Details

Attack vector: Network
Attack complexity: Low
Privileges required: None
User interaction: None
Scope: Unchanged
Confidentiality: None
Integrity: High
Availability: High

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H

Patched

>=0.14.10

Description

When decoding chunk sizes that are too large, hyper's code would encounter an integer overflow. Depending on the situation, this could lead to data loss from an incorrect total size, or in rarer cases, a request smuggling attack.

To be vulnerable, you must be using hyper for any HTTP/1 purpose, including as a client or server, and consumers must send requests or responses that specify a chunk size greater than 18 exabytes. For a possible request smuggling attack to be possible, any upstream proxies must accept a chunk size greater than 64 bits.

Advisory available under CC0-1.0 license.