HistoryEdit

RUSTSEC-2022-0022

Parser creates invalid uninitialized value

Reported
Issued
Package
hyper (crates.io)
Type
INFO Unsound
Details
https://github.com/hyperium/hyper/pull/2545
Patched
  • >=0.14.12

Description

Affected versions of this crate called mem::uninitialized() in the HTTP1 parser to create values of type httparse::Header (from the httparse crate). This is unsound, since Header contains references and thus must be non-null.

The flaw was corrected by avoiding the use of mem::uninitialized(), using MaybeUninit instead.