
RUSTSEC-2023-0085

HPACK decoder panics on invalid input

Reported
Issued
Package
hpack (crates.io)
Type
Vulnerability
Categories
Aliases
References
Patched
no patched versions

Description

Due to insufficient checking of input data, decoding certain data sequences can lead to Decoder::decode panicking rather than returning an error.

Example code that triggers this vulnerability looks like this:

use hpack::Decoder;

pub fn main() {
    // A single byte of input: 0x3f is 001 11111, i.e. a dynamic table size
    // update whose 5-bit integer prefix is all ones, so HPACK requires
    // continuation bytes that are not present.
    let input = &[0x3f];
    let mut decoder = Decoder::new();
    // Should return Err on truncated input; the unpatched crate panics here.
    let _ = decoder.decode(input);
}
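As an added illustration (not code from the hpack crate or from this advisory), the following is a bounds-checked HPACK integer decoder following RFC 7541 section 5.1. The advisory's input byte 0x3f starts a dynamic table size update whose 5-bit prefix is all ones, so the integer must continue into bytes that are absent; a decoder that reads through checked accessors returns an error on that input instead of panicking. The enum and function names are this example's own, and how the hpack crate itself reaches the panic is not stated on the page.

```rust
// Added example: a bounds-checked HPACK integer decoder (RFC 7541 section 5.1).
// Not the hpack crate's code; it shows the end-of-input and overflow checks
// that make truncated or oversized input a recoverable error, not a panic.

#[derive(Debug, PartialEq)]
pub enum DecodeError {
    /// The integer's continuation bytes run past the end of the buffer.
    Truncated,
    /// Too many continuation bytes for a u64 (also bounds the loop).
    IntegerOverflow,
}

/// Decode an HPACK integer starting at `buf[pos]` with an N-bit prefix
/// (`prefix_bits` in 1..=8). Returns the value and the index just past it.
pub fn decode_integer(buf: &[u8], pos: usize, prefix_bits: u32) -> Result<(u64, usize), DecodeError> {
    assert!((1..=8).contains(&prefix_bits), "prefix must be 1..=8 bits");
    let mask = ((1u16 << prefix_bits) - 1) as u8;
    // Every read goes through `get`, so a short buffer yields Err, never a panic.
    let first = *buf.get(pos).ok_or(DecodeError::Truncated)?;
    let mut value = u64::from(first & mask);
    let mut idx = pos + 1;
    if value < u64::from(mask) {
        return Ok((value, idx)); // fits in the prefix, no continuation bytes
    }
    let mut shift = 0u32;
    loop {
        // 7 bits per continuation byte; past shift 56 a chunk cannot fit in u64.
        if shift > 56 {
            return Err(DecodeError::IntegerOverflow);
        }
        let b = *buf.get(idx).ok_or(DecodeError::Truncated)?;
        idx += 1;
        let chunk = u64::from(b & 0x7f) << shift;
        value = value.checked_add(chunk).ok_or(DecodeError::IntegerOverflow)?;
        if b & 0x80 == 0 {
            return Ok((value, idx)); // high bit clear: last continuation byte
        }
        shift += 7;
    }
}

fn main() {
    // The advisory's input: 0x3f is 001 11111, a dynamic table size update
    // whose 5-bit prefix is all ones, so more bytes are required but absent.
    println!("{:?}", decode_integer(&[0x3f], 0, 5)); // Err(Truncated)
    // RFC 7541 C.1.2: 1337 encoded with a 5-bit prefix.
    println!("{:?}", decode_integer(&[0x1f, 0x9a, 0x0a], 0, 5)); // Ok((1337, 3))
}
```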

hpack is unmaintained. A crate with the panics fixed has been published as hpack-patched.

Also consider using fluke-hpack or httlib-huffman as an alternative.

Advisory available under CC0-1.0 license.