Reported

September 15, 2023

Issued

March 15, 2024 (last modified: April 11, 2024)

Package

hpack (crates.io)

Type

Vulnerability

Categories

• denial-of-service

Aliases

• GHSA-w7hm-hmxv-pvhf

References

• https://github.com/mlalic/hpack-rs/issues/11
• https://github.com/sno2/hpack-rs-patched/commit/d669282924a95311599e9e7dd53869ee96b3a2f5

Patched

no patched versions

Description

Due to insufficient checking of input data, decoding certain data sequences can lead to Decoder::decode panicking rather than returning an error.

Example code that triggers this vulnerability looks like this:

use hpack::Decoder;

pub fn main() {
  let input = &[0x3f];
  let mut decoder = Decoder::new();
  let _ = decoder.decode(input);
}

hpack is unmaintained. A crate with the panics fixed has been published as hpack-patched.

Also consider using fluke-hpack or httlib-huffman as an alternative.

Advisory available under CC0-1.0 license.