RUSTSEC-2026-0174

Authorization::value and WwwAuthenticate::value can violate ASCII invariants

Reported
Issued
Package: http-types (crates.io)
Type: INFO Notice
Keywords: #header #ascii #invalid-utf-8
References
Patched: no patched versions

Description

Authorization::value uses HeaderValue::value with the claim that the internal string is ASCII, but Authorization::new and Authorization::set_credentials accept arbitrary String credentials without validation. As a result, safe code can construct a header value containing non-ASCII UTF-8 while the implementation assumes ASCII.

WwwAuthenticate::new and WwwAuthenticate::set_realm similarly accept arbitrary String input, so WwwAuthenticate::value can also produce a header value that violates the crate’s documented ASCII invariants.

This issue has not been confirmed as Undefined Behavior, but the unsafe justification in Authorization::value and WwwAuthenticate::value appears incorrect and can produce values outside the expected ASCII-only constraints.

The http-types crate is unmaintained and the issue is unlikely to be fixed.
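
The pattern described above, modelled as an added example that is not code from http-types: `AsciiValue`, `AuthHeader` and their methods are hypothetical stand-ins, and the `<scheme> <credentials>` layout is an assumption. It contrasts a safe method that asserts ASCII without checking with a constructor that validates and reports the byte offset of the first non-ASCII byte.

```rust
// Added example: stand-in model, not http-types source. All names are hypothetical.

/// Stand-in for a header value type whose documented invariant is "ASCII only".
#[derive(Debug, PartialEq)]
pub struct AsciiValue(String);

impl AsciiValue {
    /// Checked constructor; on failure returns the byte offset of the first non-ASCII byte.
    pub fn new(s: String) -> Result<Self, usize> {
        match s.bytes().position(|b| !b.is_ascii()) {
            Some(offset) => Err(offset),
            None => Ok(AsciiValue(s)),
        }
    }
    /// # Safety
    /// The caller must guarantee that `s` contains only ASCII bytes.
    pub unsafe fn new_unchecked(s: String) -> Self {
        AsciiValue(s)
    }
    pub fn as_str(&self) -> &str { &self.0 }
}

/// Stand-in for a typed header that stores caller-supplied credentials unvalidated.
pub struct AuthHeader {
    pub scheme: &'static str,
    pub credentials: String,
}

impl AuthHeader {
    /// The questioned pattern: a safe method that asserts ASCII it never checked.
    pub fn value_unvalidated(&self) -> AsciiValue {
        let s = format!("{} {}", self.scheme, self.credentials);
        // SAFETY: (incorrect) nothing has verified that `credentials` is ASCII.
        unsafe { AsciiValue::new_unchecked(s) }
    }
    /// Checked alternative: validate when the value is built and surface the error.
    pub fn value_checked(&self) -> Result<AsciiValue, usize> {
        AsciiValue::new(format!("{} {}", self.scheme, self.credentials))
    }
}

fn main() {
    // Constructed sample credentials: one ASCII, one containing a two-byte UTF-8 character.
    for creds in ["dXNlcjpwYXNz", "pässword"] {
        let h = AuthHeader { scheme: "Basic", credentials: creds.to_string() };
        println!("{:?} -> unvalidated ascii: {}, checked: {:?}", creds,
            h.value_unvalidated().as_str().is_ascii(), h.value_checked());
    }
}
```

With no patched version available, callers can apply the same `is_ascii` check to credentials and realm strings before they reach `Authorization::new`, `Authorization::set_credentials`, `WwwAuthenticate::new` or `WwwAuthenticate::set_realm`.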

Advisory available under CC0-1.0 license.