RUSTSEC-2026-0181

DoS vulnerability in HTTP/1.x chunked encoding parser triggered by maliciously crafted chunk lengths

Reported
Issued
Package
vibeio-http (crates.io)
Type
Vulnerability
Categories
Keywords
#http #DoS
References
Patched
  • >=0.3.2

Description

In affected versions of the vibeio-http crate, an attacker could send a crafted HTTP/1.x request with a large chunk length (between usize::MAX - 1 and usize::MAX inclusive), causing the server to crash (an integer overflow panic in debug builds, a split_to out-of-bounds panic in release builds).

This was fixed in vibeio-http 0.3.2 by returning an error if the chunk length exceeds usize::MAX - 2 (using checked_add() instead of the + operator), which prevents the integer overflow.
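The length arithmetic described above, as an added example that is not vibeio-http's own code: a chunk-size parser whose framed length is computed with checked_add(), next to what plain addition yields when overflow checks are off. All function and type names are hypothetical, and reading the "+ 2" as the CRLF that follows the chunk data is an assumption.

```rust
// Added example with hypothetical names; not taken from vibeio-http.
#[derive(Debug, PartialEq)]
enum ChunkError {
    InvalidHex,
    TooLarge,
}

/// Parse the hex size field of a chunk-size line; chunk extensions after ';' are ignored.
fn parse_chunk_size(line: &str) -> Result<usize, ChunkError> {
    let hex = line.split(';').next().unwrap_or("").trim();
    // Reject empty fields and anything from_str_radix would tolerate, such as a leading '+'.
    if hex.is_empty() || !hex.bytes().all(|b| b.is_ascii_hexdigit()) {
        return Err(ChunkError::InvalidHex);
    }
    // from_str_radix already fails for values that do not fit in usize.
    usize::from_str_radix(hex, 16).map_err(|_| ChunkError::TooLarge)
}

/// Bytes to consume for one chunk: the data plus 2 (assumed: the trailing CRLF).
/// Sizes above usize::MAX - 2 are rejected instead of overflowing.
fn framed_len_checked(size: usize) -> Result<usize, ChunkError> {
    size.checked_add(2).ok_or(ChunkError::TooLarge)
}

/// What `size + 2` evaluates to when overflow checks are disabled (release default).
/// With overflow checks enabled (debug default) the same expression panics.
fn framed_len_wrapping(size: usize) -> usize {
    size.wrapping_add(2)
}

fn main() {
    // Constructed sample chunk-size lines, including the boundary value.
    let max_hex = format!("{:x}", usize::MAX);
    for line in ["1a", "400;ext=1", max_hex.as_str()] {
        let size = parse_chunk_size(line).expect("constructed input is valid hex");
        println!(
            "{}: wrapping={} checked={:?}",
            line,
            framed_len_wrapping(size),
            framed_len_checked(size)
        );
    }
}
```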

Advisory available under CC0-1.0 license.