Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

RUSTSEC-2021-0079: Integer overflow in hyper's parsing of the Transfer-Encoding header leads to data loss #78

Open
standardtech-bot opened this issue Oct 6, 2021 · 0 comments

Comments

@standardtech-bot
Copy link

Integer overflow in hyper's parsing of the Transfer-Encoding header leads to data loss

Details
Package hyper
Version 0.12.36
URL GHSA-5h46-h7hh-c6x9
Date 2021-07-07
Patched versions >=0.14.10

When decoding chunk sizes that are too large, hyper's code would encounter an integer overflow. Depending on the situation,
this could lead to data loss from an incorrect total size, or in rarer cases, a request smuggling attack.

To be vulnerable, you must be using hyper for any HTTP/1 purpose, including as a client or server, and consumers must send
requests or responses that specify a chunk size greater than 18 exabytes. For a possible request smuggling attack to be possible,
any upstream proxies must accept a chunk size greater than 64 bits.

See advisory page for additional details.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

1 participant