Affected versions of this crate did not properly detect invalid requests that could allow HTTP/1 request smuggling (HRS) attacks when running alongside a vulnerable front-end proxy server. This can result in leaked internal and/or user data, including credentials, when the front-end proxy is also vulnerable.

Popular front-end proxies and load balancers already mitigate HRS attacks so it is recommended that they are also kept up to date; check your specific set up. You should upgrade even if the front-end proxy receives exclusively HTTP/2 traffic and connects to the back-end using HTTP/1; several downgrade attacks are known that can also expose HRS vulnerabilities.

References

• https://nvd.nist.gov/vuln/detail/CVE-2021-38512
• actix/actix-web#2363
• actix/actix-web@e965d82
• https://rustsec.org/advisories/RUSTSEC-2021-0081.html
• https://raw.githubusercontent.com/rustsec/advisory-db/main/crates/actix-http/RUSTSEC-2021-0081.md
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/67URRW4K47SR6LNQB4YALPLGGQMQK7HO/