RUSTSEC-2021-0020: Multiple Transfer-Encoding headers misinterprets request payload


> Multiple Transfer-Encoding headers misinterprets request payload

| Details             |                                                |
| ------------------- | ---------------------------------------------- |
| Package             | `hyper`                      |
| Version             | `0.12.35`                   |
| URL                 | [https://github.com/hyperium/hyper/security/advisories/GHSA-6hfq-h8hq-87mf](https://github.com/hyperium/hyper/security/advisories/GHSA-6hfq-h8hq-87mf) |
| Date                | 2021-02-05                         |
| Patched versions    | `>=0.14.3,>=0.13.10, <0.14.0`                  |
| Unaffected versions | `<0.12.0`               |

hyper&#39;s HTTP server code had a flaw that incorrectly understands some requests
with multiple transfer-encoding headers to have a chunked payload, when it
should have been rejected as illegal. This combined with an upstream HTTP proxy
that understands the request payload boundary differently can result in
&quot;request smuggling&quot; or &quot;desync attacks&quot;.

See [advisory page](https://rustsec.org/advisories/RUSTSEC-2021-0020.html) for additional details.


Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Uh oh!

RUSTSEC-2021-0020: Multiple Transfer-Encoding headers misinterprets request payload #63

Metadata

Assignees

Labels

Projects

Milestone

Relationships

Development

Details
Package	`hyper`
Version	`0.12.35`
URL	GHSA-6hfq-h8hq-87mf
Date	2021-02-05
Patched versions	`>=0.14.3,>=0.13.10, <0.14.0`
Unaffected versions	`<0.12.0`

Uh oh!

RUSTSEC-2021-0020: Multiple Transfer-Encoding headers misinterprets request payload #63

Description

Metadata

Metadata

Assignees

Labels

Projects

Milestone

Relationships

Development

Issue actions