CVSS2: 4.3 Medium
Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N
Attack Vector: NETWORK
Attack Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: NONE
Integrity Impact: PARTIAL
Availability Impact: NONE

CVSS3: 5.3 Medium
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: LOW
Availability Impact: NONE

EPSS: 0.001 Low
Percentile: 38.8%
hyper’s HTTP/1 server code had a flaw that incorrectly parses and accepts requests with a Content-Length header with a prefixed plus sign, when it should have been rejected as illegal. This, combined with an upstream HTTP proxy that doesn’t parse such Content-Length headers but forwards them, can result in “request smuggling” or “desync attacks”.
The flaw exists in all prior versions of hyper, if built with rustc v1.5.0 or newer.
Example:
GET / HTTP/1.1
Host: example.com
Content-Length: +3
abc
This request gets accepted and hyper reads the body as abc. The request should be rejected, according to RFC 7230, since the ABNF for Content-Length only allows for DIGITs. This is due to using the FromStr implementation for u64 in the standard library. By differing from the spec, it is possible to send requests like these to endpoints that have different HTTP implementations, with different interpretations of the payload semantics, and cause “desync attacks”.
In this particular case, an upstream proxy would need to error when parsing the Content-Length, but not reject the request (swallowing its own error), and forward the request as-is with the Content-Length still included. Then the upstream proxy and hyper would disagree on the length of the request body. The combination of these factors would be extremely rare.
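The parsing difference the advisory describes, as an added example that is not hyper's code or the advisory's: the permissive `u64` parse that accepts "+3" beside a Content-Length check restricted to the RFC 7230 grammar (1*DIGIT), applied to a raw request head so a server or proxy can reject such a request instead of forwarding it. The function names and the sample request head are constructed for this example.

```rust
/// The permissive path: `str::parse::<u64>()` accepts a leading '+' (std
/// integer parsing since rustc 1.5.0), so "+3" becomes 3.
pub fn lenient_content_length(value: &str) -> Option<u64> {
    value.trim().parse::<u64>().ok()
}

/// RFC 7230-conformant: after stripping optional whitespace (SP / HTAB)
/// around the field value, it must be one or more ASCII digits. A sign,
/// an empty value or an overflowing number is rejected.
pub fn strict_content_length(value: &str) -> Option<u64> {
    let v = value.trim_matches(|c: char| c == ' ' || c == '\t');
    if v.is_empty() || !v.bytes().all(|b| b.is_ascii_digit()) {
        return None;
    }
    v.parse::<u64>().ok()
}

/// Validate the Content-Length of a raw request head (CRLF-separated header
/// lines, terminated by an empty line). Returns the declared body length, or
/// an error that a server or proxy should answer with 400 instead of
/// forwarding the request unchanged (forwarding it is what enables a desync).
pub fn declared_body_length(head: &str) -> Result<u64, &'static str> {
    let mut found: Option<u64> = None;
    for line in head.split("\r\n").skip(1) { // skip the request line
        if line.is_empty() {
            break; // end of the header block
        }
        let (name, value) = match line.split_once(':') {
            Some(pair) => pair,
            None => return Err("malformed header line"),
        };
        if name.eq_ignore_ascii_case("content-length") {
            let n = strict_content_length(value).ok_or("invalid Content-Length")?;
            if let Some(prev) = found {
                if prev != n {
                    return Err("conflicting Content-Length");
                }
            }
            found = Some(n);
        }
    }
    Ok(found.unwrap_or(0)) // no Content-Length on a request means no body
}

fn main() {
    // Constructed sample: the advisory's request written as a raw head.
    let head = "GET / HTTP/1.1\r\nHost: example.com\r\nContent-Length: +3\r\n\r\n";
    println!("strict: {:?}, lenient: {:?}", declared_body_length(head), lenient_content_length("+3"));
}
```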
Read more about desync attacks: https://portswigger.net/research/http-desync-attacks-request-smuggling-reborn
To determine if vulnerable, all these things must be true:
Content-Length header, OR can parse the length with the plus sign, the desync attack cannot succeed.
We have released the following patch versions:
Besides upgrading hyper, you can take the following options:
Content-Length header.
Content-Length headers with a plus sign prefix.
This issue was initially reported by Mattias Grenfeldt and Asta Olofsson.
github.com/advisories/GHSA-f3pg-qwvg-p99c
github.com/hyperium/hyper/commit/1fb719e0b61a4f3d911562a436a2ff05fd7cb759
github.com/hyperium/hyper/security/advisories/GHSA-f3pg-qwvg-p99c
github.com/rust-lang/rust/pull/28826/commits/123a83326fb95366e94a3be1a74775df4db97739
nvd.nist.gov/vuln/detail/CVE-2021-32715
rustsec.org/advisories/RUSTSEC-2021-0078.html