Security
Headlines
HeadlinesLatestCVEs

Headline

GHSA-w7hm-hmxv-pvhf: HPACK decoder panics on invalid input

Due to insufficient checking of input data, decoding certain data sequences can lead to Decoder::decode panicking rather than returning an error.

Example code that triggers this vulnerability looks like this:

use hpack::Decoder;

pub fn main() {
  let input = &[0x3f];
  let mut decoder = Decoder::new();
  let _ = decoder.decode(input);
}

hpack is unmaintained. A crate with the panics fixed has been published as hpack-patched.

Also consider using fluke-hpack or httlib-huffman as an alternative.

ghsa
Open in Source
#vulnerability#git

Package

cargo hpack (Rust)

Affected versions

<= 0.3.0

Patched versions

None

Description

Due to insufficient checking of input data, decoding certain data sequences can lead to Decoder::decode panicking rather than returning an error.

Example code that triggers this vulnerability looks like this:

use hpack::Decoder;

pub fn main() { let input = &[0x3f]; let mut decoder = Decoder::new(); let _ = decoder.decode(input); }

hpack is unmaintained. A crate with the panics fixed has been published as hpack-patched.

Also consider using fluke-hpack or httlib-huffman as an alternative.

References

  • mlalic/hpack-rs#11
  • sno2/hpack-rs-patched@d669282
  • https://rustsec.org/advisories/RUSTSEC-2023-0085.html

Published to the GitHub Advisory Database

Apr 5, 2024

Reviewed

Apr 5, 2024

Last updated

Apr 5, 2024

ghsa: Latest News

GHSA-mqf3-qpc3-g26q: Silverstripe Framework has a Reflected Cross Site Scripting (XSS) in error message
ghsa