Headline
GHSA-f8vr-r385-rh5r: hyper and h2 vulnerable to denial of service
Package
h2
Affected versions
<= 0.3.16
Description
hyper is an HTTP library for Rust and h2 is an HTTP/2 client and server implementation for Rust. An issue was discovered in hyper v0.13.7 and h2 v0.2.4 when processing HEADERS frames. Both packages handle HTTP/2 RST_STREAM frames incorrectly: the memory held for a stream is not always released immediately when the reset frame is received, so state for reset streams accumulates (stream stacking). As a result, memory and CPU usage grow, which can lead to a denial of service (DoS).
As of the time of publication of this advisory, there is no evidence that a fix has been incorporated into hyper or h2.
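The stacking behaviour described above, as an added example that is not code from hyper or h2: a minimal HTTP/2 frame encoder and parser (frame layout per RFC 9113 section 4.1) feeds a constructed burst of HEADERS frames, each followed by a RST_STREAM for the same stream, into a toy server-side stream table. With `release_on_reset = false` the table models the reported behaviour (per-stream state survives the reset until the application accepts the stream); with `true` it models the expected behaviour (the reset frees the state at once). The `StreamTable` type, the `build_reset_burst` helper and the placeholder HEADERS payload are assumptions of this example, not h2's API.

```rust
// Added example, not hyper or h2 code. Models the stream stacking described in
// GHSA-f8vr-r385-rh5r: a HEADERS frame opens a stream that waits in a
// pending-accept queue; a RST_STREAM from the peer should release it right away.
use std::collections::{HashMap, VecDeque};

const FRAME_HEADERS: u8 = 0x1;
const FRAME_RST_STREAM: u8 = 0x3;
const FLAG_END_STREAM: u8 = 0x1;
const FLAG_END_HEADERS: u8 = 0x4;

#[derive(Debug, Clone, PartialEq, Eq)]
pub struct Frame {
    pub kind: u8,
    pub flags: u8,
    pub stream_id: u32,
    pub payload: Vec<u8>,
}

/// Serialize one frame: 24-bit length, type, flags, 31-bit stream id, payload.
pub fn encode_frame(kind: u8, flags: u8, stream_id: u32, payload: &[u8]) -> Vec<u8> {
    let len = payload.len();
    assert!(len < (1 << 24), "payload exceeds 2^24-1 bytes");
    let mut out = Vec::with_capacity(9 + len);
    out.extend_from_slice(&[(len >> 16) as u8, (len >> 8) as u8, len as u8, kind, flags]);
    out.extend_from_slice(&(stream_id & 0x7fff_ffff).to_be_bytes());
    out.extend_from_slice(payload);
    out
}

/// Parse back-to-back frames; returns None if the buffer is truncated.
pub fn parse_frames(mut buf: &[u8]) -> Option<Vec<Frame>> {
    let mut frames = Vec::new();
    while !buf.is_empty() {
        let hdr = buf.get(..9)?;
        let len = ((hdr[0] as usize) << 16) | ((hdr[1] as usize) << 8) | hdr[2] as usize;
        let body = buf.get(9..9 + len)?;
        frames.push(Frame {
            kind: hdr[3],
            flags: hdr[4],
            stream_id: u32::from_be_bytes([hdr[5] & 0x7f, hdr[6], hdr[7], hdr[8]]), // drop reserved bit
            payload: body.to_vec(),
        });
        buf = &buf[9 + len..];
    }
    Some(frames)
}

/// Constructed sample traffic (assumption): `n` client streams (odd ids), each
/// opened with HEADERS and immediately cancelled with RST_STREAM(CANCEL = 0x8).
/// The HEADERS payload is a placeholder, not real HPACK; only frame types matter here.
pub fn build_reset_burst(n: u32) -> Vec<u8> {
    let mut wire = Vec::new();
    for i in 0..n {
        let id = 2 * i + 1;
        wire.extend(encode_frame(FRAME_HEADERS, FLAG_END_HEADERS | FLAG_END_STREAM, id, b"<hpack>"));
        wire.extend(encode_frame(FRAME_RST_STREAM, 0, id, &8u32.to_be_bytes()));
    }
    wire
}

/// Toy server-side stream table (assumption, not h2's): streams wait in
/// `pending_accept` until the application calls `accept`; the stored header
/// bytes stand in for whatever per-stream state the server keeps.
pub struct StreamTable {
    release_on_reset: bool,
    streams: HashMap<u32, Vec<u8>>,
    pending_accept: VecDeque<u32>,
    pub peak_resident: usize,
}

impl StreamTable {
    pub fn new(release_on_reset: bool) -> Self {
        StreamTable { release_on_reset, streams: HashMap::new(), pending_accept: VecDeque::new(), peak_resident: 0 }
    }

    pub fn recv(&mut self, f: &Frame) {
        match f.kind {
            FRAME_HEADERS if f.stream_id != 0 => {
                self.streams.insert(f.stream_id, f.payload.clone());
                self.pending_accept.push_back(f.stream_id);
            }
            FRAME_RST_STREAM if f.stream_id != 0 && self.release_on_reset => {
                // Expected behaviour: the reset frees the stream and its accept slot now.
                self.streams.remove(&f.stream_id);
                self.pending_accept.retain(|&id| id != f.stream_id);
            }
            // Reported behaviour (release_on_reset == false): a reset frees nothing
            // until the application accepts the stream, so reset streams stack up.
            _ => {}
        }
        self.peak_resident = self.peak_resident.max(self.streams.len());
    }

    /// Application side: take the next pending stream (may already be reset).
    pub fn accept(&mut self) -> Option<u32> {
        let id = self.pending_accept.pop_front()?;
        self.streams.remove(&id);
        Some(id)
    }

    pub fn resident(&self) -> usize {
        self.streams.len()
    }
}

/// Feed a wire buffer into a table while the application accepts nothing;
/// returns (streams resident at the end, peak resident streams).
pub fn run(wire: &[u8], release_on_reset: bool) -> (usize, usize) {
    let mut table = StreamTable::new(release_on_reset);
    for f in parse_frames(wire).expect("sample is well-formed") {
        table.recv(&f);
    }
    (table.resident(), table.peak_resident)
}
```

With 500 HEADERS/RST_STREAM pairs and an application that has not yet accepted anything, `run(&wire, false)` ends with all 500 streams resident, while `run(&wire, true)` never holds more than one. For an operator exposing hyper or h2 servers to untrusted HTTP/2 clients, a connection that opens and resets streams at a high rate while the resident stream count climbs is the pattern to watch for.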
References
- https://nvd.nist.gov/vuln/detail/CVE-2023-26964
- hyperium/hyper#2877
- hyperium/h2#621
Published to the GitHub Advisory Database
Apr 11, 2023
Last updated
Apr 11, 2023
Related news
An issue was discovered in hyper v0.13.7 and h2 v0.2.4. Stream stacking occurs when the h2 component processes HTTP/2 RST_STREAM frames. As a result, memory and CPU usage are high, which can lead to a Denial of Service (DoS).