CVE-2021-32715 — HTTP Request Smuggling in Hyper

CWE-444 — HTTP Request Smuggling8 documents6 sources

Severity

5.3MEDIUMNVD

EPSS

0.3%

top 47.13%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Hyperium Hyper Hyper Debian Rust-hyper +5 more

Timeline

PublishedJul 7

Latest updateSep 23

Description

hyper is an HTTP library for rust. hyper's HTTP/1 server code had a flaw that incorrectly parses and accepts requests with a `Content-Length` header with a prefixed plus sign, when it should have been rejected as illegal. This combined with an upstream HTTP proxy that doesn't parse such `Content-Length` headers, but forwards them, can result in "request smuggling" or "desync attacks". The flaw exists in all prior versions of hyper prior to 0.14.10, if built with `rustc` v1.5.0 or newer. The vuln…

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:NExploitability: 3.9 | Impact: 1.4

Affected Packages9 packages

▶debiandebian/rust-hyper< rust-hyper 0.14.19-1 (bookworm)

▶NVDhyper/hyper< 0.14.10

▶crates.iohyper/hyper0.0.0-0 — 0.14.10+1

▶CVEListV5hyperium/hyper< 0.14.10

▶msrcmsrc/azure_linux_3.0_arm

Patches

Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

OSV

Lenient Parsing of Content-Length Header When Prefixed with Plus Sign↗2021-07-12

▶

GHSA

Lenient Parsing of Content-Length Header When Prefixed with Plus Sign↗2021-07-12

▶

OSV

Lenient `hyper` header parsing of `Content-Length` could allow request smuggling↗2021-07-07

▶

OSV

CVE-2021-32715: hyper is an HTTP library for rust↗2021-07-07

▶

📋Vendor Advisories

Microsoft

Lenient Parsing of Content-Length Header When Prefixed with Plus Sign↗2021-07-13

▶

Debian

CVE-2021-32715: rust-hyper - hyper is an HTTP library for rust. hyper's HTTP/1 server code had a flaw that in...↗2021

▶

📄Research Papers

arXiv

Security Review of Ethereum Beacon Clients↗2021-09-23

▶