Skip to content

HPACK decoder panics on invalid input

High severity GitHub Reviewed Published Apr 5, 2024 to the GitHub Advisory Database • Updated Apr 5, 2024

Package

cargo hpack (Rust)

Affected versions

<= 0.3.0

Patched versions

None

Description

Due to insufficient checking of input data, decoding certain data sequences can lead to Decoder::decode panicking rather than returning an error.

Example code that triggers this vulnerability looks like this:

use hpack::Decoder;

pub fn main() {
  let input = &[0x3f];
  let mut decoder = Decoder::new();
  let _ = decoder.decode(input);
}

hpack is unmaintained. A crate with the panics fixed has been published as hpack-patched.

Also consider using fluke-hpack or httlib-huffman as an alternative.

References

Published to the GitHub Advisory Database Apr 5, 2024
Reviewed Apr 5, 2024
Last updated Apr 5, 2024

Severity

High
7.5
/ 10

CVSS base metrics

Attack vector
Network
Attack complexity
Low
Privileges required
None
User interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Weaknesses

CVE ID

No known CVE

GHSA ID

GHSA-w7hm-hmxv-pvhf

Source code

Checking history
See something to contribute? Suggest improvements for this vulnerability.