RUSTSEC-2023-0085: Vulnerability in hpack

Rust Crates.io Security Advisory



RUSTSEC-2023-0085

HPACK decoder panics on invalid input


Reported
Issued

Package: hpack (crates.io)

Type: Vulnerability

Categories
References
Patched: no patched versions

Description

Due to insufficient checking of input data, decoding certain data sequences can
lead to Decoder::decode panicking rather than returning an error.

Example code that triggers this vulnerability looks like this:

use hpack::Decoder;

pub fn main() {
    // A single byte, 0x3f (0b0011_1111): the leading bits 001 mark a dynamic
    // table size update and the 5-bit prefix integer is all ones, so a
    // continuation byte is required but the input ends here. Decoder::decode
    // panics on this truncated input instead of returning an error.
    let input = &[0x3f];
    let mut decoder = Decoder::new();
    let _ = decoder.decode(input);
}
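The root cause is a length check the decoder skips while reading a prefix-coded integer (RFC 7541 section 5.1). The following is an added example, not code from the hpack crate: a standalone integer decoder whose names (HpackError, decode_integer) are assumed here, and which returns an error on truncated or oversized input, including the one-byte 0x3f input above.

```rust
// Added example (not from the hpack crate): an RFC 7541 §5.1 integer decoder
// that reports truncated or oversized input as an error instead of panicking.

#[derive(Debug, PartialEq)]
pub enum HpackError {
    /// The continuation bytes run past the end of the buffer.
    Truncated,
    /// The encoded value does not fit in a u64.
    IntegerOverflow,
}

/// Decodes an HPACK integer whose low `prefix_bits` (1..=8) are in `buf[0]`.
/// Returns the value and the number of bytes consumed, so the caller can
/// continue with the rest of the header block.
pub fn decode_integer(buf: &[u8], prefix_bits: u8) -> Result<(u64, usize), HpackError> {
    debug_assert!((1..=8).contains(&prefix_bits), "prefix must be 1..=8 bits");
    // Bounds-checked read: an empty buffer is an error, never an index panic.
    let first = *buf.first().ok_or(HpackError::Truncated)?;
    let mask: u8 = if prefix_bits == 8 { 0xff } else { (1u8 << prefix_bits) - 1 };
    let mut value = u64::from(first & mask);
    if value < u64::from(mask) {
        return Ok((value, 1)); // Fits in the prefix: single byte.
    }
    // Prefix is all ones: continuation bytes follow, 7 bits each, low bits first,
    // with the high bit set on every byte except the last.
    let mut shift = 0u32;
    for (i, &b) in buf[1..].iter().enumerate() {
        if shift > 56 {
            return Err(HpackError::IntegerOverflow); // 0x7f << 63 would lose bits.
        }
        let chunk = u64::from(b & 0x7f) << shift;
        value = value.checked_add(chunk).ok_or(HpackError::IntegerOverflow)?;
        if b & 0x80 == 0 {
            return Ok((value, i + 2)); // i is relative to buf[1..].
        }
        shift += 7;
    }
    // Ran out of bytes while the continuation bit was still set.
    Err(HpackError::Truncated)
}
```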

hpack is unmaintained. A crate with the panics fixed has been published as
hpack-patched.

Also consider using fluke-hpack or httlib-huffman as an alternative.

Advisory available under CC0-1.0 license.
