mellowagain
commented
2 years ago Dependency chain for hyper 0.13.10:
reqwest 0.10.10hyper 0.13.10(affected crate)
Closed github-actions[bot] closed 2 years ago
mellowagain
commented
2 years ago Dependency chain for hyper 0.13.10:
reqwest 0.10.10
hyper 0.13.10 (affected crate)mellowagain
commented
2 years ago There are currently plans to replace reqwest with awc. This will result in this issue being automatically fixed. Marking as on hold until awc is implemented.
There are currently no plans to upgrade to a higher hyper version (with reqwest).
mellowagain
commented
2 years ago Affected crate has been removed in c397c6d.
hyper0.13.10>=0.14.10When decoding chunk sizes that are too large,
hyper's code would encounter an integer overflow. Depending on the situation, this could lead to data loss from an incorrect total size, or in rarer cases, a request smuggling attack.To be vulnerable, you must be using
hyperfor any HTTP/1 purpose, including as a client or server, and consumers must send requests or responses that specify a chunk size greater than 18 exabytes. For a possible request smuggling attack to be possible, any upstream proxies must accept a chunk size greater than 64 bits.See advisory page for additional details.