Hyper
CVE-2021-32715
MEDIUM
Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Lifecycle Timeline
1DescriptionNVD
hyper is an HTTP library for rust. hyper's HTTP/1 server code had a flaw that incorrectly parses and accepts requests with a Content-Length header with a prefixed plus sign, when it should have been rejected as illegal. This combined with an upstream HTTP proxy that doesn't parse such Content-Length headers, but forwards them, can result in "request smuggling" or "desync attacks". The flaw exists in all prior versions of hyper prior to 0.14.10, if built with rustc v1.5.0 or newer. The vulnerability is patched in hyper version 0.14.10. Two workarounds exist: One may reject requests manually that contain a plus sign prefix in the Content-Length header or ensure any upstream proxy handles Content-Length headers with a plus sign prefix.
AnalysisAI
hyper is an HTTP library for rust. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.
Technical ContextAI
This vulnerability is classified as HTTP Request/Response Smuggling (CWE-444), which allows attackers to manipulate HTTP request interpretation between frontend and backend servers. hyper is an HTTP library for rust. hyper's HTTP/1 server code had a flaw that incorrectly parses and accepts requests with a Content-Length header with a prefixed plus sign, when it should have been rejected as illegal. This combined with an upstream HTTP proxy that doesn't parse such Content-Length headers, but forwards them, can result in "request smuggling" or "desync attacks". The flaw exists in all prior versions of hyper prior to 0.14.10, if built with rustc v1.5.0 or newer. The vulnerability is patched in hyper version 0.14.10. Two workarounds exist: One may reject requests manually that contain a plus sign prefix in the Content-Length header or ensure any upstream proxy handles Content-Length headers with a plus sign prefix. Affected products include: Hyper. Version information: prior to 0.14.10.
RemediationAI
A vendor patch is available. Apply the latest security update as soon as possible. Enforce strict HTTP parsing, normalize requests at proxy layer, use HTTP/2 end-to-end, reject ambiguous headers.
hyper is an HTTP library for Rust. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no au
An issue was discovered in hyper v0.13.7. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no
An issue in Hyper on macOS version 3.4.1 and before, allows remote attackers to execute arbitrary code via the RunAsNode
An issue was discovered in the hyper crate before 0.12.34 for Rust. Rated critical severity (CVSS 9.8), this vulnerabili
hyper is an open-source HTTP library for Rust (crates.io). Rated high severity (CVSS 8.1), this vulnerability is remotel
A HTTP/2 implementation built using any version of the Python HPACK library between v1.0.0 and v2.2.0 could be targeted
Same weakness CWE-444 – HTTP Request/Response Smuggling
View allSame technique Request Smuggling
View allShare
External POC / Exploit Code
Leaving vuln.today