CVE-2020-36202: Async-h1 request smuggling possible with long unread bodies

May 24, 2022 (updated June 16, 2022)

An issue was discovered in the async-h1 crate before 2.3.0 for Rust. Request smuggling can occur when used behind a reverse proxy.

References

github.com/advisories/GHSA-c8rq-crxj-mj9m
github.com/http-rs/async-h1
github.com/http-rs/async-h1/releases/tag/v2.3.0
nvd.nist.gov/vuln/detail/CVE-2020-36202
rustsec.org/advisories/RUSTSEC-2020-0093.html

Code Behaviors & Features

Detect and mitigate CVE-2020-36202 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →