CVE-2019-16140: Use-after-free in chttp
The From implementation for Vec was incorrect and returned a vector backed by freed memory. This could lead to memory corruption or be exploited to cause undefined behavior.
A fix was published in version 0.1.3.
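The bug class described above, shown as an added illustration that is not chttp's own code. `RawBuf` and `into_vec_unsound` are hypothetical names, and the sketch assumes a buffer type that owns its allocation through a raw pointer and frees it in `Drop`.

```rust
use std::mem::ManuallyDrop;

// Hypothetical stand-in for a crate-internal byte buffer that owns a heap
// allocation through a raw pointer (an assumption, not chttp's real type).
pub struct RawBuf { ptr: *mut u8, len: usize, cap: usize }

impl RawBuf {
    pub fn from_bytes(data: &[u8]) -> Self {
        // Take over the Vec's allocation without running its destructor.
        let mut v = ManuallyDrop::new(data.to_vec());
        RawBuf { ptr: v.as_mut_ptr(), len: v.len(), cap: v.capacity() }
    }
}

impl Drop for RawBuf {
    fn drop(&mut self) {
        // Rebuild the Vec so the allocation is released exactly once.
        unsafe { drop(Vec::from_raw_parts(self.ptr, self.len, self.cap)) }
    }
}

// UNSOUND (kept for comparison, never called): the returned Vec adopts
// `buf.ptr`, then `buf` goes out of scope and its Drop frees the same
// allocation. The caller is left with a Vec over freed memory, and dropping
// that Vec frees the allocation a second time.
#[allow(dead_code)]
pub fn into_vec_unsound(buf: RawBuf) -> Vec<u8> {
    unsafe { Vec::from_raw_parts(buf.ptr, buf.len, buf.cap) }
}

// Sound: suppress RawBuf's destructor before the Vec takes ownership.
impl From<RawBuf> for Vec<u8> {
    fn from(buf: RawBuf) -> Vec<u8> {
        let buf = ManuallyDrop::new(buf);
        unsafe { Vec::from_raw_parts(buf.ptr, buf.len, buf.cap) }
    }
}

fn main() {
    // Constructed sample input.
    let v: Vec<u8> = RawBuf::from_bytes(b"constructed sample").into();
    println!("{}", String::from_utf8_lossy(&v));
}
```

Running a test that exercises such a conversion under Miri or AddressSanitizer reports the unsound variant as a use-after-free.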