HPACK decoder panics on invalid input
Due to insufficient checking of input data, decoding certain data sequences can lead to Decoder::decode panicking rather than returning an error. Example code that triggers this vulnerability looks like this: use hpack::Decoder; pub fn main() { let input = &[0x3f]; let mut decoder = Decoder::new(); let _ = decoder.decode(input); } hpack is unmaintained. A crate with the panics fixed has been published as hpack-patched. Also consider using fluke-hpack or httlib-huffman …