GHSA-w7hm-hmxv-pvhf: HPACK decoder panics on invalid input

April 5, 2024

Due to insufficient checking of input data, decoding certain data sequences can lead to Decoder::decode panicking rather than returning an error.

Example code that triggers this vulnerability looks like this:

use hpack::Decoder;

pub fn main() {
let input = &[0x3f];
let mut decoder = Decoder::new();
let _ = decoder.decode(input);
}

hpack is unmaintained. A crate with the panics fixed has been published as hpack-patched.

Also consider using fluke-hpack or httlib-huffman as an alternative.

References

github.com/advisories/GHSA-w7hm-hmxv-pvhf
github.com/mlalic/hpack-rs
github.com/mlalic/hpack-rs/issues/11
github.com/sno2/hpack-rs-patched/commit/d669282924a95311599e9e7dd53869ee96b3a2f5
rustsec.org/advisories/RUSTSEC-2023-0085.html

Detect and mitigate GHSA-w7hm-hmxv-pvhf with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →