CVE-2020-25574: Integer Overflow/Infinite Loop in the http crate

August 25, 2021 (updated June 13, 2023)

HeaderMap::reserve() used usize::next_power_of_two() to calculate the increased capacity. However, next_power_of_two() silently overflows to 0 if given a sufficiently large number in release mode.

If the map was not empty when the overflow happens, the library will invoke self.grow(0) and start infinite probing. This allows an attacker who controls the argument to reserve() to cause a potential denial of service (DoS).

The flaw was corrected in 0.1.20 release of http crate.

References

github.com/advisories/GHSA-x7vr-c387-8w57
github.com/hyperium/http
github.com/hyperium/http/issues/352
nvd.nist.gov/vuln/detail/CVE-2020-25574
rustsec.org/advisories/RUSTSEC-2019-0033.html

Detect and mitigate CVE-2020-25574 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →