CVE-2021-32714: Integer Overflow in Chunked Transfer-Encoding
hyper’s HTTP server and client code had a flaw that could trigger an integer overflow when decoding chunk sizes that are too big. This can cause data loss or, when combined with an upstream HTTP proxy that allows chunk sizes larger than hyper does, can result in “request smuggling” or “desync attacks”.
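The bug class described above, as an added illustration that is not hyper's own code: a hex chunk-size parser using wrapping arithmetic next to one using checked arithmetic. The function names, the `u64` accumulator and the oversized sample size are assumptions constructed for this example.

```rust
// Added illustration of the bug class; not hyper's source code.
// Assumption: the chunk size is accumulated in a u64.
#[derive(Debug, PartialEq)]
enum ChunkSizeError {
    Empty,
    InvalidDigit(u8),
    Overflow,
}

fn hex_digit(b: u8) -> Result<u64, ChunkSizeError> {
    (b as char).to_digit(16).map(u64::from).ok_or(ChunkSizeError::InvalidDigit(b))
}

/// Unchecked form: wrapping_* models arithmetic that silently wraps,
/// which is what plain `*` and `+` do in a Rust release build.
fn parse_chunk_size_wrapping(hex: &[u8]) -> Result<u64, ChunkSizeError> {
    if hex.is_empty() { return Err(ChunkSizeError::Empty); }
    let mut size: u64 = 0;
    for &b in hex {
        size = size.wrapping_mul(16).wrapping_add(hex_digit(b)?);
    }
    Ok(size)
}

/// Hardened form: a size that does not fit in u64 is rejected outright.
fn parse_chunk_size_checked(hex: &[u8]) -> Result<u64, ChunkSizeError> {
    if hex.is_empty() { return Err(ChunkSizeError::Empty); }
    let mut size: u64 = 0;
    for &b in hex {
        let d = hex_digit(b)?;
        size = size.checked_mul(16)
            .and_then(|s| s.checked_add(d))
            .ok_or(ChunkSizeError::Overflow)?;
    }
    Ok(size)
}

/// Constructed sample: 17 hex digits, i.e. 2^64 + 5, one digit too many for u64.
fn constructed_oversized_size() -> String {
    format!("1{}5", "0".repeat(15))
}

fn main() {
    let line = constructed_oversized_size();
    println!("wrapping: {:?}", parse_chunk_size_wrapping(line.as_bytes()));
    println!("checked:  {:?}", parse_chunk_size_checked(line.as_bytes()));
}
```

A component in front that parses the same size line with wider integers would frame a far larger chunk than the wrapping parser does, which is the disagreement behind the desync case; rejecting the overflow removes it.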