CVE-2020-35875: Excessive memory usage in tokio-rustls

August 25, 2021 (updated June 13, 2023)

tokio-rustls does not call process_new_packets immediately after read, so the expected termination condition wants_read always returns true. As long as new incoming data arrives faster than it is processed and the reader does not return pending, data will be buffered. This may cause DoS.

References

github.com/advisories/GHSA-2jfv-g3fh-xq3v
github.com/tokio-rs/tls
github.com/tokio-rs/tls/pull/14
nvd.nist.gov/vuln/detail/CVE-2020-35875
rustsec.org/advisories/RUSTSEC-2020-0019.html

Detect and mitigate CVE-2020-35875 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →