{"id":"RUSTSEC-2021-0079","summary":"Integer overflow in `hyper`'s parsing of the `Transfer-Encoding` header leads to data loss","details":"When decoding chunk sizes that are too large, `hyper`'s code would encounter an integer overflow. Depending on the situation,\nthis could lead to data loss from an incorrect total size, or in rarer cases, a request smuggling attack.\n\nTo be vulnerable, you must be using `hyper` for any HTTP/1 purpose, including as a client or server, and consumers must send\nrequests or responses that specify a chunk size greater than 18 exabytes. For a request smuggling attack to be possible,\nany upstream proxies must accept a chunk size greater than 64 bits.","aliases":["CVE-2021-32714","GHSA-5h46-h7hh-c6x9"],"modified":"2023-11-08T04:05:57.916759Z","published":"2021-07-07T12:00:00Z","database_specific":{"license":"CC0-1.0"},"references":[{"type":"PACKAGE","url":"https://crates.io/crates/hyper"},{"type":"ADVISORY","url":"https://rustsec.org/advisories/RUSTSEC-2021-0079.html"},{"type":"ADVISORY","url":"https://github.com/hyperium/hyper/security/advisories/GHSA-5h46-h7hh-c6x9"}],"affected":[{"package":{"name":"hyper","ecosystem":"crates.io","purl":"pkg:cargo/hyper"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0.0.0-0"},{"fixed":"0.14.10"}]}],"ecosystem_specific":{"affected_functions":null,"affects":{"arch":[],"functions":[],"os":[]}},"database_specific":{"categories":[],"cvss":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H","informational":null,"source":"https://github.com/rustsec/advisory-db/blob/osv/crates/RUSTSEC-2021-0079.json"}}],"schema_version":"1.7.3","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H"}]}