Skip to content

Lenient Parsing of Content-Length Header When Prefixed with Plus Sign

Low severity GitHub Reviewed Published Jul 7, 2021 in hyperium/hyper • Updated Apr 3, 2023

Package

cargo hyper (Rust)

Affected versions

< 0.14.10

Patched versions

0.14.10

Description

Summary

hyper's HTTP/1 server code had a flaw that incorrectly parses and accepts requests with a Content-Length header with a prefixed plus sign, when it should have been rejected as illegal. This combined with an upstream HTTP proxy that doesn't parse such Content-Length headers, but forwards them, can result in "request smuggling" or "desync attacks".

Vulnerability

The flaw exists in all prior versions of hyper, if built with rustc v1.5.0 or newer.

Example:

GET / HTTP/1.1
Host: example.com
Content-Length: +3

abc

This request gets accepted and hyper reads the body as abc. The request should be rejected, according to RFC 7230, since the ABNF for Content-Length only allows for DIGITs. This is due to using the FromStr implementation for u64 in the standard library. By differing from the spec, it is possible to send requests like these to endpoints that have different HTTP implementations, with different interpretations of the payload semantics, and cause "desync attacks".

In this particular case, an upstream proxy would need to error when parsing the Content-Length, but not reject the request (swallowing its own error), and forwarding the request as-is with the Content-Length still included. Then the upstream proxy and hyper would disagree on the length of the request body. The combination of these factors would be extremely rare.

Read more about desync attacks: https://portswigger.net/research/http-desync-attacks-request-smuggling-reborn

Impact

To determine if vulnerable, all these things must be true:

  • Using hyper as an HTTP server. While the lenient decoder also exists in the client, a vulnerability does not exist around responses.
  • Using HTTP/1. The HTTP/2 code uses a stricter parser.
  • Using a vulnerable HTTP proxy upstream to hyper. If an upstream proxy correctly rejects the illegal Content-Length header, OR can parse the length with the plus sign, the desync attack cannot succeed.

Patches

We have released the following patch versions:

  • v0.14.10 (to be released when this advisor is published)

Workarounds

Besides upgrading hyper, you can take the following options:

  • Reject requests manually that contain a plus sign prefix in the Content-Length header.
  • Ensure any upstream proxy handles Content-Length headers with a plus sign prefix.

Credits

This issue was initially reported by Mattias Grenfeldt and Asta Olofsson.

References

@seanmonstar seanmonstar published to hyperium/hyper Jul 7, 2021
Reviewed Jul 7, 2021
Published by the National Vulnerability Database Jul 7, 2021
Published to the GitHub Advisory Database Jul 12, 2021
Last updated Apr 3, 2023

Severity

Low

CVSS overall score

This score calculates overall vulnerability severity from 0 to 10 and is based on the Common Vulnerability Scoring System (CVSS).
/ 10

CVSS v3 base metrics

Attack vector
Network
Attack complexity
High
Privileges required
None
User interaction
Required
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None

CVSS v3 base metrics

Attack vector: More severe the more the remote (logically and physically) an attacker can be in order to exploit the vulnerability.
Attack complexity: More severe for the least complex attacks.
Privileges required: More severe if no privileges are required.
User interaction: More severe when no user interaction is required.
Scope: More severe when a scope change occurs, e.g. one vulnerable component impacts resources in components beyond its security scope.
Confidentiality: More severe when loss of data confidentiality is highest, measuring the level of data access available to an unauthorized user.
Integrity: More severe when loss of data integrity is the highest, measuring the consequence of data modification possible by an unauthorized user.
Availability: More severe when the loss of impacted component availability is highest.
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N

EPSS score

Exploit Prediction Scoring System (EPSS)

This score estimates the probability of this vulnerability being exploited within the next 30 days. Data provided by FIRST.
(52nd percentile)

Weaknesses

Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')

The product acts as an intermediary HTTP agent (such as a proxy or firewall) in the data flow between two entities such as a client and server, but it does not interpret malformed HTTP requests or responses in ways that are consistent with how the messages will be processed by those entities that are at the ultimate destination. Learn more on MITRE.

CVE ID

CVE-2021-32715

GHSA ID

GHSA-f3pg-qwvg-p99c

Source code

Credits

Loading Checking history
See something to contribute? Suggest improvements for this vulnerability.