CVE-2020-25574 – http

Package

Manager: cargo
Name: http
Vulnerable Version: >=0 <0.1.20

Severity

Level: High

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

EPSS: 0.00662 pctl0.70271

Details

Integer Overflow/Infinite Loop in the http crate HeaderMap::reserve() used usize::next_power_of_two() to calculate the increased capacity. However, next_power_of_two() silently overflows to 0 if given a sufficiently large number in release mode. If the map was not empty when the overflow happens, the library will invoke self.grow(0) and start infinite probing. This allows an attacker who controls the argument to reserve() to cause a potential denial of service (DoS). The flaw was corrected in 0.1.20 release of http crate.

Metadata

Created: 2021-08-25T21:01:31Z
Modified: 2023-06-13T18:21:10Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/08/GHSA-x7vr-c387-8w57/GHSA-x7vr-c387-8w57.json
CWE IDs: ["CWE-190", "CWE-835"]
Alternative ID: GHSA-x7vr-c387-8w57
Finding: F111
Auto approve: 1