CVE-2021-32715

LOW

hyper < 0.14.10 - HTTP Request Smuggling via Malformed Content-Length Header

Title source: llm

Description

hyper is an HTTP library for rust. hyper's HTTP/1 server code had a flaw that incorrectly parses and accepts requests with a `Content-Length` header with a prefixed plus sign, when it should have been rejected as illegal. This combined with an upstream HTTP proxy that doesn't parse such `Content-Length` headers, but forwards them, can result in "request smuggling" or "desync attacks". The flaw exists in all prior versions of hyper prior to 0.14.10, if built with `rustc` v1.5.0 or newer. The vulnerability is patched in hyper version 0.14.10. Two workarounds exist: One may reject requests manually that contain a plus sign prefix in the `Content-Length` header or ensure any upstream proxy handles `Content-Length` headers with a plus sign prefix.

References (2)

Core 2

Core References

Exploit, Third Party Advisory x_refsource_confirm

https://github.com/hyperium/hyper/security/advisories/GHSA-f3pg-qwvg-p99c

Patch, Third Party Advisory x_refsource_misc

https://github.com/rust-lang/rust/pull/28826/commits/123a83326fb95366e94a3be1a74775df4db97739

Scores

CVSS v3 3.1

EPSS 0.0088

EPSS Percentile 54.2%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N

Details

CWE

CWE-444

Status published

Products (2)

crates.io/hyper 0 - 0.14.10crates.io

hyper/hyper < 0.14.10

Published Jul 07, 2021

Tracked Since Feb 18, 2026