9.8

CVSS Score

3.1

Basic Information

CVE ID

CVE-2020-35863

GHSA ID

GHSA-h3qr-rq2j-74w4

EPSS Score

0.82879%

CWE

CWE-444

Published

8/25/2021

Updated

6/13/2023

KEV Status

Technology

Rust

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2020-35863

CVE-2020-35863:
HTTP Request Smuggling in hyper

Vulnerable versions of hyper allow GET requests to have bodies, even if there is no Transfer-Encoding or Content-Length header. As per the HTTP 1.1 specification, such requests do not have bodies, so the body will be interpreted as a separate HTTP request.

This allows an attacker who can control the body and method of an HTTP request made by hyper to inject a request with headers that would not otherwise be allowed, as demonstrated by sending a malformed HTTP request from a Substrate runtime. This allows bypassing CORS restrictions. In combination with other vulnerabilities, such as an exploitable web server listening on loopback, it may allow remote code execution.

The flaw was corrected in hyper version 0.12.34.

(GitHub Advisory)

9.8

CVSS Score

3.1

Basic Information

CVE ID

CVE-2020-35863

GHSA ID

GHSA-h3qr-rq2j-74w4

EPSS Score

0.82879%

CWE

CWE-444

Published

8/25/2021

Updated

6/13/2023

KEV Status

Technology

Rust

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
hyper	rust	>= 0.11.0, < 0.12.34	0.12.34

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from improper handling of HTTP/1.1 request semantics in hyper's client implementation. Key functions involved in request serialization (send_request) and connection management (Conn::send_request) failed to enforce RFC 7230 Section 3.3 which prohibits bodies for GET requests without content-length/transfer-encoding headers. This allowed smuggling by treating the body as a new request. The high confidence for the first function comes from its direct role in request encoding, while the second gets medium confidence due to its position in the protocol handling stack, though exact implementation details without patch diffs require some inference.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

Vuln*r**l* v*rsions o* *yp*r *llow **T r*qu*sts to **v* *o*i*s, *v*n i* t**r* is no Tr*ns**r-*n*o*in* or *ont*nt-L*n*t* *****r. *s p*r t** *TTP *.* sp**i*i**tion, su** r*qu*sts *o not **v* *o*i*s, so t** *o*y will ** int*rpr*t** *s * s*p*r*t* *TTP r*

Reasoning

T** vuln*r**ility st*ms *rom improp*r **n*lin* o* *TTP/*.* r*qu*st s*m*nti*s in *yp*r's *li*nt impl*m*nt*tion. K*y *un*tions involv** in r*qu*st s*ri*liz*tion (s*n*_r*qu*st) *n* *onn**tion m*n***m*nt (*onn::s*n*_r*qu*st) **il** to *n*or** R** **** S*

9.8

Basic Information

Concerned about an active attack path?

CVE-2020-35863: HTTP Request Smuggling in hyper

9.8

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

CVE-2020-35863:
HTTP Request Smuggling in hyper

Vulnerability Intelligence
Miggo AI