4.8

CVSS Score

3.1

Basic Information

CVE ID

CVE-2021-21299

GHSA ID

GHSA-6hfq-h8hq-87mf

EPSS Score

0.67848%

CWE

CWE-444

Published

8/25/2021

Updated

1/11/2023

KEV Status

Technology

Rust

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2021-21299

CVE-2021-21299: HTTP Request Smuggling in hyper

Summary

hyper's HTTP server code had a flaw that incorrectly understands some requests with multiple transfer-encoding headers to have a chunked payload, when it should have been rejected as illegal. This combined with an upstream HTTP proxy that understands the request payload boundary differently can result in "request smuggling" or "desync attacks".

Vulnerability

The flaw was introduced in https://github.com/hyperium/hyper/commit/26417fc24a7d05df538e0f39239b373c5c3d61f6, released in v0.12.0.

Consider this example request:

POST /yolo HTTP/1.1
Transfer-Encoding: chunked
Transfer-Encoding: cow

This request should be rejected, according to RFC 7230, since it has a Transfer-Encoding header, but after folding, it does not end in chunked. hyper would notice the chunked in the first line, and then check the second line, and thanks to a missing boolean assignment, not set the error condition. hyper would treat the payload as being chunked. By differing from the spec, it is possible to send requests like these to endpoints that have different HTTP implementations, with different interpretations of the payload semantics, and cause "desync attacks".

There are several parts of the spec that must also be checked, and hyper correctly handles all of those. Additionally, hyper's client does not allow sending requests with improper headers, so the misunderstanding cannot be propagated further.

Read more about desync attacks: https://portswigger.net/research/http-desync-attacks-request-smuggling-reborn

Impact

To determine if vulnerable, all these things must be true:

Using hyper as an HTTP server. The client is not affected.
Using HTTP/1.1. HTTP/2 does not use transfer-encoding.
Using a vulnerable HTTP proxy upstream to hyper. If an upstream proxy correctly rejects the illegal transfer-encoding headers, the desync attack cannot succeed. If there is no proxy upstream of hyper, hyper cannot start the desync attack, as the client will repair the headers before forwarding.

Patches

We have released and backported the following patch versions:

v0.14.3
v0.13.10

Workarounds

Besides upgrading hyper, you can take the following options:

Reject requests that contain a transfer-encoding header.
Ensure any upstream proxy handles transfer-encoding correctly.

Credits

This issue was initially reported by ZeddYu Lu From Qi An Xin Technology Research Institute.

(GitHub Advisory)

4.8

CVSS Score

3.1

Basic Information

CVE ID

CVE-2021-21299

GHSA ID

GHSA-6hfq-h8hq-87mf

EPSS Score

0.67848%

CWE

CWE-444

Published

8/25/2021

Updated

1/11/2023

KEV Status

Technology

Rust

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
hyper	rust	>= 0.14.0, < 0.14.3	0.14.3
hyper	rust	>= 0.13.0, < 0.13.10	0.13.10
hyper	rust	>= 0.12.0, < 0.12.36	0.12.36

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from HTTP/1 request parsing logic in role.rs where Transfer-Encoding headers are processed. The commit diff shows an added 'else { is_te_chunked = false; }' clause that fixes improper handling of multiple headers. Before this fix, the code would retain 'is_te_chunked=true' if any Transfer-Encoding header contained 'chunked', rather than only considering the last header. This matches the vulnerability description of accepting invalid combinations of Transfer-Encoding headers.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### Summ*ry *yp*r's *TTP s*rv*r *o** *** * *l*w t**t in*orr**tly un**rst*n*s som* r*qu*sts wit* multipl* tr*ns**r-*n*o*in* *****rs to **v* * **unk** p*ylo**, w**n it s*oul* **v* ***n r*j**t** *s ill***l. T*is *om*in** wit* *n upstr**m *TTP proxy t**

Reasoning

T** vuln*r**ility st*ms *rom *TTP/* r*qu*st p*rsin* lo*i* in rol*.rs w**r* Tr*ns**r-*n*o*in* *****rs *r* pro**ss**. T** *ommit *i** s*ows *n ***** '*ls* { is_t*_**unk** = **ls*; }' *l*us* t**t *ix*s improp*r **n*lin* o* multipl* *****rs. ***or* t*is

4.8

Basic Information

Concerned about an active attack path?

CVE-2021-21299: HTTP Request Smuggling in hyper

Summary

Vulnerability

Impact

Patches

Workarounds

Credits

4.8

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI