4.3

CVSS Score

3.1

-

CVSS Score

Basic Information

CVE ID

CVE-2024-51502

GHSA ID

GHSA-7vm6-qwh5-9x44

EPSS Score

0.34264%

CWE

CWE-754

Published

11/4/2024

Updated

11/5/2024

KEV Status

Technology

Rust

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2024-51502

CVE-2024-51502: loona-hpack Panic Vulnerability

Summary

loona-hpack suffers from the same vulnerability as the original hpack as documented in https://github.com/mlalic/hpack-rs/issues/11

Details

The original includes a very nice description of the problem, as well as an easy-enough fix for it.

PoC

The original example pretty much still applies:

use loona_hpack::Decoder;

pub fn main() {
    let input = &[0x3f];
    let mut decoder = Decoder::new();
    let _ = decoder.decode(input);
}

Impact

From the original: All users who try to decode untrusted input using the Decoder are vulnerable to this exploit. A patched version of the crate is available on [crates.io](https://crates.io/crates/hpack-patched) under the name hpack-patched. See [Cargo's documentation on overriding dependencies](https://doc.rust-lang.org/cargo/reference/overriding-dependencies.html) for more information.

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2024-51502

CVE-2024-51502:

4.3

CVSS Score

3.1

-

CVSS Score

Basic Information

CVE ID

CVE-2024-51502

GHSA ID

GHSA-7vm6-qwh5-9x44

EPSS Score

0.34264%

CWE

CWE-754

Published

11/4/2024

Updated

11/5/2024

KEV Status

Technology

Rust

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
loona-hpack	rust	<= 0.4.2	0.4.3

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from the update_max_dynamic_size function in decoder.rs. The commit diff shows the vulnerable code used 'decode_integer(buf, 5).ok().unwrap()' which panics when decoding fails. The CWE-754/755 classifications confirm improper error handling. The original hpack-rs issue #11 describes the same pattern of unsafe unwrapping in size update handling. The PoC triggers this code path through Decoder::decode, making this the definitive vulnerable function.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

4.3

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2024-51502: loona-hpack Panic Vulnerability

Summary

Details

PoC

Impact

CVE-2024-51502:

4.3

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

CVE-2024-51502: loona-hpack Panic Vulnerability

Summary

Details

PoC

Impact

Basic Information

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

4.3

4.3

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI