N/A

CVSS Score

Basic Information

CVE ID

GHSA ID

GHSA-f67m-9j94-qv9j

EPSS Score

CWE

Published

6/16/2022

Updated

1/12/2023

KEV Status

Technology

Rust

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

GHSA-f67m-9j94-qv9j

GHSA-f67m-9j94-qv9j: Parser creates invalid uninitialized value

Affected versions of this crate called mem::uninitialized() in the HTTP1 parser to create values of type httparse::Header (from the httparse crate). This is unsound, since Header contains references and thus must be non-null.

The flaw was corrected by avoiding the use of mem::uninitialized(), using MaybeUninit instead.

(GitHub Advisory)

N/A

CVSS Score

Basic Information

CVE ID

GHSA ID

GHSA-f67m-9j94-qv9j

EPSS Score

CWE

Published

6/16/2022

Updated

1/12/2023

KEV Status

Technology

Rust

Technical Details

CVSS Vector

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
hyper	rust	< 0.14.12	0.14.12

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from using mem::uninitialized() with httparse::Header in HTTP1 parsing logic. The pull request #2545 specifically shows changes in role.rs where Server::parse and Client::parse methods were modified to replace mem::uninitialized() with MaybeUninit. These functions handle header parsing and were directly mentioned in commit messages ('Server::parse - use MaybeUninit' and 'Client::parse - use MaybeUninit'). The HTTP1 parser is explicitly called out in the advisory as the affected component, and httparse::Header's reference-containing nature makes uninitialized memory particularly dangerous here.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

*****t** v*rsions o* t*is *r*t* **ll** `m*m::uniniti*liz**()` in t** *TTP* p*rs*r to *r**t* v*lu*s o* typ* `*ttp*rs*::*****r` (*rom t** `*ttp*rs*` *r*t*). T*is is unsoun*, sin** `*****r` *ont*ins r***r*n**s *n* t*us must ** non-null. T** *l*w w*s *

Reasoning

T** vuln*r**ility st*ms *rom usin* m*m::uniniti*liz**() wit* *ttp*rs*::*****r in *TTP* p*rsin* lo*i*. T** pull r*qu*st #**** sp**i*i**lly s*ows ***n**s in rol*.rs w**r* S*rv*r::p*rs* *n* *li*nt::p*rs* m*t*o*s w*r* mo*i*i** to r*pl*** m*m::uniniti*liz

N/A

Basic Information

Concerned about an active attack path?

GHSA-f67m-9j94-qv9j: Parser creates invalid uninitialized value

N/A

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI