7.5

CVSS Score

3.1

Basic Information

CVE ID

GHSA ID

GHSA-w7hm-hmxv-pvhf

EPSS Score

CWE

CWE-754

Published

4/5/2024

Updated

4/5/2024

KEV Status

Technology

Rust

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

GHSA-w7hm-hmxv-pvhf

GHSA-w7hm-hmxv-pvhf: HPACK decoder panics on invalid input

Due to insufficient checking of input data, decoding certain data sequences can lead to Decoder::decode panicking rather than returning an error.

Example code that triggers this vulnerability looks like this:

use hpack::Decoder;

pub fn main() {
  let input = &[0x3f];
  let mut decoder = Decoder::new();
  let _ = decoder.decode(input);
}

hpack is unmaintained. A crate with the panics fixed has been published as hpack-patched.

Also consider using fluke-hpack or httlib-huffman as an alternative.

(GitHub Advisory)

7.5

CVSS Score

3.1

Basic Information

CVE ID

GHSA ID

GHSA-w7hm-hmxv-pvhf

EPSS Score

CWE

CWE-754

Published

4/5/2024

Updated

4/5/2024

KEV Status

Technology

Rust

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
hpack	rust	<= 0.3.0

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from the update_max_dynamic_size function's unsafe error handling. The original implementation used decode_integer().ok().unwrap() which would panic on invalid input. This function was called during SizeUpdate field processing in decode(). The commit diff shows the fix changed this to proper error propagation using the ? operator. The test case with input 0x3f specifically triggers this code path by providing an incomplete size update value, demonstrating the panic scenario. The combination of direct unwrap usage and its critical role in header decoding makes this the clear vulnerable function.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

*u* to insu**i*i*nt ****kin* o* input **t*, ***o*in* **rt*in **t* s*qu*n**s **n l*** to _***o**r::***o**_ p*ni*kin* r*t**r t**n r*turnin* *n *rror. *x*mpl* *o** t**t tri***rs t*is vuln*r**ility looks lik* t*is: ```rust us* *p**k::***o**r; pu* *n m

Reasoning

T** vuln*r**ility st*ms *rom t** up**t*_m*x_*yn*mi*_siz* *un*tion's uns*** *rror **n*lin*. T** ori*in*l impl*m*nt*tion us** ***o**_int***r().ok().unwr*p() w*i** woul* p*ni* on inv*li* input. T*is *un*tion w*s **ll** *urin* Siz*Up**t* *i*l* pro**ssin*

7.5

Basic Information

Concerned about an active attack path?

GHSA-w7hm-hmxv-pvhf: HPACK decoder panics on invalid input

7.5

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI