CVE-2021-26959 in Hyper Crate
Summary
by MITRE • 02/10/2021
An issue was discovered in the hyper crate before 0.13.10 and 0.14.x before 0.14.3 for Rust. Request smuggling can occur when more than one Transfer-Encoding header is sent.
Analysis
by VulDB Data Team • 02/27/2021
The vulnerability in the hyper crate affects versions prior to 0.13.10 and 0.14.x before 0.14.3, presenting a significant security risk through request smuggling attacks. This issue arises from improper handling of multiple Transfer-Encoding headers within HTTP requests processed by the hyper library, which is a widely used HTTP client and server implementation in Rust applications. The flaw allows malicious actors to manipulate HTTP request parsing behavior through crafted header sequences that exploit ambiguities in how duplicate Transfer-Encoding headers are interpreted.
Transfer-Encoding headers control how a message body is encoded for transmission across an HTTP connection, with the most common values being chunked, gzip, deflate, and base64. When multiple Transfer-Encoding headers are present in a single request, the hyper crate fails to validate or normalize them as the HTTP specification requires. The resulting parsing inconsistency can be exploited by attackers to inject malformed requests or to manipulate how subsequent parts of the request are processed. The vulnerability specifically concerns how the library interprets duplicate header values, which does not comply with the RFC 7230 rules for header field handling.
The operational impact of this vulnerability extends across the many Rust applications that rely on hyper for HTTP communication, particularly those acting as intermediaries or reverse proxies, where request smuggling could enable bypassing security controls. An attacker could use this weakness for cache poisoning, cross-site scripting attacks, or unauthorized access to backend services by manipulating how requests are interpreted and forwarded through the affected system. The vulnerability also potentially enables protocol confusion attacks in which different components of the HTTP stack interpret header values inconsistently.
This issue maps directly to CWE-1037, which covers insufficient control of generation of code or system calls, and aligns with ATT&CK technique T1071.004 for application layer protocol manipulation. The vulnerability demonstrates poor input validation and header parsing logic that creates opportunities for attackers to subvert expected HTTP processing behavior through carefully constructed request headers. Organizations using hyper in their Rust applications should immediately upgrade to version 0.13.10 or to version 0.14.3 or later, as these releases handle multiple Transfer-Encoding headers correctly and close the exploitation path. Additionally, validating headers at the application level and monitoring for unusual header patterns can serve as defensive measures until the patch is deployed.
The root cause is inadequate header field normalization in the hyper crate's HTTP parsing implementation, where duplicate headers are not processed consistently with the requirements of the HTTP specification. This failure to comply with RFC 7230 creates ambiguity in request interpretation that attackers can exploit to induce unexpected behavior in HTTP request handling. The vulnerability affects both the client and the server implementation within hyper, so applications using the library in either role could be compromised through different attack vectors depending on their usage patterns and deployment configurations.
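As an added example (not hyper's own code and not the patched parser), the following Rust check applies the application-level header validation the analysis recommends: it classifies a request head by its body framing and rejects every ambiguous shape, including the duplicate Transfer-Encoding headers this CVE describes. It assumes the request head is available as a string and uses only the standard library.

```rust
// Added example, not hyper's own code: a strict framing check a reverse proxy or
// application layer can run on a request head before handing it to the HTTP library.
#[derive(Debug, PartialEq)]
pub enum Framing {
    NoBody,
    ContentLength(u64),
    Chunked,
    Ambiguous(&'static str), // reason the request must be rejected
}

/// Header lines of a request head as lowercase-named pairs; None if a line lacks ':'.
fn parse_headers(head: &str) -> Option<Vec<(String, String)>> {
    let mut headers = Vec::new();
    for line in head.lines().skip(1) { // skip the request line
        if line.trim().is_empty() { break; } // blank line ends the head
        let (name, value) = line.split_once(':')?;
        headers.push((name.trim().to_ascii_lowercase(), value.trim().to_string()));
    }
    Some(headers)
}

/// Every value carried by headers of the given (lowercase) name, in order.
fn values<'a>(headers: &'a [(String, String)], wanted: &str) -> Vec<&'a str> {
    headers.iter().filter(|(n, _)| n.as_str() == wanted).map(|(_, v)| v.as_str()).collect()
}

pub fn classify_framing(head: &str) -> Framing {
    let headers = match parse_headers(head) {
        Some(h) => h,
        None => return Framing::Ambiguous("malformed header line"),
    };
    let te = values(&headers, "transfer-encoding");
    let cl = values(&headers, "content-length");
    // The duplicate-header shape this CVE names: reject outright rather than pick one.
    if te.len() > 1 { return Framing::Ambiguous("more than one Transfer-Encoding header"); }
    if !te.is_empty() && !cl.is_empty() { return Framing::Ambiguous("Transfer-Encoding with Content-Length"); }
    if let Some(list) = te.first() {
        // RFC 7230 section 3.3.3: chunked must be the final coding and appear exactly once.
        let codings: Vec<String> = list.split(',').map(|c| c.trim().to_ascii_lowercase()).collect();
        let last_ok = codings.last().map(String::as_str) == Some("chunked");
        let once = codings.iter().filter(|c| c.as_str() == "chunked").count() == 1;
        return if last_ok && once { Framing::Chunked } else { Framing::Ambiguous("chunked is not the single final coding") };
    }
    match cl.as_slice() {
        [] => Framing::NoBody,
        [one] => one.parse::<u64>().map(Framing::ContentLength).unwrap_or(Framing::Ambiguous("invalid Content-Length")),
        _ => Framing::Ambiguous("more than one Content-Length header"),
    }
}
```

Run the check on the head before any body bytes are consumed, and answer anything other than Chunked, ContentLength or NoBody with a 400 so the front end and hyper can never disagree on where the request ends.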