CVE-2019-25008

HIGH7.5

Integer Overflow/Infinite Loop in the http crate

Published: 8/25/2021Modified: 2/4/2026

Description

HeaderMap::reserve() used usize::next_power_of_two() to calculate the increased capacity. However, next_power_of_two() silently overflows to 0 if given a sufficiently large number in release mode. If the map was not empty when the overflow happens, the library will invoke self.grow(0) and start infinite probing. This allows an attacker who controls the argument to reserve() to cause a potential denial of service (DoS). The flaw was corrected in 0.1.20 release of http crate.

Affected packages (3)

crates.io/httpfrom 0, < 0.1.20
crates.io/httpfrom 0, < 0.1.20
crates.io/http>= 0.0.0-0, < 0.1.20

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	HIGH7.5	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References (6)

ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2019-25008
ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2020-25574
PATCHhttps://crates.io/crates/http
PATCHhttps://github.com/hyperium/http
WEBhttps://github.com/hyperium/http/issues/352
WEBhttps://rustsec.org/advisories/RUSTSEC-2019-0033.html