CVE-2020-35863

CRITICAL9.8EPSS 2.0%

Flaw in hyper allows request smuggling by sending a body in GET requests

Published: 8/25/2021Modified: 4/28/2026

Description

An issue was discovered in the hyper crate before 0.12.34 for Rust. HTTP request smuggling can occur. Remote code execution can occur in certain situations with an HTTP server on the loopback interface.

Affected packages (3)

crates.io/hyper>= 0.11.0, < 0.12.34
crates.io/hyper>= 0.11.0, < 0.12.34
Debian/rust-hyperfrom 0, < 0.12.35-1

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	CRITICAL9.8	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References (6)

ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2020-35863
ADVISORYhttps://security-tracker.debian.org/tracker/CVE-2020-35863
PATCHhttps://crates.io/crates/hyper
PATCHhttps://github.com/hyperium/hyper
WEBhttps://github.com/hyperium/hyper/issues/1925
WEBhttps://rustsec.org/advisories/RUSTSEC-2020-0008.html