CVE-2020-35863

CRITICAL9.8EPSS 2.0%

Flaw in hyper allows request smuggling by sending a body in GET requests

發布日:2021/8/25修改日:2026/4/28

描述

An issue was discovered in the hyper crate before 0.12.34 for Rust. HTTP request smuggling can occur. Remote code execution can occur in certain situations with an HTTP server on the loopback interface.

受影響套件(3)

crates.io/hyper>= 0.11.0, < 0.12.34
crates.io/hyper>= 0.11.0, < 0.12.34
Debian/rust-hyperfrom 0, < 0.12.35-1

CVSS 分數

來源	版本	嚴重程度	向量
osv	CVSS 3.1	CRITICAL9.8	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

參考連結(6)

ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2020-35863
ADVISORYhttps://security-tracker.debian.org/tracker/CVE-2020-35863
PATCHhttps://crates.io/crates/hyper
PATCHhttps://github.com/hyperium/hyper
WEBhttps://github.com/hyperium/hyper/issues/1925
WEBhttps://rustsec.org/advisories/RUSTSEC-2020-0008.html