PT-2020-17495 · Hyper · Hyper

Published: 2020-03-19 · Updated: 2021-08-25 · CVE-2020-35863

CVSS v3.1: 9.8 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: hyper versions prior to 0.12.34

Description: An issue in hyper allows HTTP request smuggling to occur, potentially leading to remote code execution in certain situations, such as when an HTTP server is running on the loopback interface. This is possible because vulnerable versions of hyper permit GET requests to have bodies even without a Transfer-Encoding or Content-Length header, contrary to the HTTP/1.1 specification. As a result, the body of such a request can be interpreted as a separate HTTP request, enabling an attacker to inject requests with otherwise disallowed headers. This can be used to bypass CORS restrictions and, in combination with other vulnerabilities, may allow remote code execution.

Recommendations: For versions prior to 0.12.34, update to version 0.12.34 or later to resolve the issue. As a temporary workaround, consider restricting GET requests that carry a body until the update is applied.
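The framing rule the description relies on, shown as an added example that is not hyper's code: a compliant HTTP/1.1 receiver gives a request with neither Content-Length nor Transfer-Encoding a zero-length body, so any bytes a sender appends as a "body" are read as the start of the next request. The block parses a constructed buffer both ways and implements the sender-side check the fix amounts to (a body is never written without a framing header). The function names, the `Request` type, the host `example.test` and the request bytes are all constructed for this example; chunked transfer coding is deliberately out of scope.

```rust
// Added example (not hyper's code): RFC 7230 section 3.3.3 body framing as a
// receiver applies it, plus the sender-side check that the fix amounts to.
use std::str;

#[derive(Debug, Clone, PartialEq)]
pub struct Request {
    pub method: String,
    pub target: String,
    pub headers: Vec<(String, String)>,
    pub body: Vec<u8>,
}

// Constructed wire bytes: a GET whose sender intended the trailing bytes as a
// body but sent no Content-Length or Transfer-Encoding header.
pub const UNFRAMED: &[u8] = b"GET /search HTTP/1.1\r\nHost: example.test\r\n\r\nGET /internal HTTP/1.1\r\nHost: example.test\r\nX-Example: 1\r\n\r\n";

fn header<'a>(headers: &'a [(String, String)], name: &str) -> Option<&'a str> {
    headers
        .iter()
        .find(|(n, _)| n.eq_ignore_ascii_case(name))
        .map(|(_, v)| v.as_str())
}

/// Body length a compliant receiver assigns to a request: Content-Length if
/// present, otherwise zero. Chunked transfer coding is out of scope here.
pub fn declared_body_length(headers: &[(String, String)]) -> Result<usize, String> {
    if header(headers, "transfer-encoding").is_some() {
        return Err("chunked framing is not handled by this example".to_string());
    }
    match header(headers, "content-length") {
        Some(v) => v.parse::<usize>().map_err(|_| format!("bad Content-Length: {:?}", v)),
        None => Ok(0),
    }
}

fn find(hay: &[u8], needle: &[u8]) -> Option<usize> {
    hay.windows(needle.len()).position(|w| w == needle)
}

/// Parse every request in `buf` the way a receiver does: the head ends at the
/// first blank line, the body is exactly `declared_body_length` bytes, and
/// anything after that is the start of the next request.
pub fn parse_requests(mut buf: &[u8]) -> Result<Vec<Request>, String> {
    let mut out = Vec::new();
    while !buf.is_empty() {
        let head_end = find(buf, b"\r\n\r\n").ok_or("incomplete request head")?;
        let head = str::from_utf8(&buf[..head_end]).map_err(|e| e.to_string())?;
        let mut lines = head.split("\r\n");
        let mut start = lines.next().unwrap_or("").split(' ');
        let method = start.next().ok_or("missing method")?.to_string();
        let target = start.next().ok_or("missing request target")?.to_string();
        let headers = lines
            .map(|l| -> Result<(String, String), String> {
                let (n, v) = l.split_once(':').ok_or(format!("bad header line: {:?}", l))?;
                Ok((n.trim().to_string(), v.trim().to_string()))
            })
            .collect::<Result<Vec<_>, String>>()?;
        let len = declared_body_length(&headers)?;
        let body_start = head_end + 4;
        if buf.len() < body_start + len {
            return Err("incomplete body".to_string());
        }
        let body = buf[body_start..body_start + len].to_vec();
        out.push(Request { method, target, headers, body });
        buf = &buf[body_start + len..];
    }
    Ok(out)
}

/// Sender-side check (the behaviour the fix requires): a request that carries
/// a body must also carry framing, so add Content-Length when it is missing
/// and no Transfer-Encoding is present.
pub fn serialize_request(req: &Request) -> Vec<u8> {
    let mut headers = req.headers.clone();
    if !req.body.is_empty()
        && header(&headers, "content-length").is_none()
        && header(&headers, "transfer-encoding").is_none()
    {
        headers.push(("Content-Length".to_string(), req.body.len().to_string()));
    }
    let mut out = format!("{} {} HTTP/1.1\r\n", req.method, req.target).into_bytes();
    for (n, v) in &headers {
        out.extend_from_slice(format!("{}: {}\r\n", n, v).as_bytes());
    }
    out.extend_from_slice(b"\r\n");
    out.extend_from_slice(&req.body);
    out
}

fn main() {
    // Without framing headers the receiver sees two independent requests.
    let seen = parse_requests(UNFRAMED).unwrap();
    println!("unframed: {} request(s): {:?}", seen.len(), seen.iter().map(|r| &r.target).collect::<Vec<_>>());
    // Re-sent through the checked serializer, the same bytes stay one request.
    let second = find(UNFRAMED, b"\r\n\r\n").unwrap() + 4;
    let req = Request {
        method: "GET".into(),
        target: "/search".into(),
        headers: vec![("Host".into(), "example.test".into())],
        body: UNFRAMED[second..].to_vec(),
    };
    let framed = parse_requests(&serialize_request(&req)).unwrap();
    println!("framed:   {} request(s), body {} bytes", framed.len(), framed[0].body.len());
}
```

The receiver side is spec-conformant and needs no change; what the fix addresses is the sender, which must never emit a body without Content-Length or Transfer-Encoding. Treating an incoming GET that advertises a body as suspicious (the workaround above) is a separate, receiver-side policy choice.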

Weakness Enumeration

HTTP Request/Response Smuggling

Related Identifiers

CVE-2020-35863
GHSA-H3QR-RQ2J-74W4
RUSTSEC-2020-0008

Affected Products

Hyper