PT-2020-17516 · Rust · Tiny Http Crate

Published: 2020-06-16 · Updated: 2022-04-01 · CVE-2020-35884

CVSS v3.1: 6.5 (Medium)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: tiny_http crate, versions through 2020-06-16

Description: An issue in the tiny_http crate allows HTTP request smuggling via a malformed Transfer-Encoding header. Because the Transfer-Encoding header is parsed incorrectly, this can lead to HTTP pipelining issues and request smuggling attacks. By sending invalid Transfer-Encoding headers, an attacker can conduct HTTP request smuggling attacks, potentially poisoning a web cache, performing an XSS attack, or obtaining sensitive information from requests other than their own.

Recommendations: For tiny_http crate versions through 2020-06-16, consider disabling HTTP pipelining or restricting the use of the Transfer-Encoding header until a patch is available. Avoid using the Transfer-Encoding header in HTTP requests until the issue is resolved. As a temporary workaround, restrict access to the vulnerable HTTP endpoint to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
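The parsing weakness this advisory describes is easiest to see from the defender's side. The following is an added example, not code from the tiny_http crate: a strict body-framing check in Rust that a server or reverse proxy applies to the parsed header list before reading a request body. It rejects the ambiguous Transfer-Encoding and Content-Length combinations that request smuggling depends on (RFC 7230 section 3.3.3), and, as an assumption for this example, accepts only a single `chunked` transfer coding.

```rust
#[derive(Debug, PartialEq)]
pub enum Framing {
    Chunked,
    ContentLength(u64),
    NoBody,
}

/// Decide how a request body is framed, or reject the request with a reason.
/// `headers` are (name, value) pairs as received on the wire, not yet trimmed.
pub fn body_framing(headers: &[(&str, &str)]) -> Result<Framing, &'static str> {
    let mut te: Option<Vec<String>> = None;
    let mut cl: Option<u64> = None;
    for (name, value) in headers {
        if name.eq_ignore_ascii_case("transfer-encoding") {
            // Every listed coding must be a bare token; anything else
            // (e.g. "chunked\x0b", "chunked;x", "chun ked") is rejected.
            let mut codings = te.take().unwrap_or_default();
            for raw in value.split(',') {
                let coding = raw.trim_matches(|c| c == ' ' || c == '\t');
                let token = !coding.is_empty()
                    && coding.bytes().all(|b| b.is_ascii_alphanumeric() || b == b'-');
                if !token {
                    return Err("malformed Transfer-Encoding");
                }
                codings.push(coding.to_ascii_lowercase());
            }
            te = Some(codings);
        } else if name.eq_ignore_ascii_case("content-length") {
            // Digits only; repeated Content-Length headers must agree.
            let v = value.trim_matches(|c| c == ' ' || c == '\t');
            if v.is_empty() || !v.bytes().all(|b| b.is_ascii_digit()) {
                return Err("malformed Content-Length");
            }
            let n: u64 = v.parse().map_err(|_| "Content-Length too large")?;
            if cl.map_or(false, |prev| prev != n) {
                return Err("conflicting Content-Length values");
            }
            cl = Some(n);
        }
    }
    match (te, cl) {
        // Both present is exactly the ambiguity smuggling exploits: refuse it.
        (Some(_), Some(_)) => Err("Transfer-Encoding and Content-Length both present"),
        // Assumption for this example: only a single "chunked" coding is supported.
        (Some(c), None) if c.len() == 1 && c[0] == "chunked" => Ok(Framing::Chunked),
        (Some(_), None) => Err("unsupported or duplicated transfer coding"),
        (None, Some(n)) => Ok(Framing::ContentLength(n)),
        (None, None) => Ok(Framing::NoBody),
    }
}
```

A request that fails this check should be answered with 400 and the connection closed, so that no pipelined bytes after it are ever interpreted as a second request.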

Weakness Enumeration

HTTP Request/Response Smuggling

Related Identifiers

CVE-2020-35884
GHSA-7V2R-WXMG-MGVC
RUSTSEC-2020-0031

Affected Products

Tiny Http Crate