PT-2021-6699 · Hyper · Hyper

Asta Olofsson +1 · Published 2021-07-07 · Updated 2026-02-18 · CVE-2021-32714

CVSS v2.0: 9.4 (Critical)

Vector: AV:N/AC:L/Au:N/C:N/I:C/A:C
Name of the Vulnerable Software and Affected Versions: hyper versions prior to 0.14.10

Description: The issue is an integer overflow when decoding chunk sizes that are too large, which can cause data loss or, in certain cases, "request smuggling" or "desync attacks" if combined with an upstream HTTP proxy that accepts larger chunk sizes. This can occur when hyper is used for any HTTP/1 purpose, as a client or as a server, and consumers send requests or responses that specify a chunk size greater than 18 exabytes. For a request smuggling attack to be possible, any upstream proxies must accept a chunk size greater than 64 bits.

Recommendations: To resolve the issue, upgrade to version 0.14.10 or later. As a temporary workaround, consider manually rejecting requests that contain a Transfer-Encoding header. Alternatively, ensure any upstream proxy rejects Transfer-Encoding chunk sizes greater than what fits in a 64-bit unsigned integer.
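As an added example that is not part of the advisory or of hyper's code base: a chunk-size line parser in Rust with checked arithmetic beside the wrapping form, showing how a size beyond 64 bits is refused rather than wrapped to a small value. The function names and the sample size lines are constructed for this illustration.

```rust
// Added example, not hyper's own code: parse the hexadecimal size line that
// starts each chunk of an HTTP/1 chunked body. The checked variant rejects a
// size that does not fit in u64; the wrapping variant shows the failure mode.

fn hex_val(b: u8) -> Option<u64> {
    match b {
        b'0'..=b'9' => Some((b - b'0') as u64),
        b'a'..=b'f' => Some((b - b'a' + 10) as u64),
        b'A'..=b'F' => Some((b - b'A' + 10) as u64),
        _ => None,
    }
}

/// Hardened parse: checked_mul/checked_add return None on overflow, so a size
/// above u64::MAX is refused. Digits end at ';', whitespace or CRLF.
pub fn parse_chunk_size_checked(line: &[u8]) -> Option<u64> {
    let mut size: u64 = 0;
    let mut digits = 0usize;
    for &b in line {
        if matches!(b, b';' | b' ' | b'\t' | b'\r' | b'\n') {
            break;
        }
        size = size.checked_mul(16)?.checked_add(hex_val(b)?)?;
        digits += 1;
    }
    if digits == 0 { None } else { Some(size) }
}

/// Vulnerable-style parse for comparison: the same loop with wrapping
/// arithmetic. A 17-digit size such as 1000000000000000a wraps to 0xa, so the
/// parser expects a 10-byte chunk and reinterprets the rest of the body.
pub fn parse_chunk_size_wrapping(line: &[u8]) -> Option<u64> {
    let mut size: u64 = 0;
    let mut digits = 0usize;
    for &b in line {
        if matches!(b, b';' | b' ' | b'\t' | b'\r' | b'\n') {
            break;
        }
        size = size.wrapping_mul(16).wrapping_add(hex_val(b)?);
        digits += 1;
    }
    if digits == 0 { None } else { Some(size) }
}

fn main() {
    // Constructed sample size line: 2^64 + 10, which exceeds u64::MAX.
    let oversized = b"1000000000000000a\r\n";
    println!("checked:  {:?}", parse_chunk_size_checked(oversized));  // None
    println!("wrapping: {:?}", parse_chunk_size_wrapping(oversized)); // Some(10)
}
```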

Exploit · Fix

Weakness Enumeration

Integer Overflow

Related Identifiers

BDU:2022-02054
CVE-2021-32714
GHSA-5H46-H7HH-C6X9
OPENSUSE-SU-2024:11751-1
RUSTSEC-2021-0079

Affected Products

Hyper