PT-2024-22607 · Unknown · Tns Listener

Conradludgate · Published 2024-03-15 · Updated 2026-01-02

CVE-2024-28854

CVSS v3.1: 7.5 (High)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions: tls-listener versions prior to 0.10.0
Description: The default configuration of tls-listener makes any public service using TlsListener::new() vulnerable to a slow-loris DoS attack. A malicious user can open 6.4 TcpStreams per second, sending 0 bytes, and trigger a DoS. This is an instance of a slow-loris attack, which impacts any publicly accessible service using the default configuration of tls-listener.
Recommendations: For versions prior to 0.10.0, users are advised to upgrade to version 0.10.0 or later. As a temporary workaround for users unable to upgrade, consider passing a large value, such as usize::MAX, as the parameter to Builder::max_handshakes to mitigate this issue.
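An added model, not part of this advisory or of the tls-listener crate, of why the default configuration stalls the accept loop and why the Builder::max_handshakes workaround avoids it. It assumes the pre-0.10.0 defaults of 64 pending handshakes and a 10-second handshake timeout (which together give the advisory's 6.4 connections per second), and treats "only accept while a slot is free" as its reading of the bug rather than the crate's actual code.

```rust
use std::collections::VecDeque;
// Assumed pre-0.10.0 defaults of tls-listener (not stated in the advisory text).
pub const DEFAULT_MAX_HANDSHAKES: usize = 64;
pub const DEFAULT_HANDSHAKE_TIMEOUT_SECS: u64 = 10;

/// Model of the accept loop: a TCP connection is only taken off the listener while the
/// pool has a free slot, and a zero-byte connection keeps its slot until the timeout evicts it.
pub struct HandshakePool {
    max_handshakes: usize,
    timeout_secs: u64,
    pending: VecDeque<u64>, // eviction deadline (seconds) of each idle handshake, in order
}

impl HandshakePool {
    /// Passing usize::MAX (the advisory's workaround) makes the cap unreachable, so accept
    /// never blocks; the cost is holding up to rate * timeout idle handshakes at once.
    pub fn new(max_handshakes: usize, timeout_secs: u64) -> Self {
        Self { max_handshakes, timeout_secs, pending: VecDeque::new() }
    }

    fn evict_expired(&mut self, now: u64) {
        while self.pending.front().map_or(false, |&deadline| deadline <= now) {
            self.pending.pop_front();
        }
    }

    /// Simulate `idle_per_sec` zero-byte connections arriving every second. Returns the first
    /// second at which every slot is occupied (accept has stalled), or None within `horizon_secs`.
    pub fn seconds_until_stall(&mut self, idle_per_sec: usize, horizon_secs: u64) -> Option<u64> {
        for now in 0..horizon_secs {
            self.evict_expired(now);
            for _ in 0..idle_per_sec {
                if self.pending.len() >= self.max_handshakes {
                    break; // cap reached: later connections wait in the kernel backlog
                }
                self.pending.push_back(now + self.timeout_secs);
            }
            if self.pending.len() >= self.max_handshakes {
                return Some(now);
            }
        }
        None
    }
}

fn main() {
    let mut pool = HandshakePool::new(DEFAULT_MAX_HANDSHAKES, DEFAULT_HANDSHAKE_TIMEOUT_SECS);
    println!("default cap, 7 idle conns/s: stalls at second {:?}", pool.seconds_until_stall(7, 60));
}
```

With the assumed defaults, 6 idle connections per second never fills the pool while 7 per second fills it within ten seconds, which is the threshold the advisory's 6.4 figure describes.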

Weakness Enumeration

Resource Exhaustion

Related Identifiers

CVE-2024-28854
GHSA-2QPH-QPVM-2QF7
OPENSUSE-SU-2024:14009-1
RUSTSEC-2024-0341

Affected Products

Tns Listener