HPACK decoder panics on invalid input

Due to insufficient checking of input data, decoding certain data sequences can lead to Decoder::decode panicking rather than returning an error.

Example code that triggers this vulnerability looks like this:

```rust
use hpack::Decoder;

pub fn main() {
    let input = &[0x3f];
    let mut decoder = Decoder::new();
    let _ = decoder.decode(input);
}
```

hpack is unmaintained. A crate with the panics fixed has been published as hpack-patched.

Also consider using fluke-hpack or httlib-huffman as an alternative.
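The behavior the advisory asks for, returning an error rather than panicking on malformed bytes, is shown below for the HPACK prefix-coded integer of RFC 7541, section 5.1. This is an added example, not code from hpack or hpack-patched. `decode_integer` and `IntError` are hypothetical names, and reading `0x3f` with a 5-bit prefix is an assumption, since the page does not say which check the crate was missing.

```rust
// Added example, not code from the hpack crate. Decodes an HPACK
// prefix-coded integer (RFC 7541, section 5.1); every malformed input
// yields Err, so attacker-controlled bytes cannot cause a panic here.

#[derive(Debug, PartialEq)]
pub enum IntError {
    Empty,     // no input bytes at all
    BadPrefix, // prefix size outside 1..=8
    Truncated, // continuation announced but input ends
    Overflow,  // value does not fit in u32
}

/// Returns (value, bytes_consumed) on success.
pub fn decode_integer(buf: &[u8], prefix_bits: u8) -> Result<(u32, usize), IntError> {
    if !(1..=8).contains(&prefix_bits) {
        return Err(IntError::BadPrefix);
    }
    let first = *buf.first().ok_or(IntError::Empty)?;
    let mask = (0xffu16 >> (8 - prefix_bits)) as u8;
    let mut value = u64::from(first & mask);
    if first & mask != mask {
        return Ok((value as u32, 1)); // value fits in the prefix
    }
    // Prefix all ones: the rest arrives in 7-bit groups, low bits first.
    for (i, &b) in buf[1..].iter().enumerate() {
        if i >= 5 {
            return Err(IntError::Overflow); // more groups than a u32 needs
        }
        value += u64::from(b & 0x7f) << (7 * i);
        if value > u64::from(u32::MAX) {
            return Err(IntError::Overflow);
        }
        if b & 0x80 == 0 {
            return Ok((value as u32, i + 2)); // last group
        }
    }
    Err(IntError::Truncated)
}

fn main() {
    // 0x3f is the input from the advisory; the other inputs are constructed.
    let inputs: [&[u8]; 4] = [&[0x3f], &[0x0a], &[0x1f, 0x9a, 0x0a], &[]];
    for input in inputs {
        println!("{:02x?} -> {:?}", input, decode_integer(input, 5));
    }
}
```

Callers that parse untrusted HTTP/2 header blocks can fuzz such a function and assert that it only ever returns `Ok` or `Err`.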

CVSS v3:

  • Severity: Unknown
  • Score:
  • AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWEs: