RUSTSEC-2021-0081: Potential request smuggling capabilities due to lack of input validation
github-actions opened this issue · 1 comments
Potential request smuggling capabilities due to lack of input validation
| Details | |
|---|---|
| Package | actix-http |
| Version | 1.0.1 |
| Date | 2021-06-16 |
| Patched versions | >=2.2.1, <3.0.0,>=3.0.0-beta.9 |
Affected versions of this crate did not properly detect invalid requests that could allow HTTP/1 request smuggling (HRS) attacks when running alongside a vulnerable front-end proxy server. This can result in leaked internal and/or user data, including credentials, when the front-end proxy is also vulnerable.
Popular front-end proxies and load balancers already mitigate HRS attacks so it is recommended that they are also kept up to date; check your specific set up. You should upgrade even if the front-end proxy receives exclusively HTTP/2 traffic and connects to the back-end using HTTP/1; several downgrade attacks are known that can also expose HRS vulnerabilities.
See advisory page for additional details.
Roa removes actix from dependencies now.