The JFrog Security Research team has discovered and disclosed multiple DoS (Denial of Service) vulnerabilities in popular Rust projects such as Axum, Salvo and conduit-hyper.
In a recent blog post, JFrog says that all vulnerabilities stem from the same root cause, namely developers failing to set proper limits on HTTP requests when using the Hyper library.
JFrog disclosed that the vulnerability in Hyper lies in the function to_bytes. The function is used to copy request and response bodies into single byte buffers. Apparently, the function can be invoked in a dangerous and “inadvisable” manner when callers fail to set size limits.
“Without any length checks it is actually possible to abuse this issue for causing DoS even with a very small packet”, JFrog warns. The lack of size limitations when using Hyper is a serious issue that attackers can easily exploit to crash both HTTP clients and servers.
JFrog therefore “highly recommends” that all Rust projects using Hyper enforce a size limit on requests and responses. The three Rust projects mentioned above (Axum, Salvo and conduit-hyper) have fixed their code accordingly, but a large number of other vulnerable projects have not yet responded, according to JFrog.
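The mitigation JFrog recommends is a hard cap on how much body data a program will buffer. The following is an added example (not JFrog's, Hyper's or any of the named projects' code) that shows the check in dependency-free Rust: the body is modelled as a sequence of chunks rather than a real hyper body so it compiles stand-alone, and the 1024-byte limit and the sample bodies are constructed for illustration. Two things are enforced: a declared Content-Length above the limit is rejected before any data is read, and the running total is checked chunk by chunk so a stream with no declared length (or one that lies about it) is cut off the moment it exceeds the limit.

```rust
// Added example: buffering an HTTP body into one Vec<u8> with a size cap,
// the kind of check to apply before handing a body to hyper's to_bytes.
// The chunk iterator stands in for a streaming body; no hyper dependency.

#[derive(Debug, PartialEq)]
pub enum BodyError {
    /// The declared Content-Length already exceeds the limit; rejected before reading.
    DeclaredTooLarge { declared: usize, limit: usize },
    /// The stream grew past the limit while being read (chunked or lying Content-Length).
    StreamTooLarge { limit: usize },
}

/// Maximum body size this example accepts (constructed value; tune per deployment).
pub const MAX_BODY_BYTES: usize = 1024;

/// Collect `chunks` into a single buffer, refusing to grow beyond `limit` bytes.
/// `declared_len` is the Content-Length header when present; None for chunked bodies.
pub fn collect_body_limited<I>(
    declared_len: Option<usize>,
    chunks: I,
    limit: usize,
) -> Result<Vec<u8>, BodyError>
where
    I: IntoIterator<Item = Vec<u8>>,
{
    // Cheapest rejection first: an oversized declared length costs nothing to refuse.
    if let Some(declared) = declared_len {
        if declared > limit {
            return Err(BodyError::DeclaredTooLarge { declared, limit });
        }
    }

    // Do not pre-allocate from the declared length: it is attacker-controlled.
    // Grow only as data actually arrives and stop as soon as the cap is crossed.
    let mut buf: Vec<u8> = Vec::new();
    for chunk in chunks {
        let would_be = buf
            .len()
            .checked_add(chunk.len())
            .ok_or(BodyError::StreamTooLarge { limit })?;
        if would_be > limit {
            return Err(BodyError::StreamTooLarge { limit });
        }
        buf.extend_from_slice(&chunk);
    }
    Ok(buf)
}

fn main() {
    // Constructed sample bodies.
    let ok_body = vec![b"hello ".to_vec(), b"world".to_vec()];
    println!("{:?}", collect_body_limited(Some(11), ok_body, MAX_BODY_BYTES));

    // Tiny packet, huge declared length: rejected without reading a byte.
    let liar = vec![b"x".to_vec()];
    println!("{:?}", collect_body_limited(Some(1 << 30), liar, MAX_BODY_BYTES));

    // No declared length, stream keeps growing: cut off mid-stream.
    let chunked = vec![vec![0u8; 600], vec![0u8; 600]];
    println!("{:?}", collect_body_limited(None, chunked, MAX_BODY_BYTES));
}
```

With a real hyper body the same two checks map onto the body's size hint (the declared length) and a per-chunk running total while polling frames; the point is that the cap is enforced by the caller, since to_bytes itself does not impose one.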
Hyper is an extremely popular, low-level HTTP library written in Rust, JFrog says. Rather than being a full-featured HTTP server or client, Hyper serves as a ‘building block’ for implementing HTTP servers and clients, as it contains methods for responding to requests, parsing request bodies and generating proper HTTP responses. “Currently, this is Rust’s most popular HTTP library”, JFrog says.
Hyper has been downloaded more than 67 million times from crates.io. Its popularity is due to its usefulness as a foundation for more feature-rich HTTP clients and servers. In fact, two of the most popular Rust-based HTTP clients and servers (reqwest and warp) are built on top of Hyper. According to JFrog, there are currently 2579 projects on crates.io that depend on the library.