CVE Tools
Sign in

CVE-2021-32715

Lenient Parsing of Content-Length Header When Prefixed with Plus Sign

Published: Jul 7, 2021Updated: Nov 21, 2024 Sources: CVE List NVD GHSA BDUCWE-444
NVD MITRE
3.1CVSSLOW
EPSS Score
0.9%
Top 45.7%
CISA KEV
Not in KEV
Exploits
No Known Exploits
Remediation
Patch Available

Description

hyper is an HTTP library for rust. hyper's HTTP/1 server code had a flaw that incorrectly parses and accepts requests with a `Content-Length` header with a prefixed plus sign, when it should have been rejected as illegal. This combined with an upstream HTTP proxy that doesn't parse such `Content-Length` headers, but forwards them, can result in "request smuggling" or "desync attacks". The flaw exists in all prior versions of hyper prior to 0.14.10, if built with `rustc` v1.5.0 or newer. The vulnerability is patched in hyper version 0.14.10. Two workarounds exist: One may reject requests manually that contain a plus sign prefix in the `Content-Length` header or ensure any upstream proxy handles `Content-Length` headers with a plus sign prefix.

CVSS Vector Breakdown

AV:NAC:HPR:NUI:RS:UC:LI:NA:N
Exploitability
AV:NAttack Vector
Network
AC:HAttack Complexity
High
PR:NPrivileges Required
None
UI:RUser Interaction
Required
Scope
S:UScope
Unchanged
Impact
C:LConfidentiality
Low
I:NIntegrity
None
A:NAvailability
None
Open in CVSS calculator →

Weaknesses

CWE-444

Affected Products

hyperhyperium
Library
OSS Libraries / web-framework
hypercrates.ioOSS Libraries
hyperhyper
On-prem
Consumer Software
HyperHyperium
Library
OSS Libraries / web-framework
hyperiumoss-projectOSS Libraries
crates.iopackage-ecosystemOSS Libraries
hypeross-projectConsumer Software

Attack Graph

Products CVE Techniques Tactics

Click technique nodes to view MITRE ATT&CK details. Scroll to zoom, drag to pan.

Exploitability

Official Patch Available

MITRE ATT&CK

1 technique
Collection
View detailed technique mapping

References

https://github.com/hyperium/hyper/security/advisories/GHSA-f3pg-qwvg-p99c
github.com
https://github.com/rust-lang/rust/pull/28826/commits/123a83326fb95366e94a3be1a74775df4db97739
github.com
https://nvd.nist.gov/vuln/detail/CVE-2021-32715
nvd.nist.gov
and 8 more references View all →

Timeline

Published
Jul 7, 2021
Last Updated
Nov 21, 2024

Unlock Complete Vulnerability Intelligence

Get the full picture for CVE-2021-32715 and every CVE in our database. Create a free account — no credit card required.

Create Free Account
Plain-language analysis
Impact assessment and exploitation scenario in plain English
Attack graph visualization
Interactive attack path and kill chain mapping
Exploit details & PoC links
ExploitDB, Metasploit, GitHub PoCs with direct links
Nuclei scanner templates
Ready-to-use vulnerability scanner templates
Full remediation guide
Patch instructions, workarounds, and compliance impact
Interactive AI chat
Ask questions about this vulnerability in natural language
Related vulnerabilities
Semantically similar CVEs and attack patterns
REST API & MCP access
Integrate vulnerability data into your workflows