VYPR
Moderate severity · NVD Advisory · Published Aug 26, 2019 · Updated Aug 5, 2024

CVE-2017-18587

Description

An issue was discovered in the hyper crate before 0.9.18 for Rust. It mishandles newlines in headers.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

In hyper before 0.9.18, newline characters in HTTP headers are not sanitized, allowing header injection and request/response splitting.

Vulnerability Overview

The hyper HTTP library for Rust mishandles newline characters (\r and \n) during header serialization. This flaw allows an attacker to inject additional headers or split the HTTP message into multiple messages, a classic HTTP header injection and request/response splitting vulnerability [2].

Exploitation

An unauthenticated attacker can exploit this by simply including CRLF sequences in a header value sent to a vulnerable hyper client or server. No user interaction or network position beyond being able to send HTTP requests is required, as indicated by the CVSS vector (AV:N/AC:L/PR:N/UI:N) [2].

Impact

Successful exploitation can lead to HTTP request/response splitting, which may enable cache poisoning, session fixation, or cross-site scripting (XSS) attacks. The CVSS integrity impact is rated low because the attacker can modify message boundaries but not directly access sensitive data [2].

Mitigation

The vulnerability is fixed in hyper versions 0.9.18 and 0.10.2 and later. All users should upgrade to these patched versions to prevent exploitation.
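The header-serialization flaw described above, as an added std-only example that is not hyper's code and not taken from the advisory: a serializer that writes values verbatim beside one that refuses CR or LF. All type and function names are hypothetical, and the sample header is constructed.

```rust
// Added illustration, not hyper's implementation. All names are hypothetical.

#[derive(Debug, PartialEq)]
pub enum HeaderError {
    InvalidName,
    NewlineInValue,
}

/// Naive form: writes name and value verbatim, so a CR/LF inside the value
/// ends the line early and the rest is parsed as a separate header line.
pub fn serialize_naive(headers: &[(&str, &str)]) -> String {
    let mut out = String::new();
    for (name, value) in headers {
        out.push_str(&format!("{}: {}\r\n", name, value));
    }
    out.push_str("\r\n"); // blank line terminates the header block
    out
}

/// Hardened form: validates every pair before any byte is written.
/// Names must be RFC 7230 token characters; values must not contain CR or LF.
pub fn serialize_checked(headers: &[(&str, &str)]) -> Result<String, HeaderError> {
    for (name, value) in headers {
        let name_ok = !name.is_empty()
            && name.bytes().all(|b| {
                b.is_ascii_alphanumeric() || b"!#$%&'*+-.^_`|~".contains(&b)
            });
        if !name_ok {
            return Err(HeaderError::InvalidName);
        }
        if value.bytes().any(|b| b == b'\r' || b == b'\n') {
            return Err(HeaderError::NewlineInValue);
        }
    }
    Ok(serialize_naive(headers))
}

/// Number of header lines a receiver would parse before the blank line.
pub fn header_line_count(wire: &str) -> usize {
    wire.split("\r\n").take_while(|l| !l.is_empty()).count()
}

fn main() {
    // Constructed sample: a single header whose value embeds a CRLF.
    let tainted = [("X-Request-Tag", "abc\r\nSet-Cookie: sid=constructed")];
    println!("naive lines: {}", header_line_count(&serialize_naive(&tainted)));
    println!("checked: {:?}", serialize_checked(&tainted));
}
```

The same check in application code is a useful second layer on patched versions, since it rejects the input before it reaches any HTTP library.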

AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package             Affected versions       Patched versions
hyper (crates.io)   >= 0.10.0, < 0.10.2     0.10.2
hyper (crates.io)   < 0.9.18                0.9.18

Affected products

2
  • Rust/hyper crate (description)
  • ghsa-coords
    Range: >= 0.10.0, < 0.10.2

References

3
