CVE-2019-25009
Description
An issue was discovered in the http crate before 0.1.20 for Rust. The HeaderMap::Drain API can use a raw pointer, defeating soundness.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Unsafe raw pointer in HeaderMap::Drain API of Rust http crate before 0.1.20 allows memory corruption; patched in 0.1.20.
Vulnerability
The HeaderMap::Drain API in the Rust http crate (versions prior to 0.1.20) uses a raw pointer in a way that defeats Rust's memory safety guarantees, leading to unsoundness [1]. This flaw can cause memory corruption, including double-free conditions, as detailed in the RustSec advisory [2].
Exploitation
The vulnerability is reachable over the network without authentication or user interaction [2]. An attacker can exploit the unsound API by providing crafted input that triggers the flawed drain operation, potentially leading to arbitrary memory access.
Impact
Successful exploitation could result in high-impact consequences, including arbitrary code execution, information disclosure, or denial of service. The CVSS score is 9.8 (Critical) with a vector of AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H [2].
Mitigation
The issue is fixed in version 0.1.20 of the http crate [2]. Users should update to this version or later. No known workarounds exist.
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| http (crates.io) | < 0.1.20 | 0.1.20 |
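To find out whether a project still resolves an affected release, the `[[package]]` tables of its `Cargo.lock` can be compared against the patched version in the table above. The following is an added example, not code from the http crate or the advisory; the function names and the sample lockfile are constructed for illustration.

```rust
// Added example (not from the http project): flag locked `http` versions below 0.1.20.
const FIXED: (u64, u64, u64) = (0, 1, 20); // first patched release per the advisory
// Constructed sample lockfile for illustration.
const SAMPLE: &str = r#"
[[package]]
name = "http"
version = "0.1.17"

[[package]]
name = "http"
version = "0.2.9"
"#;

/// Parse "MAJOR.MINOR.PATCH", ignoring any pre-release or build suffix.
fn parse_version(v: &str) -> Option<(u64, u64, u64)> {
    let core = v.split(|c: char| c == '-' || c == '+').next()?;
    let mut parts = core.split('.').map(|p| p.parse::<u64>().ok());
    Some((parts.next()??, parts.next()??, parts.next()??))
}

/// Value of a `key = "value"` line, if the line sets `key`.
fn quoted_value<'a>(line: &'a str, key: &str) -> Option<&'a str> {
    let rest = line.trim().strip_prefix(key)?.trim_start().strip_prefix('=')?;
    rest.trim().strip_prefix('"')?.strip_suffix('"')
}

/// Every locked `http` version older than FIXED (unparseable ones are reported too).
fn vulnerable_http_versions(lockfile: &str) -> Vec<String> {
    let mut hits = Vec::new();
    let (mut name, mut version) = (None, None);
    // The trailing sentinel header flushes the last [[package]] table.
    for line in lockfile.lines().chain(std::iter::once("[[package]]")) {
        if line.trim_start().starts_with('[') {
            if let (Some("http"), Some(v)) = (name, version) {
                if parse_version(v).map_or(true, |p| p < FIXED) {
                    hits.push(v.to_string());
                }
            }
            name = None;
            version = None;
        } else if let Some(n) = quoted_value(line, "name") {
            name = Some(n);
        } else if let Some(v) = quoted_value(line, "version") {
            version = Some(v);
        }
    }
    hits
}
fn main() { println!("{:?}", vulnerable_http_versions(SAMPLE)); }
```

Versions are compared numerically per component, so `0.1.9` is correctly treated as older than `0.1.20`, which a plain string comparison would get wrong.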
Affected products (4)
- rust/http (description)
- osv-coords, 3 versions: < 0.146.3-r0 + 2 more
- (no CPE) range: < 0.146.3-r0
- (no CPE) range: < 0.146.3-r0
- (no CPE) range: < 0.1.20
References (3)
- github.com/advisories/GHSA-6rhx-hqxm-8p36 (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2019-25009 (ghsa, ADVISORY)
- rustsec.org/advisories/RUSTSEC-2019-0034.html (ghsa, x_refsource_MISC, WEB)