VYPR
High severity · NVD Advisory · Published Sep 14, 2020 · Updated Aug 4, 2024

CVE-2020-25574

Description

An issue was discovered in the http crate before 0.1.20 for Rust. An integer overflow in HeaderMap::reserve() could result in denial of service (e.g., an infinite loop).

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Integer overflow in http crate's HeaderMap::reserve() can cause infinite loop denial of service.

An integer overflow vulnerability exists in the HeaderMap::reserve() method of the http crate for Rust, versions prior to 0.1.20. The reserve() function uses usize::next_power_of_two(), which silently overflows to 0 when the requested capacity exceeds usize::MAX. This triggers an infinite probing loop in the hash map's internal grow() function, leading to a denial of service condition [2][3].
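The capacity computation described above, rewritten with checked arithmetic so an oversized reserve request is rejected instead of wrapping to a zero-sized table (an added example, not the http crate's own code; the function names, the error type and the minimum table size of 8 are assumptions):

```rust
/// Error returned instead of silently wrapping the capacity to 0.
#[derive(Debug, PartialEq, Eq)]
pub enum CapacityError {
    /// `len + additional` does not fit in a usize.
    LengthOverflow,
    /// The next power of two at or above the requested size does not fit in a usize.
    PowerOfTwoOverflow,
}

/// Largest power of two a usize can hold. Any request above it makes
/// `next_power_of_two()` wrap to 0 in release builds (and panic in debug builds).
pub const MAX_POWER_OF_TWO: usize = 1 << (usize::BITS - 1);

/// Hardened capacity computation (constructed illustration, not the crate's fix).
/// Both additions that can overflow use their checked variants, so the caller
/// gets an Err rather than a 0 capacity. A zero-sized table has no free slot,
/// which is exactly the condition under which a probe loop never terminates.
pub fn checked_raw_capacity(len: usize, additional: usize) -> Result<usize, CapacityError> {
    let wanted = len
        .checked_add(additional)
        .ok_or(CapacityError::LengthOverflow)?;
    // Assumed floor of 8 slots so an empty map still gets a sane allocation.
    let wanted = wanted.max(8);
    wanted
        .checked_next_power_of_two()
        .ok_or(CapacityError::PowerOfTwoOverflow)
}

/// Unchecked form mirroring the pre-0.1.20 behaviour the advisory describes.
/// Only safe to call with inputs at or below MAX_POWER_OF_TWO.
pub fn unchecked_raw_capacity(len: usize, additional: usize) -> usize {
    (len + additional).max(8).next_power_of_two()
}

fn main() {
    println!("{:?}", checked_raw_capacity(3, 10)); // Ok(16)
    println!("{:?}", checked_raw_capacity(0, MAX_POWER_OF_TWO)); // Ok(MAX_POWER_OF_TWO)
    println!("{:?}", checked_raw_capacity(0, MAX_POWER_OF_TWO + 1)); // Err(PowerOfTwoOverflow)
    println!("{:?}", checked_raw_capacity(1, usize::MAX)); // Err(LengthOverflow)
}
```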

The attack surface is network-based: an attacker can send specially crafted HTTP headers that cause the server to call HeaderMap::reserve() with a sufficiently large argument to trigger the integer overflow. No authentication or user interaction is required, and the attack complexity is low, making it easily exploitable [2]. The vulnerability is classified as high severity with a CVSS v3.1 base score of 7.5, impacting availability [2].

Successful exploitation results in a denial of service via an infinite loop, consuming CPU resources and potentially rendering the service unresponsive. There is no impact on confidentiality or integrity [2].

The issue was reported on November 16, 2019, and patched in the http crate version 0.1.20 released on October 1, 2020. Users are advised to update to the latest version. The vulnerability is also tracked as CVE-2019-25008 and GHSA-x7vr-c387-8w57 [2].

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package           Affected versions   Patched versions
http (crates.io)  < 0.1.20            0.1.20

Affected products: 4

Patches: 0 (no patches discovered yet)

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

References: 4

News mentions: 0 (no linked articles in our index yet)