VYPR
Critical severity · NVD Advisory · Published Dec 31, 2020 · Updated Aug 4, 2024

CVE-2020-35863

Description

An issue was discovered in the hyper crate before 0.12.34 for Rust. HTTP request smuggling can occur. Remote code execution can occur in certain situations with an HTTP server on the loopback interface.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Before version 0.12.34, the hyper crate's HTTP client sent the body of a GET request without its body-framing header, which allows HTTP request smuggling against the receiving server; the NVD description adds that this can lead to remote code execution in certain loopback server setups.

Vulnerability

The hyper crate for Rust, prior to version 0.12.34, mishandles GET requests that carry a body together with an explicit body-framing header such as Transfer-Encoding: chunked. On the assumption that a GET has no body, the client strips the header, but it still writes the body bytes to the connection, so they reach the server with no framing at all. A server that follows the HTTP/1.1 message-length rules sees a request with neither Transfer-Encoding nor Content-Length, treats it as bodiless, and parses the trailing bytes as the start of the next request on the same connection. The v0.12.34 changelog records the fix as allowing client GET requests with explicit body headers (issue #1925) [1][2].

Exploitation

Exploitation requires control over the method and body of a request that a vulnerable hyper client sends, which is the situation for a proxy, gateway, or webhook service that forwards user-supplied requests upstream. The attacker places a complete second HTTP request in the body of a GET; the client drops the framing header, the body reaches the upstream server unframed, and the server handles it as a separate request that never passed through the forwarding component's header filtering or access checks. The NVD description states that this can result in remote code execution in certain situations with an HTTP server on the loopback interface, but gives no further detail on that scenario [1][2]. The CVSS score of 9.8 corresponds to a network attack vector with low attack complexity and no authentication or user interaction required [2].
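To make the framing mistake concrete, the following added example (written for this page; it is not hyper's code and does not use hyper) encodes a GET that carries a body both the pre-0.12.34 way and the fixed way, then feeds each byte stream to a small parser that applies the HTTP/1.1 message-length rules a server would. The host name backend.internal, the smuggled /admin request and the X-Internal-Admin header are constructed for the demonstration.

```rust
// Added illustration (not hyper's code): models the framing bug behind
// CVE-2020-35863 with the standard library only. The host name, the
// smuggled /admin request and the X-Internal-Admin header are constructed.
use std::collections::HashMap;

/// One HTTP/1.1 request as a server would recover it from the wire.
#[derive(Debug, PartialEq)]
pub struct Request {
    pub method: String,
    pub target: String,
    pub headers: HashMap<String, String>, // names lower-cased
    pub body: Vec<u8>,
}

/// How the client encodes a GET that carries a body.
#[derive(Clone, Copy)]
pub enum ClientMode {
    /// Pre-0.12.34 behaviour as described by the advisory: the explicit
    /// framing header is dropped because "GETs have no body", but the body
    /// bytes are still written after the blank line.
    StripFramingHeader,
    /// Fixed behaviour: an explicit Transfer-Encoding: chunked is honoured and
    /// the body is chunk-encoded, so the server knows where it ends.
    KeepFramingHeader,
}

pub fn serialize_get(target: &str, body: &[u8], mode: ClientMode) -> Vec<u8> {
    let mut out = format!("GET {} HTTP/1.1\r\nHost: backend.internal\r\n", target).into_bytes();
    match mode {
        ClientMode::StripFramingHeader => {
            out.extend_from_slice(b"\r\n");
            out.extend_from_slice(body); // unframed: nothing ties these bytes to the GET
        }
        ClientMode::KeepFramingHeader => {
            out.extend_from_slice(b"Transfer-Encoding: chunked\r\n\r\n");
            out.extend_from_slice(format!("{:x}\r\n", body.len()).as_bytes());
            out.extend_from_slice(body);
            out.extend_from_slice(b"\r\n0\r\n\r\n"); // last chunk, empty trailer
        }
    }
    out
}

fn find(haystack: &[u8], needle: &[u8]) -> Option<usize> {
    haystack.windows(needle.len()).position(|w| w == needle)
}

/// Decode a chunked body; returns the body and the unread remainder.
fn read_chunked(mut input: &[u8]) -> (Vec<u8>, &[u8]) {
    let mut body = Vec::new();
    loop {
        let line_end = find(input, b"\r\n").expect("chunk-size line");
        let size_text = std::str::from_utf8(&input[..line_end]).expect("ascii chunk size");
        let size = usize::from_str_radix(size_text.trim(), 16).expect("hex chunk size");
        input = &input[line_end + 2..];
        if size == 0 {
            return (body, &input[2..]); // skip the CRLF that ends the trailer section
        }
        body.extend_from_slice(&input[..size]);
        input = &input[size + 2..]; // chunk data plus its CRLF
    }
}

/// Split a connection's byte stream into requests using the HTTP/1.1
/// message-length rules: a body exists only if Transfer-Encoding: chunked or
/// Content-Length says so; otherwise the next byte starts a new request.
pub fn parse_stream(mut input: &[u8]) -> Vec<Request> {
    let mut requests = Vec::new();
    while let Some(head_end) = find(input, b"\r\n\r\n") {
        let head = std::str::from_utf8(&input[..head_end]).expect("ascii head");
        let mut lines = head.split("\r\n");
        let mut request_line = lines.next().unwrap_or("").split(' ');
        let method = request_line.next().unwrap_or("").to_string();
        let target = request_line.next().unwrap_or("").to_string();
        let headers: HashMap<String, String> = lines
            .filter_map(|line| line.split_once(':'))
            .map(|(name, value)| (name.trim().to_ascii_lowercase(), value.trim().to_string()))
            .collect();
        input = &input[head_end + 4..];

        let chunked = headers
            .get("transfer-encoding")
            .map_or(false, |v| v.eq_ignore_ascii_case("chunked"));
        let body = if chunked {
            let (body, rest) = read_chunked(input);
            input = rest;
            body
        } else if let Some(len) = headers.get("content-length").and_then(|v| v.parse::<usize>().ok()) {
            let body = input[..len].to_vec();
            input = &input[len..];
            body
        } else {
            Vec::new()
        };
        requests.push(Request { method, target, headers, body });
    }
    requests
}

fn main() {
    // Constructed payload: a complete second request hidden in the GET body.
    let smuggled = b"GET /admin HTTP/1.1\r\nHost: backend.internal\r\nX-Internal-Admin: 1\r\n\r\n";
    for (label, mode) in [
        ("framing header stripped (pre-0.12.34)", ClientMode::StripFramingHeader),
        ("explicit framing kept (0.12.34+)", ClientMode::KeepFramingHeader),
    ] {
        let parsed = parse_stream(&serialize_get("/", smuggled, mode));
        let targets: Vec<&str> = parsed.iter().map(|r| r.target.as_str()).collect();
        println!("{}: server sees {} request(s) {:?}", label, parsed.len(), targets);
    }
}
```

With the framing header dropped, the parser recovers two requests, the second carrying a header the forwarding component never saw; with Transfer-Encoding: chunked kept, it recovers one request whose body is the payload. Any upstream server that implements the same length rules, which is what the specification requires, splits the stream the same way.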

Impact

Successful exploitation lets the attacker smuggle arbitrary requests past the component that issued the GET, reaching endpoints or supplying headers that the component would otherwise have blocked; per the NVD description this can extend to remote code execution when the receiving server is on the loopback interface [1][2]. The advisory rates the resulting impact on the affected service's confidentiality, integrity, and availability as a full compromise [2].

Mitigation

The vulnerability is fixed in hyper version 0.12.34 (released Sep 4, 2019) and later [2]; users should upgrade to the patched version. The advisory lists no workaround. The issue is also tracked in the RustSec advisory database [2][4].

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package | Ecosystem | Affected versions    | Patched versions
hyper   | crates.io | >= 0.11.0, < 0.12.34 | 0.12.34

Affected products: 2

Patches: 1
c83b54dc8877 (tag v0.12.34) · https://github.com/hyperium/hyper · Sean McArthur · Sep 4, 2019 · via osv
3 files changed · +13 −2
  • Cargo.toml (+1 −1, modified)
    @@ -1,6 +1,6 @@
     [package]
     name = "hyper"
    -version = "0.12.33" # don't forget to update html_root_url
    +version = "0.12.34" # don't forget to update html_root_url
     description = "A fast and correct HTTP library."
     readme = "README.md"
     homepage = "https://hyper.rs"
    
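Review bot: the version string in Cargo.toml is duplicated by hand in src/lib.rs's html_root_url, as the inline comment `# don't forget to update html_root_url` in this hunk admits; a release bump that touches only one of the two would publish docs pointing at the wrong version. Consider generating the doc URL from the crate version at build time, or adding a CI check that the two strings match, so the reminder comment is no longer load-bearing.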
  • CHANGELOG.md (+11 −0, modified)
    @@ -1,3 +1,14 @@
    +### v0.12.34 (2019-09-04)
    +
    +
    +#### Bug Fixes
    +
    +* **client:** allow client GET requests with explicit body headers ([23fc8b08](https://github.com/hyperium/hyper/commit/23fc8b0806e7fde435ca00479cd5e3c8c5bdeee7), closes [#1925](https://github.com/hyperium/hyper/issues/1925))
    +
    +
    +### v0.12.33 (2019-07-15)
    +
    +
     ### v0.12.32 (2019-07-08)
     
     
    
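Review bot: this changelog entry is the only place in the shown patch that identifies the security fix; the behavioural change lives in the linked commit 23fc8b08 (closes #1925), while the commit on this page only bumps version strings, so anyone auditing the fix needs to follow that link rather than this diff. The entry is also filed as a plain bug fix under "client: allow client GET requests with explicit body headers"; given the request-smuggling impact, it should say that it is a security fix so that downstream users scanning release notes pick it up. Minor: the `### v0.12.33 (2019-07-15)` heading added in the same hunk has no entries under it.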
  • src/lib.rs (+1 −1, modified)
    @@ -1,4 +1,4 @@
    -#![doc(html_root_url = "https://docs.rs/hyper/0.12.33")]
    +#![doc(html_root_url = "https://docs.rs/hyper/0.12.34")]
     #![deny(missing_docs)]
     #![deny(missing_debug_implementations)]
     #![cfg_attr(test, deny(warnings))]
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 4
