CVE-2020-35901
Description
An issue was discovered in the actix-http crate before 2.0.0-alpha.1 for Rust. There is a use-after-free in BodyStream.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Use-after-free in actix-http's BodyStream due to lack of pinning, allowing memory corruption and potential denial of service.
Vulnerability
Overview
CVE-2020-35901 is a use-after-free vulnerability in the BodyStream type of the actix-http crate for Rust, affecting versions prior to 2.0.0-alpha.1. The root cause is that the crate did not require the buffer wrapped in BodyStream to be pinned, leading to undefined behavior when the stream is polled after the underlying data has been moved or replaced [1][3]. This violates Rust's memory safety guarantees, as the MessageBody trait took &mut self instead of Pin<&mut Self>, so safe code could trigger unsound operations [4].
Exploitation
An attacker can exploit this vulnerability by crafting a request that causes the BodyStream to be polled after its internal buffer has been freed or relocated. The attack requires no authentication or special privileges, and can be performed over the network with low complexity [3]. The issue is triggered through normal HTTP request handling when the body stream is processed in a way that violates pinning invariants, as demonstrated in the proof-of-concept code provided in the GitHub issue [4].
Impact
Successful exploitation leads to memory corruption, which can result in a denial of service (availability impact) due to crashes or undefined behavior. The CVSS v3.1 score is 7.5 (HIGH) with an attack vector of network and no user interaction required [3]. Confidentiality and integrity are not directly affected, but the memory corruption could potentially be leveraged for further attacks in specific contexts.
Mitigation
The vulnerability is fixed in actix-http version 2.0.0-alpha.1 and later [1][3]. Users should update to the patched version or apply the recommended change to the MessageBody trait so that poll_next takes Pin<&mut Self>. No workarounds are documented, and the advisory notes that the affected versions are no longer supported [3].
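As an added illustration of the fix described above (example code written for this page, not actix-http's own code): a minimal MessageBody-style trait whose receiver is Pin<&mut Self>, a BodyStream-like wrapper that keeps its inner stream pinned on the heap so that projecting to it needs no unsafe code, and a small single-threaded driver. The trait, the ChunkStream sample input and the collect_body driver are assumptions constructed for this example; only the receiver shape matches the real fix.

```rust
use std::pin::Pin;
use std::sync::Arc;
use std::task::{Context, Poll, Wake, Waker};

/// Stand-in for actix-http's `MessageBody` trait, written for this example
/// (not the crate's real definition). The receiver is `Pin<&mut Self>`, the
/// shape the fix for CVE-2020-35901 moved to: with `&mut self` the implementor
/// had to assume the body would not move between polls, an assumption that
/// safe callers could break.
pub trait MessageBody {
    fn poll_next(self: Pin<&mut Self>, cx: &mut Context<'_>) -> Poll<Option<Vec<u8>>>;
}

/// Constructed sample stream: yields each chunk only after first returning
/// `Pending` once, so every chunk spans two polls of the same pinned value.
pub struct ChunkStream {
    chunks: Vec<Vec<u8>>,
    pos: usize,
    pending_sent: bool,
}

impl ChunkStream {
    pub fn new(chunks: &[&str]) -> Self {
        ChunkStream {
            chunks: chunks.iter().map(|c| c.as_bytes().to_vec()).collect(),
            pos: 0,
            pending_sent: false,
        }
    }
}

impl MessageBody for ChunkStream {
    fn poll_next(self: Pin<&mut Self>, cx: &mut Context<'_>) -> Poll<Option<Vec<u8>>> {
        // ChunkStream holds only a Vec and scalars, so it is Unpin and get_mut is safe.
        let this = self.get_mut();
        if this.pos >= this.chunks.len() {
            return Poll::Ready(None);
        }
        if !this.pending_sent {
            this.pending_sent = true;
            cx.waker().wake_by_ref(); // ask to be polled again
            return Poll::Pending;
        }
        this.pending_sent = false;
        let chunk = this.chunks[this.pos].clone();
        this.pos += 1;
        Poll::Ready(Some(chunk))
    }
}

/// BodyStream-like wrapper (hypothetical). The inner stream is stored already
/// pinned on the heap, so reaching it needs no `Pin::new_unchecked`, and the
/// inner value is never moved after its first poll whatever the caller does
/// with the wrapper.
pub struct BodyStream<S> {
    inner: Pin<Box<S>>,
}

impl<S: MessageBody> BodyStream<S> {
    pub fn new(stream: S) -> Self {
        BodyStream { inner: Box::pin(stream) }
    }
}

impl<S: MessageBody> MessageBody for BodyStream<S> {
    fn poll_next(self: Pin<&mut Self>, cx: &mut Context<'_>) -> Poll<Option<Vec<u8>>> {
        // Pin<Box<S>> is Unpin for any S, so BodyStream<S> is Unpin and get_mut is safe.
        self.get_mut().inner.as_mut().poll_next(cx)
    }
}

/// Waker that does nothing; the driver below simply polls again.
struct NoopWake;
impl Wake for NoopWake {
    fn wake(self: Arc<Self>) {}
}

/// Drive a body to completion on the current thread; returns (bytes, poll count).
pub fn collect_body<B: MessageBody>(body: B) -> (Vec<u8>, usize) {
    let waker = Waker::from(Arc::new(NoopWake));
    let mut cx = Context::from_waker(&waker);
    let mut body = Box::pin(body); // pinned once, never moved again
    let mut out = Vec::new();
    let mut polls = 0;
    loop {
        polls += 1;
        match body.as_mut().poll_next(&mut cx) {
            Poll::Ready(Some(chunk)) => out.extend_from_slice(&chunk),
            Poll::Ready(None) => return (out, polls),
            // The sample stream wakes immediately, so polling again is correct
            // here; a real executor would park until woken.
            Poll::Pending => {}
        }
    }
}

fn main() {
    let body = BodyStream::new(ChunkStream::new(&["hello, ", "world"]));
    let (bytes, polls) = collect_body(body);
    println!("{} bytes in {} polls", bytes.len(), polls);
}
```

Boxing the inner stream is the simplest way to get a sound projection without a pin-projection crate; a library that wants to avoid the allocation would instead use a structural pin projection (for example the pin-project crate) with the same Pin<&mut Self> receiver. The point the driver makes is that once the body has been pinned, the compiler, not the implementor, guarantees it stays put between the Pending and the Ready poll.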
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| actix-http (crates.io) | < 2.0.0 | 2.0.0 |
Affected products
- Rust/actix-http
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-v3j6-xf77-8r9c (GitHub Security Advisory)
- nvd.nist.gov/vuln/detail/CVE-2020-35901 (NVD advisory)
- github.com/actix/actix-web/issues/1321 (actix-web issue)
- rustsec.org/advisories/RUSTSEC-2020-0048.html (RustSec advisory)
News mentions
No linked articles in our index yet.