CVE-2020-36202
Description
An issue was discovered in the async-h1 crate before 2.3.0 for Rust. Request smuggling can occur when used behind a reverse proxy.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
The async-h1 crate before 2.3.0 is vulnerable to request smuggling when deployed behind a reverse proxy, allowing header forgery or capture of other users' requests.
The async-h1 crate for Rust contains a request smuggling vulnerability (CVE-2020-36202) that affects versions prior to 2.3.0. The root cause lies in how the server handles HTTP request bodies: if the server does not read the body of a request longer than a specific buffer length, async-h1 will interpret the subsequent bytes as a new request, leading to smuggling [1][3].
Exploitation occurs when async-h1 is deployed behind a reverse proxy. An attacker can craft a request whose body contains a second, malicious request. The reverse proxy may not detect the smuggled request, allowing the attacker to forge headers like X-Forwarded-For. In keep-alive connections, the smuggled request can specify a long Content-Length to capture another user's request in its body [3].
The impact is significant: an attacker can inject arbitrary headers, potentially bypassing security controls or impersonating users. They may also steal sensitive data from other requests, as the smuggled request can capture and expose their content [1][3].
Mitigation is straightforward: upgrade to async-h1 version 2.3.0 or later, which fixes the issue. All prior versions have been yanked from crates.io to prevent further use. Users of the Tide web framework (which depends on async-h1) should also update their dependencies [1][3].
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| async-h1 (crates.io) | < 2.3.0 | 2.3.0 |
Affected products
- Rust/async-h1 crate
Patches
1b1651f3f786a (cargo-release) version 2.3.0
1 file changed · +1 −1
Cargo.toml+1 −1 modified@@ -1,6 +1,6 @@ [package] name = "async-h1" -version = "2.2.1" +version = "2.3.0" license = "MIT OR Apache-2.0" repository = "https://github.com/http-rs/async-h1" documentation = "https://docs.rs/async-h1"
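Review bot: this hunk only bumps `version = "2.2.1"` to `version = "2.3.0"` in Cargo.toml; the request-parsing change that actually addresses the smuggling behaviour described above (consuming the full body of an over-length request before the next request is parsed) is not in this diff, so the "Patches" entry documents the release rather than the fix. Link or include the commit that changes the body handling so readers can verify the fix against the description.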
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-c8rq-crxj-mj9m (advisory)
- nvd.nist.gov/vuln/detail/CVE-2020-36202 (advisory)
- github.com/http-rs/async-h1/releases/tag/v2.3.0 (web)
- rustsec.org/advisories/RUSTSEC-2020-0093.html (web)
News mentions
No linked articles in our index yet.