Multiple Transfer-Encoding headers misinterprets request payload
Description
hyper is an open-source HTTP library for Rust (crates.io). In hyper from version 0.12.0 and before versions 0.13.10 and 0.14.3 there is a vulnerability that can enable a request smuggling attack. The HTTP server code had a flaw that incorrectly understands some requests with multiple transfer-encoding headers to have a chunked payload, when it should have been rejected as illegal. This combined with an upstream HTTP proxy that understands the request payload boundary differently can result in "request smuggling" or "desync attacks". To determine if vulnerable, all these things must be true: 1) Using hyper as an HTTP server (the client is not affected), 2) Using HTTP/1.1 (HTTP/2 does not use transfer-encoding), 3) Using a vulnerable HTTP proxy upstream to hyper. If an upstream proxy correctly rejects the illegal transfer-encoding headers, the desync attack cannot succeed. If there is no proxy upstream of hyper, hyper cannot start the desync attack, as the client will repair the headers before forwarding. This is fixed in versions 0.14.3 and 0.13.10. As a workaround one can take the following options: 1) Reject requests that contain a transfer-encoding header, 2) Ensure any upstream proxy handles transfer-encoding correctly.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
hyper HTTP server (Rust) incorrectly parses multiple Transfer-Encoding headers, enabling request smuggling via a vulnerable upstream proxy.
Vulnerability
CVE-2021-21299 is a request smuggling vulnerability in the hyper HTTP server library for Rust. The flaw resides in how hyper parses requests containing multiple Transfer-Encoding headers. According to RFC 7230, such malformed requests should be rejected outright. However, due to a missing boolean assignment in the header parsing logic, hyper would incorrectly treat the payload as chunked when it encountered multiple Transfer-Encoding headers, as long as one of them contained the value chunked [2][4]. This behavior was introduced in version 0.12.0 and affects all versions prior to 0.13.10 and 0.14.3 [2].
Exploitation
Exploitation requires a specific setup. The attacker sends a crafted HTTP/1.1 request with multiple Transfer-Encoding headers to an upstream proxy that interprets the request's body boundary differently than hyper. The upstream proxy must be vulnerable (i.e., not properly reject the malformed headers) and must forward the ambiguous request to hyper. If either the proxy correctly rejects the request or there is no proxy, the attack cannot succeed [2][4]. The attack does not require authentication and can be performed remotely over the network [3].
Impact
If the conditions are met, an attacker can perform HTTP request smuggling (also known as desync attacks), potentially leading to cache poisoning, credential theft, or unauthorized access to internal APIs. The CVSS score of 8.1 (HIGH) reflects the potential for severe impacts on confidentiality, integrity, and availability [3]. The attack can effectively splice the attacker's malicious request into legitimate user requests, allowing the attacker to manipulate the HTTP conversation between the client, proxy, and hyper server [1][2].
Mitigation
The vulnerability is fixed in hyper versions 0.14.3 and 0.13.10 [4]. Users unable to upgrade can apply workarounds: reject any incoming requests that contain a Transfer-Encoding header at the server level, or ensure that any upstream proxy correctly handles and rejects malformed Transfer-Encoding headers according to the HTTP specification [2][4]. No known public exploit code has been widely reported as of the publication date.
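A Rust model of the framing decision described in the Vulnerability section, with the pre-fix and post-fix loop side by side, plus the first workaround from the Mitigation section. This is an added example, not hyper's code; `is_chunked_value` approximates hyper's `is_chunked_` by checking the last comma-separated coding of a header value (assumption), and the constructed inputs mirror the header lines from the fix's regression test.

```rust
/// How the server will frame the request body.
#[derive(Debug, PartialEq)]
pub enum Framing { Chunked, NoBody }

/// Approximates hyper's `is_chunked_` (assumption): the last comma-separated
/// coding in a single header value must be `chunked`.
pub fn is_chunked_value(value: &str) -> bool {
    value.rsplit(',').next()
        .map(|last| last.trim().eq_ignore_ascii_case("chunked"))
        .unwrap_or(false)
}

/// Walk the Transfer-Encoding values in wire order. `reset_on_other` toggles
/// the one-line fix (the `else` branch) on or off.
fn framing(te_values: &[&str], reset_on_other: bool) -> Result<Framing, &'static str> {
    let mut is_te = false;
    let mut is_te_chunked = false;
    for value in te_values {
        is_te = true;
        if is_chunked_value(value) {
            is_te_chunked = true;
        } else if reset_on_other {
            is_te_chunked = false; // fix: a later non-chunked coding clears the flag
        }
    }
    // RFC 7230 3.3.3: Transfer-Encoding present but not ending in chunked
    // cannot be framed, so the request must be rejected.
    if is_te && !is_te_chunked {
        return Err("transfer-encoding doesn't end in chunked");
    }
    Ok(if is_te_chunked { Framing::Chunked } else { Framing::NoBody })
}

/// Constructed model of hyper before 0.13.10 / 0.14.3 (not hyper's own code).
pub fn framing_vulnerable(te_values: &[&str]) -> Result<Framing, &'static str> {
    framing(te_values, false)
}

/// Behaviour after the fix commit.
pub fn framing_fixed(te_values: &[&str]) -> Result<Framing, &'static str> {
    framing(te_values, true)
}

/// Advisory workaround 1: refuse any request that carries Transfer-Encoding.
pub fn framing_workaround(te_values: &[&str]) -> Result<Framing, &'static str> {
    if te_values.is_empty() { Ok(Framing::NoBody) } else { Err("transfer-encoding not accepted") }
}
```

With the two header lines `chunked` then `afterlol`, `framing_vulnerable` returns `Chunked` while `framing_fixed` returns an error; a non-chunked coding followed by `chunked` is accepted by both, as RFC 7230 allows.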
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| hyper (crates.io) | >= 0.14.0, < 0.14.3 | 0.14.3 |
| hyper (crates.io) | >= 0.13.0, < 0.13.10 | 0.13.10 |
| hyper (crates.io) | >= 0.12.0, < 0.12.36 | 0.12.36 |
Affected products
- hyperium/hyper (range: < 0.13.10)
Patches
8f93123efef5 fix(http1): fix server misinterpreting multiple Transfer-Encoding headers
1 file changed · +12 −0
src/proto/h1/role.rs+12 −0 modified@@ -213,6 +213,8 @@ impl Http1Transaction for Server { if headers::is_chunked_(&value) { is_te_chunked = true; decoder = DecodedLength::CHUNKED; + } else { + is_te_chunked = false; } } header::CONTENT_LENGTH => { @@ -1444,6 +1446,16 @@ mod tests { "transfer-encoding doesn't end in chunked", ); + parse_err( + "\ + POST / HTTP/1.1\r\n\ + transfer-encoding: chunked\r\n\ + transfer-encoding: afterlol\r\n\ + \r\n\ + ", + "transfer-encoding multiple lines doesn't end in chunked", + ); + // http/1.0 assert_eq!(
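Review bot: in the `else` branch added to the `TRANSFER_ENCODING` arm in src/proto/h1/role.rs, `is_te_chunked` is reset to false but `decoder` keeps the `DecodedLength::CHUNKED` value assigned on an earlier iteration, so the two can disagree once the loop ends; that is only safe if the post-loop check that yields "transfer-encoding doesn't end in chunked" rejects whenever `is_te_chunked` is false. Suggest resetting `decoder` in the same branch, or adding a comment saying the later check is what guarantees rejection, so a future refactor does not pick up the stale decoder.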
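Review bot: the new `parse_err` case in `mod tests` only pins the order `transfer-encoding: chunked` followed by `transfer-encoding: afterlol`; add the mirror case with a non-chunked coding on the first line and `chunked` on the second, which RFC 7230 permits and the parser should still accept as chunked, so the test shows the fix rejects the wrong ordering rather than multiple Transfer-Encoding lines in general.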
References
- github.com/advisories/GHSA-6hfq-h8hq-87mf (GitHub Security Advisory)
- nvd.nist.gov/vuln/detail/CVE-2021-21299
- crates.io/crates/hyper
- github.com/hyperium/hyper/commit/8f93123efef5c1361086688fe4f34c83c89cec02
- github.com/hyperium/hyper/security/advisories/GHSA-6hfq-h8hq-87mf
- portswigger.net/research/http-desync-attacks-request-smuggling-reborn
- rustsec.org/advisories/RUSTSEC-2021-0020.html