VYPR
High severity · NVD Advisory · Published Oct 31, 2022 · Updated Apr 23, 2025

(DoS) Denial of Service from unchecked request length in conduit-hyper

CVE-2022-39294

Description

conduit-hyper integrates a conduit application with the hyper server. Prior to version 0.4.2, conduit-hyper did not check any limit on a request's length before calling `hyper::body::to_bytes`. An attacker could send a malicious request with an abnormally large Content-Length, which could lead to a panic if memory allocation failed for that request. In version 0.4.2, conduit-hyper sets an internal limit of 128 MiB per request, otherwise returning status 400 ("Bad Request"). This crate is part of the implementation of Rust's crates.io, but that service is not affected due to its existing cloud infrastructure, which already drops such malicious requests. Even with the new limit in place, conduit-hyper is not recommended for production use, nor to directly serve the public Internet.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

conduit-hyper before 0.4.2 lacked request length limits, enabling remote attackers to cause denial of service via large Content-Length headers.

Vulnerability

Overview

CVE-2022-39294 is a denial-of-service vulnerability in conduit-hyper, a Rust crate that integrates a conduit application with the hyper HTTP server. Prior to version 0.4.2, the crate did not enforce any limit on the size of incoming request bodies before calling hyper::body::to_bytes. This allowed an attacker to send a request with an abnormally large Content-Length header, causing the server to attempt a memory allocation that could fail and trigger a panic, effectively crashing the server process [1][3].

Exploitation

The attack is trivially exploitable over the network without authentication or user interaction. An attacker simply sends an HTTP request with a Content-Length value large enough to exhaust available memory. The server then attempts to allocate a buffer of that size, leading to a panic if allocation fails. The fix introduced in commit 4d225a5 adds a check that rejects requests with a Content-Length greater than 128 MiB, returning a 400 Bad Request status [2].

Impact

Successful exploitation results in a complete denial of service, as the server process terminates. The CVSS 3.1 base score is 7.5 (HIGH) with vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H, reflecting the ease of attack and the high availability impact [3]. No confidentiality or integrity impact is involved.

Mitigation

The vulnerability is patched in conduit-hyper version 0.4.2 and later. However, the crate is explicitly not recommended for production use or direct exposure to the public internet; it is intended only for internal use within the crates.io codebase, which itself is protected by cloud infrastructure that drops malicious requests [1][4]. Users are advised to either upgrade to 0.4.2 or, more importantly, place the server behind a production-grade reverse proxy that enforces request size limits [4].
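The two layers of defence the advisory describes, as an added example that is not conduit-hyper's own code: a header-level check in the spirit of the 0.4.2 fix (ASCII, parses as u64, at most 128 MiB, and, going beyond the fix, disagreeing duplicate headers are rejected), plus a body reader that counts bytes as they actually arrive, which is the "higher in the stack" limit the fix's comment says chunked requests still need. Header names, values and the `Verdict` type are constructed for illustration; nothing here depends on hyper.

```rust
use std::io::{self, Read};

/// Cap from the conduit-hyper 0.4.2 fix (128 MiB), reused here for illustration.
pub const MAX_BODY_BYTES: u64 = 128 * 1024 * 1024;

/// Result of validating headers before any body buffer is allocated.
#[derive(Debug, PartialEq)]
pub enum Verdict {
    Accept(Option<u64>),      // declared Content-Length; None when absent (e.g. chunked)
    BadRequest(&'static str), // reason to log alongside the 400
}
/// Header-level check in the spirit of the fix: each Content-Length value must be ASCII,
/// parse as u64 and stay within the cap; unlike the fix, disagreeing duplicates are rejected.
pub fn check_content_length(headers: &[(&str, &[u8])]) -> Verdict {
    let mut declared: Option<u64> = None;
    for (name, value) in headers {
        if !name.eq_ignore_ascii_case("content-length") { continue; }
        let text = match std::str::from_utf8(value) {
            Ok(t) if t.is_ascii() => t,
            _ => return Verdict::BadRequest("not ASCII"),
        };
        let n = match text.parse::<u64>() {
            Ok(n) => n,
            Err(_) => return Verdict::BadRequest("not a u64"),
        };
        if declared.map_or(false, |prev| prev != n) {
            return Verdict::BadRequest("conflicting values");
        }
        declared = Some(n);
    }
    match declared {
        Some(n) if n > MAX_BODY_BYTES => Verdict::BadRequest("too large"),
        other => Verdict::Accept(other),
    }
}

/// Read a body while counting the bytes that actually arrive, so a chunked request
/// (no Content-Length) cannot grow past the cap either; no header-sized up-front buffer.
pub fn read_body_bounded<R: Read>(mut body: R, cap: u64) -> io::Result<Vec<u8>> {
    let mut buf = Vec::new();
    let mut chunk = [0u8; 8192];
    loop {
        let n = body.read(&mut chunk)?;
        if n == 0 { return Ok(buf); }
        if buf.len() as u64 + n as u64 > cap {
            return Err(io::Error::new(io::ErrorKind::InvalidData, "body exceeds cap"));
        }
        buf.extend_from_slice(&chunk[..n]);
    }
}
```

A server wired this way never allocates from the header value alone, so the over-declared Content-Length that triggers this CVE costs it nothing, and a chunked flood is cut off at the cap instead of growing unbounded.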

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: conduit-hyper (crates.io)
Affected versions: >= 0.2.0-alpha.3, < 0.4.2
Patched versions: 0.4.2


Patches

1 patch: 4d225a532065

Reject requests with a `Content-Length` greater than 128 MB

https://github.com/conduit-rust/conduit-hyper · Justin Geibel · Aug 30, 2022 · via ghsa
2 files changed · +71 −1
  • README.md (+15 −0, modified)
    @@ -3,6 +3,21 @@
     This crate integrates a `hyper 0.14` server with a `conduit 0.10` application
     stack.
     
    +## Usage
    +
    +This crate is in maintenance mode, intended only for use within the crates.io
    +codebase. If you wish to use this crate please reach out to us in the
    +[issue-tracker](https://github.com/conduit-rust/conduit-hyper/issues).
    +
    +While some protection against large requests is provided, this server should
    +not be exposed directly to the public internet. It is highly recommended that
    +the server be used behind a production-grade reverse-proxy for such
    +applications. 
    +
    +Potential security vulnerabilities should be reported per our [security policy].
    +
    +[security policy]: https://github.com/conduit-rust/.github/security/policy
    +
     ## Error and Panic Handling
     
     If the application handler returns an `Err(_)` the server will log the
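Review bot: the new Usage section says "some protection against large requests is provided" without naming the limit or its gap; since this same change caps the declared `Content-Length` at 128 MiB and the code's own doc comment notes that chunked requests can still grow past that, state both here (e.g. "Requests declaring a Content-Length above 128 MiB are rejected with 400; chunked bodies are not bounded") so operators know what the reverse proxy still has to enforce. Also drop the trailing space after "applications." at the end of that paragraph.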
    
  • src/service/blocking_handler.rs (+56 −1, modified)
    @@ -6,9 +6,17 @@ use crate::{ConduitResponse, HyperResponse};
     use std::net::SocketAddr;
     use std::sync::Arc;
     
    +use conduit::header::CONTENT_LENGTH;
     use conduit::{Handler, StartInstant, StatusCode};
    +use hyper::body::HttpBody;
     use hyper::{Body, Request, Response};
    -use tracing::error;
    +use tracing::{error, warn};
    +
    +/// The maximum size allowed in the `Content-Length` header
    +///
    +/// Chunked requests may grow to be larger over time if that much data is actually sent.
    +/// See the usage section of the README if you plan to use this server in production.
    +const MAX_CONTENT_LENGTH: u64 = 128 * 1024 * 1024; // 128 MB
     
     #[derive(Debug)]
     pub struct BlockingHandler<H: Handler> {
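Review bot: the unit in the trailing comment on `const MAX_CONTENT_LENGTH` is off: `128 * 1024 * 1024` is 128 MiB (134,217,728 bytes), not 128 MB, and the advisory text itself says MiB; change the comment to `// 128 MiB` so the documented limit and the enforced one agree. The new `use hyper::body::HttpBody;` is only there for the `size_hint()` trait method used in `check_content_length` further down, which merits a short comment since nothing in this hunk calls it.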
    @@ -28,6 +36,10 @@ impl<H: Handler> BlockingHandler<H> {
             request: Request<Body>,
             remote_addr: SocketAddr,
         ) -> Result<HyperResponse, ServiceError> {
    +        if let Err(response) = check_content_length(&request) {
    +            return Ok(response);
    +        }
    +
             let (parts, body) = request.into_parts();
             let now = StartInstant::now();
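Review bot: the early return happens before `remote_addr` is used, so the `warn!` emitted inside `check_content_length` cannot identify the client; pass `remote_addr` into the check (or log it next to `return Ok(response);`) so a burst of oversized-Content-Length requests can be attributed during triage. Returning `Ok(response)` rather than a `ServiceError` is the right choice here, since a 400 is a normal response and not a handler failure.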
     
    @@ -69,3 +81,46 @@ fn server_error_response(message: &str) -> HyperResponse {
             .body(body)
             .expect("Unexpected invalid header")
     }
    +
    +/// Check for `Content-Length` values that are invalid or too large
    +///
    +/// If a `Content-Length` is provided then `hyper::body::to_bytes()` may try to allocate a buffer
    +/// of this size upfront, leading to a process abort and denial of service to other clients.
    +///
    +/// This only checks for requests that claim to be too large. If the request is chunked then it
    +/// is possible to allocate larger chunks of memory over time, by actually sending large volumes of
    +/// data. Request sizes must be limited higher in the stack to protect against this type of attack.
    +fn check_content_length(request: &Request<Body>) -> Result<(), HyperResponse> {
    +    fn bad_request(message: &str) -> HyperResponse {
    +        warn!("Bad request: Content-Length {}", message);
    +
    +        Response::builder()
    +            .status(StatusCode::BAD_REQUEST)
    +            .body(Body::empty())
    +            .expect("Unexpected invalid header")
    +    }
    +
    +    if let Some(content_length) = request.headers().get(CONTENT_LENGTH) {
    +        let content_length = match content_length.to_str() {
    +            Ok(some) => some,
    +            Err(_) => return Err(bad_request("not ASCII")),
    +        };
    +
    +        let content_length = match content_length.parse::<u64>() {
    +            Ok(some) => some,
    +            Err(_) => return Err(bad_request("not a u64")),
    +        };
    +
    +        if content_length > MAX_CONTENT_LENGTH {
    +            return Err(bad_request("too large"));
    +        }
    +    }
    +
    +    // A duplicate check, aligning with the specific impl of `hyper::body::to_bytes`
    +    // (at the time of this writing)
    +    if request.size_hint().lower() > MAX_CONTENT_LENGTH {
    +        return Err(bad_request("size_hint().lower() too large"));
    +    }
    +
    +    Ok(())
    +}
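Review bot: `bad_request` logs only a fixed reason string; in the "too large" branch include the parsed `content_length` (and the `size_hint().lower()` value in the duplicate check) so the logs show how far past the 128 MiB cap a request was, which is what a detection rule or a later retuning of the limit needs. The rustdoc correctly notes that chunked bodies are not bounded by this check; consider pointing from there to the README's reverse-proxy requirement, since readers of the generated docs will not see the README.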
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
