Update Rust crate actix-http to v3.12.1 [SECURITY]#194
renovate[bot] wants to merge 1 commit into
This PR contains the following updates:
actix-http: 3.12.0 → 3.12.1
actix-http has HTTP/1.1 CL.TE Request Smuggling (GHSA-xhj4-vrgc-hr34)
A vulnerability in `actix-http`'s HTTP/1.1 request parser allows an unauthenticated remote client to smuggle requests in deployments where a front-end HTTP intermediary and the Actix backend disagree about whether `Content-Length` or `Transfer-Encoding: chunked` defines the request body length.
Severity
Medium.
This is an HTTP request smuggling vulnerability that can be triggered over the network without application-level credentials. Exploitation requires a specific proxy topology: an upstream proxy, WAF, load balancer, or similar intermediary must use `Content-Length` framing while forwarding the conflicting `Transfer-Encoding: chunked` request to an Actix backend over a reused HTTP/1.1 connection.
Affected Versions
actix-http: versions up to and including 3.12.0
Description
HTTP/1.1 requests that contain both `Content-Length` and `Transfer-Encoding: chunked` are ambiguous and must be rejected by recipients to avoid request smuggling.
Affected versions of `actix-http` accepted a request with a syntactically valid `Content-Length` header and `Transfer-Encoding: chunked` on the same HTTP/1.1 message. The parser then selected chunked decoding instead of rejecting the conflicting framing signals.
In a CL.TE proxy topology, an intermediary may treat bytes after the declared `Content-Length` body as part of the first request, while the Actix backend stops at the terminating chunk marker and parses the remaining bytes on the backend connection as a second HTTP request. This creates a backend-side request desynchronization primitive.
The issue is limited to HTTP/1.1 request parsing.
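The framing decision the advisory says the parser should have made, as an added Rust example that is not actix-http's own code: a request head carrying both `Content-Length` and `Transfer-Encoding` is rejected outright instead of being decoded as chunked. It goes slightly beyond the advisory's case by also refusing repeated `Content-Length` headers with differing values and transfer codings that do not end in `chunked`; the request heads used with it are constructed.

```rust
// Added example, not actix-http's own code: pick HTTP/1.1 request body framing
// and refuse the ambiguous Content-Length + Transfer-Encoding combination.
#[derive(Debug, PartialEq)]
pub enum Framing {
    ContentLength(u64), // body length given by Content-Length
    Chunked,            // chunked is the final transfer coding
    Empty,              // no body-length indicator at all
}

#[derive(Debug, PartialEq)]
pub enum FramingError {
    ConflictingFraming,        // both CL and TE present: the advisory's case
    BadContentLength,          // non-decimal, or repeated with different values
    UnsupportedTransferCoding, // TE present but chunked is not the final coding
}

/// `head` is the request line plus header lines, without the body.
pub fn decide_framing(head: &str) -> Result<Framing, FramingError> {
    let mut content_length: Option<u64> = None;
    let mut transfer_encoding: Option<String> = None;
    for line in head.lines().skip(1) { // skip the request line
        let Some((name, value)) = line.split_once(':') else { continue };
        let value = value.trim();
        if name.eq_ignore_ascii_case("content-length") {
            // Only plain ASCII digits; a repeated identical value is tolerated.
            let n = value.bytes().all(|b| b.is_ascii_digit())
                .then(|| value.parse::<u64>().ok()).flatten()
                .ok_or(FramingError::BadContentLength)?;
            match content_length {
                Some(prev) if prev != n => return Err(FramingError::BadContentLength),
                _ => content_length = Some(n),
            }
        } else if name.eq_ignore_ascii_case("transfer-encoding") {
            transfer_encoding = Some(value.to_ascii_lowercase());
        }
    }
    match (content_length, transfer_encoding) {
        // Never choose one framing when both are present; reject the message.
        (Some(_), Some(_)) => Err(FramingError::ConflictingFraming),
        (None, Some(te)) => match te.rsplit(',').next().map(str::trim) {
            Some("chunked") => Ok(Framing::Chunked),
            _ => Err(FramingError::UnsupportedTransferCoding),
        },
        (Some(n), None) => Ok(Framing::ContentLength(n)),
        (None, None) => Ok(Framing::Empty),
    }
}
```

Because the decision is made from the head alone, a conflicting request is refused before any body bytes are read, so nothing is left on the connection to be parsed as a second request.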
Impact
HTTP request smuggling
`actix-http` versions behind an HTTP/1.1 intermediary that forwards ambiguous `Content-Length` plus `Transfer-Encoding: chunked` requests and reuses backend connections.
No direct confidentiality, availability, or subsequent-system impact is scored for this advisory.
Fixed Versions
This issue is fixed in actix-http 3.12.1.
The fix rejects HTTP/1.1 requests that contain both `Content-Length` and `Transfer-Encoding: chunked` instead of choosing one framing interpretation.
Mitigation
Users should upgrade to actix-http 3.12.1 or later.
Applications that depend on `actix-http` through `actix-web`, `awc`, or another Actix crate should ensure dependency resolution selects `actix-http` 3.12.1 or later. For example:
If an immediate upgrade is not possible, configure all upstream HTTP intermediaries to reject HTTP/1.1 requests that contain both `Content-Length` and `Transfer-Encoding`, and avoid forwarding ambiguous request framing to Actix backends.
Credits
Actix thanks mufeedvh who disclosed this issue through coordinated disclosure.
Severity
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
References
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
Configuration
📅 Schedule: (UTC)
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.