CVE-2022-31394: 
NixOS vulnerability analysis and mitigation

CVE-2022-31394 affects Hyperium Hyper versions before 0.14.19. The vulnerability was discovered in May 2022 and relates to the HTTP/2 protocol implementation in the software. The issue stems from the inability to customize the maxheaderlist_size method in the H2 third-party software (CVE Details, MITRE).

The vulnerability exists because Hyper before version 0.14.19 does not allow for customization of the maxheaderlistsize method in the H2 third-party software. The default value of maxheaderlistsize in h2 is set to 16MB, which can be exploited in HTTP/2 attacks. The issue affects the SETTINGSMAXHEADERLISTSIZE parameter, which is meant to inform peers of the maximum size of header list that the sender is prepared to accept (GitHub Issue).

An attacker can exploit this vulnerability by sending continuous frames without ending, where each continuance frame is approximately 10KB. By using multiple threads to send 1023 continuance frames (about 10MB each), the attack can potentially cause memory exhaustion on the target service (GitHub Issue).

The vulnerability was fixed in Hyper version 0.14.19 by adding the ability to customize the HTTP/2 SETTINGSMAXHEADERLISTSIZE parameter. Users should upgrade to version 0.14.19 or later to address this security issue (GitHub PR).