CVE-2022-39294: 
Rust vulnerability analysis and mitigation

The vulnerability (CVE-2022-39294) affects conduit-hyper, a package that integrates conduit applications with the hyper server, in versions prior to 0.4.2. The vulnerability was discovered by Ori Hollander from the JFrog Security Research team and was disclosed on October 30, 2022. The issue affects all versions from 0.2.0-alpha.3 up to, but not including, version 0.4.2 (GitHub Advisory).

The vulnerability stems from conduit-hyper's failure to implement request length validation before calling hyper::body::to_bytes. The severity is rated as HIGH with a CVSS v3.1 base score of 7.5 (Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H). The vulnerability is classified under CWE-400 (Uncontrolled Resource Consumption) and CWE-1284 (Improper Validation of Specified Quantity in Input) (NVD).

An attacker could exploit this vulnerability by sending a malicious request with an abnormally large Content-Length, potentially causing a panic if memory allocation fails for that request. While this package is part of Rust's crates.io implementation, that service remains unaffected due to its cloud infrastructure, which already filters such malicious requests (GitHub Advisory).

The vulnerability was patched in version 0.4.2, which implements an internal limit of 128 MiB per request and returns a status 400 ("Bad Request") when exceeded. However, even with this fix, the developers explicitly state that conduit-hyper is not recommended for production use or direct exposure to the public Internet (GitHub Advisory).