CVE-2024-23644
Rust vulnerability analysis and mitigation

Overview

Trillium, a composable toolkit for building internet applications with async rust, disclosed a vulnerability (CVE-2024-23644) affecting trillium-http prior to 0.3.12 and trillium-client prior to 0.5.4. The vulnerability was discovered by divergentdave and reported to the maintainers, with patches issued within 24 hours of acknowledgment on January 23, 2024 (Vendor Advisory).

Technical details

The vulnerability stems from insufficient validation of outbound header values in both request and response handling. Both trillium_http::HeaderValue and trillium_http::HeaderName could be constructed infallibly, without rejecting illegal bytes, and were then written to the wire unchecked when the client sent a request or the server sent a response. This vulnerability has been assigned a CVSS v3.1 base score of 8.1 (HIGH) by NVD with vector CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H, while GitHub assessed it at 6.8 (MEDIUM) with vector CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N (NVD).

Impact

The vulnerability could allow attackers to perform request splitting or response splitting attacks if they gain sufficient control over header values or names. This could potentially lead to the client and server becoming out of sync, enabling attackers to pivot and gain control over other parts of requests or responses. The impact could include data exfiltration from other requests and Server-Side Request Forgery (SSRF) attacks (Vendor Advisory).

Mitigation and workarounds

For trillium-http version 0.3.12 and later, invalid header names and their associated values are omitted from network transmission in server response headers. Individual invalid header values are also omitted while other valid values with the same header name are kept. In trillium-client version 0.5.4 and later, if any header name or value is invalid in client request headers, the client returns an Error::MalformedHeader before any network access. As a workaround, applications should sanitize or validate untrusted input used in header names and values, rejecting carriage return (0x0D), line feed (0x0A), and NUL (0x00) bytes (Vendor Advisory).
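As an added example (not trillium's own code, and not the patch the maintainers shipped), the following standalone Rust validator implements the advisory's workaround on the application side: it rejects header names and values containing carriage return, line feed or NUL before they are handed to any HTTP client or server library, and reports the offending byte and its offset so the rejection can be logged. The RFC 9110 token rule for names and the rejection of the remaining ASCII control characters are assumptions that go beyond the advisory's minimum; the HeaderError type, the function names and the sample inputs are constructed for this example.

```rust
// Added example, not trillium's code: application-side validation of
// untrusted header names and values, applied before they reach an HTTP
// library. The bytes that enable request/response splitting (CR, LF, NUL)
// are always rejected; the stricter rules below are assumptions of this
// example, not requirements stated by the advisory.

#[derive(Debug, PartialEq, Eq)]
pub enum HeaderError {
    Empty,
    /// The first offending byte and its offset within the input.
    IllegalByte { byte: u8, offset: usize },
}

/// RFC 9110 "tchar": the characters permitted in a header field name.
fn is_tchar(b: u8) -> bool {
    b.is_ascii_alphanumeric() || b"!#$%&'*+-.^_`|~".contains(&b)
}

/// Validate a header name: non-empty and made only of token characters.
/// This is stricter than "no CR/LF/NUL" on purpose (assumption).
pub fn validate_header_name(name: &str) -> Result<&str, HeaderError> {
    if name.is_empty() {
        return Err(HeaderError::Empty);
    }
    match name.bytes().enumerate().find(|(_, b)| !is_tchar(*b)) {
        Some((offset, byte)) => Err(HeaderError::IllegalByte { byte, offset }),
        None => Ok(name),
    }
}

/// Validate a header value: no CR, LF or NUL anywhere in the bytes.
/// Other ASCII control characters except HTAB are also rejected, and
/// DEL too; bytes >= 0x80 (RFC 9110 obs-text) are allowed (assumption).
pub fn validate_header_value(value: &[u8]) -> Result<&[u8], HeaderError> {
    let illegal = |b: u8| {
        b == b'\r' || b == b'\n' || b == 0 || (b < 0x20 && b != b'\t') || b == 0x7f
    };
    match value.iter().enumerate().find(|(_, b)| illegal(**b)) {
        Some((offset, &byte)) => Err(HeaderError::IllegalByte { byte, offset }),
        None => Ok(value),
    }
}

/// Check a name/value pair together; the first failure wins.
pub fn check_header<'a>(name: &'a str, value: &'a [u8]) -> Result<(&'a str, &'a [u8]), HeaderError> {
    let n = validate_header_name(name)?;
    let v = validate_header_value(value)?;
    Ok((n, v))
}

fn main() {
    // Constructed sample inputs: one clean pair, one value carrying a CRLF
    // (the shape a splitting attempt takes), one name with a space, and
    // one value with a stray trailing newline from a line-oriented source.
    let samples: &[(&str, &str)] = &[
        ("X-Request-Id", "abc123"),
        ("Location", "https://example.invalid/\r\nX-Injected: 1"),
        ("Bad Name", "ok"),
        ("X-Tag", "value\n"),
    ];
    for (name, value) in samples {
        match check_header(name, value.as_bytes()) {
            Ok(_) => println!("accepted {name:?}: {value:?}"),
            Err(e) => println!("rejected {name:?}: {value:?} -> {e:?}"),
        }
    }
}
```

A rejected pair should be dropped or the whole request failed rather than "repaired" by stripping bytes, since a stripped value may still carry an attacker-chosen header name or value fragment; logging the byte and offset is enough to make the rejection observable.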

Additional resources

Source

This report was generated using AI.

Related Rust vulnerabilities:

CVE ID             Severity  Score  Technologies  Component name  CISA KEV exploit  Has fix  Published date
CVE-2026-22863     CRITICAL  9.2    Rust          deno            No                Yes      Jan 15, 2026
CVE-2026-23519     HIGH      8.9    Rust          yazi            No                Yes      Jan 15, 2026
RUSTSEC-2026-0003  HIGH      8.9    Rust          cmov            No                Yes      Jan 14, 2026
CVE-2026-22864     HIGH      8.1    Rust          deno            No                Yes      Jan 15, 2026
CVE-2026-22782     LOW       2.9    Rust          rustfs          No                Yes      Jan 16, 2026
