GHSA-f67m-9j94-qv9j: 
Rust vulnerability analysis and mitigation

A high severity vulnerability was identified in the Hyper crate (Rust) affecting versions prior to 0.14.12. The vulnerability involves unsound usage of mem::uninitialized() in the HTTP1 parser when creating values of type httparse::Header. The issue was discovered and disclosed in June 2022, impacting the core HTTP parsing functionality of the Hyper library (GitHub Advisory, RustSec Advisory).

The vulnerability stems from the improper initialization of memory in the HTTP1 parser. Specifically, the code called mem::uninitialized() to create values of type httparse::Header from the httparse crate. This implementation was deemed unsound because Header contains references that must be non-null, making the use of uninitialized memory inappropriate for this type (RustSec Advisory).

The use of uninitialized memory in reference types could lead to undefined behavior in Rust programs using the affected versions of Hyper. This is particularly concerning as Hyper is a foundational HTTP library in the Rust ecosystem, potentially affecting numerous dependent applications (GitHub Advisory).

The vulnerability was patched in version 0.14.12 of the Hyper crate. The fix involved replacing the usage of mem::uninitialized() with MaybeUninit, which provides a safe way to handle uninitialized memory. Users are advised to upgrade to version 0.14.12 or later to resolve this security issue (GitHub PR, RustSec Advisory).