RUSTSEC-2021-0079: 
Rust vulnerability analysis and mitigation

hyper, an HTTP library for Rust, was found to contain a vulnerability (CVE-2021-32714/RUSTSEC-2021-0079) in versions prior to 0.14.10. The vulnerability involves an integer overflow issue in the HTTP server and client code when decoding chunk sizes that are too large. This security flaw was discovered by Mattias Grenfeldt and Asta Olofsson and was publicly disclosed on July 7, 2021 (GitHub Advisory).

The vulnerability occurs when processing HTTP/1.1 chunked transfer-encoding requests or responses. The flaw lies in hyper's handling of chunk sizes, where it only reads the rightmost 64-bit integer as the chunk size. For example, in a chunk size of 'f0000000000000003', hyper would only read it as '3', potentially leading to incorrect data processing (GitHub Advisory).

The vulnerability can result in two primary impacts: data loss due to improper truncation of body content, and potential request smuggling or desync attacks when used with an upstream proxy that handles chunk sizes differently. The issue specifically affects HTTP/1.1 communications, as HTTP/2 does not use chunked encoding and is therefore not vulnerable (GitHub Advisory).

The vulnerability has been patched in version 0.14.10 of hyper. For those unable to upgrade immediately, two workarounds are available: 1) reject requests manually that contain a Transfer-Encoding header, or 2) ensure any upstream proxy rejects Transfer-Encoding chunk sizes greater than what fits in 64-bit unsigned integers (GitHub Advisory, Debian Tracker).