RUSTSEC-2024-0009: 
Rust vulnerability analysis and mitigation

RUSTSEC-2024-0009 (CVE-2024-23644) is a high-severity vulnerability affecting the trillium-http (versions < 0.3.12) and trillium-client (versions < 0.5.4) Rust packages. The vulnerability was discovered by divergentdave and was patched on January 24, 2024. The issue involves insufficient validation of outbound header values that could lead to request splitting or response splitting attacks (GitHub Advisory).

The vulnerability stems from insufficient validation of outbound header values and names in both trillium-http and trillium-client packages. The HeaderValue and HeaderName could be constructed infallibly without proper checks for illegal bytes during request/response transmission. This could allow attackers to inject \r\n sequences if they have control over header values or names, potentially leading to request/response splitting attacks (GitHub Advisory).

If exploited, this vulnerability could allow attackers to get the client and server out of sync, potentially leading to data exfiltration from other requests or Server-Side Request Forgery (SSRF) attacks. The impact is significant in scenarios where attackers have sufficient control over outbound headers and can insert \r\n sequences (GitHub Advisory).

The vulnerability has been patched in trillium-http version 0.3.12 and trillium-client version 0.5.4. For trillium-http, invalid header names and values in server responses are now omitted from network transmission. For trillium-client, if any header name or value is invalid, the client returns an Error::MalformedHeader before network access. As a workaround, applications should sanitize or validate untrusted input used in header values and names, ensuring carriage return, newline, and null characters are not allowed (GitHub Advisory).