GHSA-f67m-9j94-qv9j: Parser creates invalid uninitialized value

June 16, 2022

Affected versions of this crate called mem::uninitialized() in the HTTP1 parser to create values of type httparse::Header (from the httparse crate). This is unsound, since Header contains references and thus must be non-null.

The flaw was corrected by avoiding the use of mem::uninitialized(), using MaybeUninit instead.

References

github.com/advisories/GHSA-f67m-9j94-qv9j
github.com/hyperium/hyper
github.com/hyperium/hyper/pull/2545
rustsec.org/advisories/RUSTSEC-2022-0022.html

Code Behaviors & Features

Detect and mitigate GHSA-f67m-9j94-qv9j with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →