CVE-2023-26044 – ReactPHP's HTTP server continues parsing unused multipart parts after reaching limits
https://notcve.org/view.php?id=CVE-2023-26044
react/http is an event-driven, streaming HTTP client and server implementation for ReactPHP. Previous versions of ReactPHP's HTTP server component contain a potential DoS vulnerability that can cause high CPU load when processing large HTTP request bodies. This vulnerability has little to no impact on the default configuration, but can be exploited when explicitly using the RequestBodyBufferMiddleware with very large settings. This might lead to consuming large amounts of CPU time for processing requests and significantly delay or slow down the processing of legitimate user requests. This issue has been addressed in release 1.9.0. • https://github.com/reactphp/http/commit/9681f764b80c45ebfb5fe2ea7da5bd3babfcdcfd https://github.com/reactphp/http/security/advisories/GHSA-95x4-j7vc-h8mf • CWE-400: Uncontrolled Resource Consumption •
CVE-2022-36032 – ReactPHP's HTTP server parses encoded cookie names so malicious `__Host-` and `__Secure-` cookies can be sent
https://notcve.org/view.php?id=CVE-2022-36032
ReactPHP HTTP is a streaming HTTP client and server implementation for ReactPHP. In ReactPHP's HTTP server component versions starting with 0.7.0 and prior to 1.7.0, when ReactPHP is processing incoming HTTP cookie values, the cookie names are url-decoded. This may lead to cookies with prefixes like `__Host-` and `__Secure-` confused with cookies that decode to such prefix, thus leading to an attacker being able to forge cookie which is supposed to be secure. This issue is fixed in ReactPHP HTTP version 1.7.0. As a workaround, Infrastructure or DevOps can place a reverse proxy in front of the ReactPHP HTTP server to filter out any unexpected `Cookie` request headers. • https://github.com/reactphp/http/commit/663c9a3b77b71463fa7fcb76a6676ffd16979dd6 https://github.com/reactphp/http/pull/175 https://github.com/reactphp/http/releases/tag/v1.7.0 https://github.com/reactphp/http/security/advisories/GHSA-w3w9-vrf5-8mx8 • CWE-20: Improper Input Validation CWE-565: Reliance on Cookies without Validation and Integrity Checking •
CVE-2019-25009
https://notcve.org/view.php?id=CVE-2019-25009
An issue was discovered in the http crate before 0.1.20 for Rust. The HeaderMap::Drain API can use a raw pointer, defeating soundness. Se detectó un problema en la crate http versiones anteriores a 0.1.20 para Rust. La API de la función HeaderMap::Drain puede usar un puntero sin procesar, derrotando la solidez. • https://rustsec.org/advisories/RUSTSEC-2019-0034.html • CWE-415: Double Free •
CVE-2020-35669
https://notcve.org/view.php?id=CVE-2020-35669
An issue was discovered in the http package through 0.12.2 for Dart. If the attacker controls the HTTP method and the app is using Request directly, it's possible to achieve CRLF injection in an HTTP request. Se detectó un problema en el paquete http versiones hasta 0.12.2 para Dart. Si el atacante controla el método HTTP y la aplicación está usando una Request directamente, es posible lograr una inyección de CRLF en una petición HTTP • https://github.com/n0npax/CVE-2020-35669 https://github.com/dart-lang/http/blob/master/CHANGELOG.md#0133 https://github.com/dart-lang/http/issues/511 • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') •
CVE-2020-25574
https://notcve.org/view.php?id=CVE-2020-25574
An issue was discovered in the http crate before 0.1.20 for Rust. An integer overflow in HeaderMap::reserve() could result in denial of service (e.g., an infinite loop). Se detectó un problema en la crate http versiones anteriores a 0.1.20 para Rust. Un desbordamiento de enteros en la función HeaderMap::reserve() podría resultar en denegación de servicio (por ejemplo, un bucle infinito) • https://github.com/hyperium/http/issues/352 https://rustsec.org/advisories/RUSTSEC-2019-0033.html • CWE-190: Integer Overflow or Wraparound CWE-835: Loop with Unreachable Exit Condition ('Infinite Loop') •