A CVE has been issued for hyper. Denial of Service possible

• h2

  8 1,321 7.7 Rust

  HTTP 2.0 client & server implementation for Rust.

  

But they've also known about the issue for almost a year. In the h2 issue, they were alerted in no uncertain terms that it carried a DDoS risk. Other people also requested a CVE in public.

• hyper

  100 13,957 9.2 Rust

  An HTTP library for Rust (by hyperium)

  

The fact that this issue was open for almost a year doesn't indicate much attention to security. There are also some other issues issue open which look like the would enable simmilar attacks.

• InfluxDB

  www.influxdata.com featured

  Power Real-Time Data Analytics at Scale. Get real-time insights from all types of time series data with InfluxDB. Ingest, query, and analyze billions of data points in real-time with unbounded cardinality.

  

• advisory-database

  11 1,643 10.0

  Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

  

Yep, you can see the history here: https://github.com/github/advisory-database/commits/main/advisories/github-reviewed/2023/04/GHSA-f8vr-r385-rh5r/GHSA-f8vr-r385-rh5r.json

• GHSA-f8vr-r385-rh5r

  2 - -

• napkin-math

  13 3,117 6.3 Rust

  Techniques and numbers for estimating system's performance from first-principles

So napkin maths time. Typical cross-world bog-standard network speeds for a single TCP channel of ~25MiBps. A single HEADERS+RST pair is likely < 128 bytes (40 for the HEADERS + whatever payload, and 32 for the RST). So 8 pairs per K, 8K pairs per MiB, 200K pairs per 25MiB...

• rustsec

  33 1,532 9.5 Rust

  RustSec API & Tooling

  

PSA: before filing CVEs for other people's projects, file an issue with https://rustsec.org instead

Suggest a related project