HTTP Request Smuggling The advisory has been revoked - it doesn't affect any version of package tiny-http  (opens in a new tab)


Threat Intelligence

Exploit Maturity
Proof of Concept
EPSS
1.07% (61st percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk IDSNYK-RUST-TINYHTTP-569106
  • published16 Jun 2020
  • disclosed16 Jun 2020
  • creditSam Sanoop of Snyk Security Team

Introduced: 16 Jun 2020

CVE-2020-35884  (opens in a new tab)
CWE-200  (opens in a new tab)
First added by Snyk

Amendment

This was deemed not a vulnerability.

Overview

tiny-http is a Low level HTTP server library

Affected versions of this package are vulnerable to HTTP Request Smuggling. HTTP pipelining issues and request smuggling attacks might be possible due to incorrect Transfer encoding header parsing.

It is possible conduct HTTP request smuggling attacks (CL:TE/TE:TE) by sending invalid Transfer Encoding headers. By manipulating the HTTP response the attacker could poison a web-cache, perform an XSS attack, or obtain sensitive information from requests other than their own.