cvedb.io
CVE-2022-39294
HIGH · CVSS 7.5
EPSS exploitation probability: 0%
Published 2022-10-31T19:15:10.593 · Last modified 2026-06-17T04:58:05.317

Summary

conduit-hyper integrates a conduit application with the hyper server. Prior to version 0.4.2, `conduit-hyper` did not check any limit on a request's length before calling [`hyper::body::to_bytes`](https://docs.rs/hyper/latest/hyper/body/fn.to_bytes.html). An attacker could send a malicious request with an abnormally large `Content-Length`, which could lead to a panic if memory allocation failed for that request. In version 0.4.2, `conduit-hyper` sets an internal limit of 128 MiB per request, otherwise returning status 400 ("Bad Request"). This crate is part of the implementation of Rust's [crates.io](https://crates.io/), but that service is not affected due to its existing cloud infrastructure, which already drops such malicious requests. Even with the new limit in place, `conduit-hyper` i

Affected products

conduit-hyper_project — conduit-hyper

Does this affect you?

Add your gear to cvedb and we'll alert you only when conduit-hyper_project ships something exploited.

Check my exposure →

References

This product uses data from the NVD API but is not endorsed or certified by the NVD. Informational only; not professional security advice.