CVE-2024-51502 MEDIUM

CVE-2024-51502: Panic Vulnerability in loona-hpack

Vendor Bearcove
Product loona
Weakness CWE-755
Published November 4, 2024
Last update November 21, 2024

CVSS base score

5.1/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction Passive
Confidentiality None
Integrity None

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N

What the vulnerability does

01 Description

loona is an experimental HTTP/1.1 and HTTP/2 implementation in Rust on top of io-uring. `loona-hpack` suffers from the same vulnerability as the original `hpack`, as documented in issue #11. All users who decode untrusted input using the Decoder are vulnerable. The issue has been addressed in release version 0.4.3, and all users are advised to upgrade. There are no known workarounds for this vulnerability.

Key dates

02 Disclosure timeline

November 4, 2024 CVE published
November 21, 2024 Record updated