An integer overflow panic in vibeio-http’s chunked encoding parser lets an attacker bring down servers by sending a single crafted HTTP request with a chunk length between usize::MAX - 1 and usize::MAX inclusive. No authentication required.
The Bug: Integer Overflow in Chunked Decoding
vibeio-http 0.3.1 and earlier use the plain + operator when parsing HTTP/1.x chunked transfer encoding lengths. If the chunk length falls in the range usize::MAX - 1 to usize::MAX, the addition overflows. In debug builds, Rust’s overflow check panics immediately. In release builds, split_to then reads an out-of-bounds index, causing a panic there instead.
This is a straightforward denial-of-service vector: send one request, server goes down. No memory corruption or data leak, but service disruption is trivially achieved.
The Fix: checked_add() Instead of +
The advisory, filed in the rustsec advisory-db, notes that vibeio-http 0.3.2 fixes the issue by using checked_add() and erroring out if the chunk length exceeds usize::MAX - 2. That one-character change—+ to checked_add()—breaks the attack.
If you're running vibeio-http below 0.3.2, patch now. If you're writing your own HTTP parser in Rust, this is a reminder that Rust's memory safety guarantees don't catch logic bugs in arithmetic—you still have to handle overflow explicitly in security-critical parsing loops.
Source: chore: add security advisory for vibeio-http chunked encoding DoS
Domain: github.com
Comments load interactively on the live page.