CVE intelligence and bounded remediation
CVE-2020-26281 — async-h1 is an asynchronous HTTP/1.1 parser for Rust (crates.io)
async-h1 is an asynchronous HTTP/1.1 parser for Rust (crates.io). There is a request smuggling vulnerability in async-h1 before version 2.3.0. This vulnerability affects any webserver that uses async-h1 behind a reverse proxy, including all such Tide applications. If the server does not read the body of a request which is longer than some buffer length, async-h1 will attempt to read a subsequent request from the body content starting at that offset into the body. One way to exploit this vulnerability would be for an adversary to craft a request such that the body contains a request that would not be noticed by a reverse proxy, allowing it to forge forwarded/x-forwarded headers. If an application trusted the authenticity of these headers, it could be misled by the smuggled request. Another potential concern with this vulnerability is that if a reverse proxy is sending multiple http clients' requests along the same keep-alive connection, it would be possible for the smuggled request to specify a long content and capture another user's request in its body. This content could be captured in a post request to an endpoint that allows the content to be subsequently retrieved by the adver…
- Severity
- High
- CVSS
- 7.5 (3.1)
- Published
- 2020-12-21
- CISA KEV
- Not currently listed
- Ecosystem
- software/application
- Weaknesses
- CWE-444
Affected products
- rust-lang / async-h1
Matched remediation archetype
HTTP request smuggling and message-boundary ambiguity
This catalog composition supplies bounded fallback guidance. Explicitly reviewed curated workflows load with the complete record below.
Check exposure
- Inventory every proxy, CDN, gateway, load balancer, service mesh, and application server hop on affected request paths.
- Compare documented parsing and normalization behavior for message length, transfer coding, duplicate headers, and protocol translation.
- Identify connection reuse and which downstream services trust headers added by intermediaries.
Remediate safely
- Update affected intermediaries and origin servers and align them on a single standards-compliant request framing policy.
- Reject ambiguous length, transfer-coding, duplicate, malformed, and unsupported framing before forwarding.
- Normalize or remove hop-by-hop and identity headers at one controlled boundary and add multi-hop regression tests.
Authoritative sources
Complete CVE record and remediation plan
The detailed catalog view below loads this exact record, its source evidence, and the full seven-phase agentic change plan.