RUSTSEC-2026-0181
DoS vulnerability in HTTP/1.x chunked encoding parser triggered by maliciously crafted chunk lengths
Details
In affected versions of the `vibeio-http` crate, an attacker could send a crafted HTTP/1.x request with a large chunk length (between `usize::MAX - 1` and `usize::MAX` inclusive), causing the server to crash (integer overflow panic in debug builds, `split_to` out-of-bounds panic in release builds).
This was fixed in `vibeio-http` 0.3.2 by returning an error when the chunk length exceeds `usize::MAX - 2` (using `checked_add()` instead of the `+` operator), which prevents the integer overflow.
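The following added example (not code from `vibeio-http`) shows the checked-arithmetic pattern the fix describes. It assumes the 2 bytes added to the chunk length are the CRLF that follows the chunk data; all function and type names are hypothetical.

```rust
// Added illustration, not code from vibeio-http; all names are hypothetical.
const CRLF_LEN: usize = 2; // assumption: each chunk's data is followed by "\r\n"

#[derive(Debug, PartialEq)]
pub enum ChunkError { InvalidSize, TooLarge }

/// Parse the hex chunk-size field (extensions and CRLF already stripped).
pub fn parse_chunk_size(field: &str) -> Result<usize, ChunkError> {
    if field.is_empty() || !field.bytes().all(|b| b.is_ascii_hexdigit()) {
        return Err(ChunkError::InvalidSize);
    }
    // Input is now hex digits only, so the only possible failure is overflow.
    usize::from_str_radix(field, 16).map_err(|_| ChunkError::TooLarge)
}

/// Bytes that must be buffered before the chunk can be split off.
/// `checked_add` rejects any length above `usize::MAX - 2` instead of overflowing.
pub fn bytes_needed(chunk_len: usize) -> Result<usize, ChunkError> {
    chunk_len.checked_add(CRLF_LEN).ok_or(ChunkError::TooLarge)
}

/// What a plain `+` produces in a release build (wrapping), for comparison only.
pub fn bytes_needed_wrapping(chunk_len: usize) -> usize {
    chunk_len.wrapping_add(CRLF_LEN)
}

/// Returns the chunk data once `buf` holds the whole chunk, `Ok(None)` if more
/// input is needed, or an error for a malformed or oversized length.
pub fn take_chunk<'a>(size_field: &str, buf: &'a [u8]) -> Result<Option<&'a [u8]>, ChunkError> {
    let len = parse_chunk_size(size_field)?;
    let needed = bytes_needed(len)?;
    if buf.len() < needed {
        return Ok(None);
    }
    // Safe: len < needed <= buf.len(), so the slice cannot go out of bounds.
    Ok(Some(&buf[..len]))
}

fn main() {
    // Constructed sample inputs.
    let max = format!("{:x}", usize::MAX);
    println!("{:?}", take_chunk("5", b"hello\r\n"));
    println!("{:?}", take_chunk(&max, b"x"));
    // A wrapped sum is tiny, so a "buffer is long enough" check would pass.
    println!("wrapped: {}", bytes_needed_wrapping(usize::MAX));
}
```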
Affected packages
crates.io / vibeio-http
Introduced in: 0.0.0-0
Fixed in: 0.3.2
Upgrade vibeio-http to 0.3.2 or newer (ecosystem crates.io).