rustsec-2026-0174
Vulnerability from osv_rustsec
Authorization::value uses HeaderValue::value with the claim
that the internal string is ASCII, but Authorization::new and
Authorization::set_credentials accept arbitrary String credentials without
validation. As a result, safe code can construct a header value containing
non-ASCII UTF-8 while the implementation assumes ASCII.
WwwAuthenticate::new and WwwAuthenticate::set_realm similarly accepts arbitrary String input, so WwwAuthenticate::value can also produce a header value that violates the crate’s documented ASCII invariants.
This issue has not been confirmed as Undefined Behavior, but the unsafe
justification in Authorization::value and WwwAuthenticate::value appears incorrect and can produce values outside the expected ASCII-only constraints.
The http-types crate is unmaintained and the issue is unlikely to be fixed.
| URL | Type | |
|---|---|---|
{
"affected": [
{
"database_specific": {
"categories": [],
"cvss": null,
"informational": "notice"
},
"ecosystem_specific": {
"affected_functions": null,
"affects": {
"arch": [],
"functions": [],
"os": []
}
},
"package": {
"ecosystem": "crates.io",
"name": "http-types",
"purl": "pkg:cargo/http-types"
},
"ranges": [
{
"events": [
{
"introduced": "0.0.0-0"
}
],
"type": "SEMVER"
}
],
"versions": []
}
],
"aliases": [],
"database_specific": {
"license": "CC0-1.0"
},
"details": "`Authorization::value` uses `HeaderValue::value` with the claim\nthat the internal string is ASCII, but `Authorization::new` and\n`Authorization::set_credentials` accept arbitrary `String` credentials without\nvalidation. As a result, safe code can construct a header value containing\nnon-ASCII UTF-8 while the implementation assumes ASCII.\n\n`WwwAuthenticate::new` and `WwwAuthenticate::set_realm` similarly accepts arbitrary `String` input, so `WwwAuthenticate::value` can also produce a header value that violates the crate\u2019s documented ASCII invariants. \n\nThis issue has not been confirmed as Undefined Behavior, but the unsafe\njustification in `Authorization::value` and `WwwAuthenticate::value` appears incorrect and can produce values outside the expected ASCII-only constraints.\n\nThe http-types crate is unmaintained and the issue is unlikely to be fixed.",
"id": "RUSTSEC-2026-0174",
"modified": "2026-06-08T16:24:35Z",
"published": "2026-03-11T12:00:00Z",
"references": [
{
"type": "PACKAGE",
"url": "https://crates.io/crates/http-types"
},
{
"type": "ADVISORY",
"url": "https://rustsec.org/advisories/RUSTSEC-2026-0174.html"
},
{
"type": "REPORT",
"url": "https://github.com/http-rs/http-types/issues/534"
}
],
"related": [],
"severity": [],
"summary": "`Authorization::value` and `WwwAuthenticate::value` can violate ASCII invariants"
}
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.