CVE-2024-23644

Summary

CVE-2024-23644 is a vulnerability affecting the `trillium-http` and `trillium-client` components of the Trillium toolkit, used for building internet applications with Rust. Prior to versions 0.3.12 and 0.5.4 respectively, these components failed to adequately validate outbound header values. In instances where attackers can manipulate headers, they could exploit this issue to initiate request or response splitting attacks, potentially leading to data exfiltration or other unauthorized activities. The vulnerability arises due to unchecked construction and transmission of `trillium_http::HeaderValue` and `trillium_http::HeaderName`, which can include illegal bytes such as carriage return and newline sequences. In later versions, Trillium has implemented stricter validation checks to prevent such attacks. As a mitigation measure, developers are advised to sanitize or validate user-supplied input that is incorporated into headers.

Prevent cyber attacks with Recorded Future by prioritizing and patching critical vulnerabilities being exploited by threat actors targeting your industry. Book your demo to learn more.