[FD] Remote DoS in httpx 1.7.0 – Out-of-Bounds Read via Malformed <title> Tag</span></a></span> </h1>
<p class="darkgray font13"> <span class="sender pipe"><a href="/search?l=fulldisclosure@seclists.org&q=from:%22Brian+Carpenter+via+Fulldisclosure%22" rel="nofollow"><span itemprop="author" itemscope itemtype="http://schema.org/Person"><span itemprop="name">Brian Carpenter via Fulldisclosure</span></span></a></span> <span class="date"><a href="/search?l=fulldisclosure@seclists.org&q=date:20250625" rel="nofollow">Wed, 25 Jun 2025 21:58:13 -0700</a></span> </p>
</div>
<div itemprop="articleBody" class="msgBody">
<!--X-Body-of-Message-->
<pre>Hey list,

You can remotely crash httpx v1.7.0 (by ProjectDiscovery) by serving a
malformed <title> tag on your website. The bug is a classic out-of-bounds
read in trimTitleTags() due to a missing bounds check when slicing the
title string. It panics with:</pre><pre>
    panic: runtime error: slice bounds out of range [9:6]

Affects anyone using httpx in their automated scanning pipeline.
One malformed HTML response = scanner down.

Unit testing or fuzzing this function would’ve caught it in 5 minutes.
But it’s “just a bug.” 😂

💥 Trigger input:

    <title</></title>0

📍 Vulnerable code:

    func trimTitleTags(title string) string {
        titleBegin := strings.Index(title, ">")
        titleEnd := strings.Index(title, "</")
        if titleEnd < 0 || titleBegin < 0 {
            return title
        }
        return title[titleBegin+1 : titleEnd] // ← PANIC here
    }

✅ Fix: <a rel="nofollow" href="https://github.com/projectdiscovery/httpx/pull/2198">https://github.com/projectdiscovery/httpx/pull/2198</a>
📂 PoC + context: <a rel="nofollow" href="https://github.com/projectdiscovery/httpx/issues/2197">https://github.com/projectdiscovery/httpx/issues/2197</a>

Crash scanners. Create blind spots. Chain with HTML injection.

Happy hunting.
Stay glitchy,
—geeknik

_______________________________________________
Sent through the Full Disclosure mailing list
<a rel="nofollow" href="https://nmap.org/mailman/listinfo/fulldisclosure">https://nmap.org/mailman/listinfo/fulldisclosure</a>
Web Archives & RSS: <a rel="nofollow" href="https://seclists.org/fulldisclosure/">https://seclists.org/fulldisclosure/</a></pre>
</div>
</div>
</div>
</body>
</html>
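A regression harness for the bounds problem described in the message above, as an added example that is not code from the post or from the httpx project. The names trimTitleTagsChecked, panics and firstPanic are hypothetical, and returning malformed input unchanged is an assumption of this example; the fix merged in the linked pull request may behave differently.

```go
package main

import (
	"fmt"
	"strings"
)

// trimTitleTags as quoted in the post: panics when the first ">" follows "</".
func trimTitleTags(title string) string {
	titleBegin := strings.Index(title, ">")
	titleEnd := strings.Index(title, "</")
	if titleEnd < 0 || titleBegin < 0 {
		return title
	}
	return title[titleBegin+1 : titleEnd]
}

// trimTitleTagsChecked (hypothetical name) adds the missing ordering check.
func trimTitleTagsChecked(title string) string {
	b, e := strings.Index(title, ">"), strings.Index(title, "</")
	if b < 0 || e < 0 || b+1 > e {
		return title // assumption: malformed markup passes through unchanged
	}
	return title[b+1 : e]
}

// panics reports whether f(in) panics, recovering so a sweep can continue.
func panics(f func(string) string, in string) (p bool) {
	defer func() { p = recover() != nil }()
	f(in)
	return
}

// firstPanic sweeps all strings over alphabet, shortest first, up to maxLen bytes.
func firstPanic(f func(string) string, alphabet string, maxLen int) string {
	for queue := []string{""}; len(queue) > 0 && len(queue[0]) <= maxLen; queue = queue[1:] {
		if panics(f, queue[0]) {
			return queue[0]
		}
		for _, c := range alphabet {
			queue = append(queue, queue[0]+string(c))
		}
	}
	return ""
}

func main() { // the first argument below is the trigger input quoted in the post
	fmt.Println(panics(trimTitleTags, "<title</></title>0"), firstPanic(trimTitleTags, "<>/t", 5))
}
```

Running the same sweep against trimTitleTagsChecked returns the empty string, which makes it usable as a unit test that guards the slice bounds.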