CVE-2020-15694 – This vulnerability in Nim's standard library ht... (How to Fix)

Q: What is the severity of CVE-2020-15694?

CVE-2020-15694 has a CVSS score of 7.5 (HIGH). This vulnerability in Nim's standard library httpClient allows malicious servers to provide negative Content-Length values, which the client fails to validate properly. This can lead to memory corruption, denial of service, or potentially arbitrary code execution. Applications using Nim's httpClient to fetch data from untrusted sources are affected.

📋 TL;DR

This vulnerability in Nim's standard library httpClient allows malicious servers to provide negative Content-Length values, which the client fails to validate properly. This can lead to memory corruption, denial of service, or potentially arbitrary code execution. Applications using Nim's httpClient to fetch data from untrusted sources are affected.

💻 Affected Systems

Products:

Nim programming language standard library

Versions: Nim 1.2.4 and earlier versions

Operating Systems: All platforms where Nim runs

Default Config Vulnerable: ⚠️ Yes

Notes: Only applications using the httpClient module's contentLength() method or similar response parsing are vulnerable.

📦 What is this software?

Nim by Nim Lang

View all CVEs affecting Nim →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Remote code execution through memory corruption when processing malformed server responses, potentially allowing full system compromise.

🟠

Likely Case

Denial of service through application crashes or resource exhaustion when processing invalid Content-Length values.

🟢

If Mitigated

Application instability or crashes without privilege escalation if proper sandboxing and input validation are in place.

🌐 Internet-Facing: HIGH - Applications fetching data from external servers are directly exposed to malicious responses.

🏢 Internal Only: MEDIUM - Internal services could still be vulnerable if they fetch data from compromised internal servers.

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: LIKELY

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

Exploitation requires controlling the server response or intercepting client-server communication. Public proof-of-concept demonstrates the vulnerability.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Nim 1.2.6 and later

Vendor Advisory: https://nim-lang.org/blog/2020/07/30/versions-126-and-108-released.html

Restart Required: No

Instructions:

1. Update Nim to version 1.2.6 or later. 2. Recompile all applications using the httpClient module. 3. Redeploy updated applications.

🔧 Temporary Workarounds

Input validation wrapper

all

Add custom validation for Content-Length values before processing

# In Nim code, add validation:
let contentLen = client.get().contentLength()
if contentLen < 0:
    raise newException(ValueError, "Invalid Content-Length")

Use alternative HTTP library

all

Replace httpClient with a third-party HTTP library that properly validates responses

# Add alternative HTTP library via Nimble:
nimble install httpbeast

🧯 If You Can't Patch

Implement network segmentation to restrict httpClient access to trusted servers only
Deploy web application firewalls to inspect and block malicious server responses

🔍 How to Verify

Check if Vulnerable:

Check if application uses Nim's httpClient module and runs on Nim <=1.2.4

Check Version:

nim --version

Verify Fix Applied:

Verify Nim version is >=1.2.6 and test with negative Content-Length responses

📡 Detection & Monitoring

Log Indicators:

Application crashes with memory access violations
Unusual Content-Length values in HTTP logs

Network Indicators:

HTTP responses with negative Content-Length headers
Unusual traffic patterns to/from Nim applications

SIEM Query:

source="http_logs" AND content_length < 0

📊 Metadata

CVE ID: CVE-2020-15694

CVSS v3 Score: 7.5 (HIGH)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

CWE: CWE-20

Published: August 14, 2020

Last Updated: November 21, 2024

🔗 References

http://www.openwall.com/lists/oss-security/2021/02/04/2 Exploit,Mailing List,Third Party Advisory
https://consensys.net/diligence/vulnerabilities/nim-httpclient-header-crlf-injection/ Exploit,Third Party Advisory
https://github.com/nim-lang/Nim/blob/dc5a40f3f39c6ea672e6dc6aca7f8118a69dda99/lib/pure/httpclient.nim#L241 Patch,Third Party Advisory
https://nim-lang.org/blog/2020/07/30/versions-126-and-108-released.html Release Notes,Third Party Advisory
http://www.openwall.com/lists/oss-security/2021/02/04/2 Exploit,Mailing List,Third Party Advisory
https://consensys.net/diligence/vulnerabilities/nim-httpclient-header-crlf-injection/ Exploit,Third Party Advisory
https://github.com/nim-lang/Nim/blob/dc5a40f3f39c6ea672e6dc6aca7f8118a69dda99/lib/pure/httpclient.nim#L241 Patch,Third Party Advisory
https://nim-lang.org/blog/2020/07/30/versions-126-and-108-released.html Release Notes,Third Party Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2020-15694, you might also want to check these: