There was a vulnerability in hyper where hyper would not escape newlines from header values when writing to stream. Releases now exist as 0.9.16 and 0.10.2, please cargo update immediately.
For more details, the full report is here: hyper security vulnerability: message splitting - seanmonstar
I think it would make sense to get a CVE number for that.
(there's a typo in the code example. subbmited -> submitted)
It appears there was an issue in crates.io when I published 0.9.16, such that it failed to update the index. I've published 0.9.17 which is the exact same source code, so that people can update.