diff --git a/crates/hyper/RUSTSEC-0000-0000.toml b/crates/hyper/RUSTSEC-0000-0000.toml
new file mode 100644
index 0000000..ff01c88
--- /dev/null
+++ b/crates/hyper/RUSTSEC-0000-0000.toml
@@ -0,0 +1,27 @@
+[advisory]
+id = "RUSTSEC-0000-0000"
+package = "hyper"
+date = "2020-03-19"
+title = "Flaw in hyper allows request smuggling by sending a body in GET requests"
+url = "https://github.com/hyperium/hyper/issues/1925"
+categories = ["format-injection"]
+keywords = ["http", "request-smuggling"]
+
+description = """
+Vulnerable versions of hyper allow GET requests to have bodies, even if there is
+no Transfer-Encoding or Content-Length header.  As per the HTTP 1.1
+specification, such requests do not have bodies, so the body will be interpreted
+as a separate HTTP request.
+
+This allows an attacker who can control the body and method of an HTTP request
+made by hyper to inject a request with headers that would not otherwise be
+allowed, as demonstrated by sending a malformed HTTP request from a Substrate
+runtime.  This allows bypassing CORS restrictions.  In combination with other
+vulnerabilities, such as an exploitable web server listening on loopback, it may
+allow remote code execution.
+
+The flaw was corrected in hyper version 0.12.35.
+"""
+
+[versions]
+patched = [">= 0.12.35"]