This project might be open to known security vulnerabilities, which can be prevented by tightening the version range of affected dependencies. Find detailed information at the bottom.

Crate actix-files

Dependencies

(12 total, 8 outdated, 1 possibly insecure)

CrateRequiredLatestStatus
 actix-http ⚠️^0.2.113.9.0out of date
 actix-service^0.4.12.0.2out of date
 actix-web^1.0.84.9.0out of date
 bitflags^12.6.0out of date
 bytes^0.41.8.0out of date
 derive_more^0.15.01.0.0out of date
 futures^0.1.250.3.31out of date
 log^0.40.4.22up to date
 mime^0.30.3.17up to date
 mime_guess^2.0.12.0.5up to date
 percent-encoding^2.12.3.1up to date
 v_htmlescape^0.40.15.8out of date

Dev dependencies

(1 total, 1 outdated)

CrateRequiredLatestStatus
 actix-web^1.0.84.9.0out of date

Security Vulnerabilities

actix-http: Use-after-free in BodyStream due to lack of pinning

RUSTSEC-2020-0048

Affected versions of this crate did not require the buffer wrapped in BodyStream to be pinned, but treated it as if it had a fixed location in memory. This may result in a use-after-free.

The flaw was corrected by making the trait MessageBody require Unpin and making poll_next() function accept Pin<&mut Self> instead of &mut self.

actix-http: Potential request smuggling capabilities due to lack of input validation

RUSTSEC-2021-0081

Affected versions of this crate did not properly detect invalid requests that could allow HTTP/1 request smuggling (HRS) attacks when running alongside a vulnerable front-end proxy server. This can result in leaked internal and/or user data, including credentials, when the front-end proxy is also vulnerable.

Popular front-end proxies and load balancers already mitigate HRS attacks so it is recommended that they are also kept up to date; check your specific set up. You should upgrade even if the front-end proxy receives exclusively HTTP/2 traffic and connects to the back-end using HTTP/1; several downgrade attacks are known that can also expose HRS vulnerabilities.