Deps.rs

actix-http 3.0.0-beta.13

[![dependency status](https://deps.rs/crate/actix-http/3.0.0-beta.13/status.svg)](https://deps.rs/crate/actix-http/3.0.0-beta.13)

This project might be open to known security vulnerabilities, which can be prevented by tightening the version range of affected dependencies. Find detailed information at the bottom.

Crate actix-http

Dependencies

(32 total, 11 outdated, 1 possibly insecure)

CrateRequiredLatestStatus
 actix-codec^0.4.10.5.2out of date
 actix-rt^2.22.10.0up to date
 actix-service^2.0.02.0.3up to date
 actix-tls^3.0.0-beta.93.4.0up to date
 actix-utils^3.0.03.0.1up to date
 ahash^0.70.8.11out of date
 base64^0.130.22.1out of date
 bitflags^1.22.9.0out of date
 brotli2^0.3.20.3.2up to date
 bytes^11.10.1up to date
 bytestring^11.4.0up to date
 derive_more^0.99.52.0.1out of date
 encoding_rs^0.80.8.35up to date
 flate2^1.0.131.1.0up to date
 futures-core^0.3.70.3.31up to date
 futures-util^0.3.70.3.31up to date
 h2 ⚠️^0.3.10.4.8out of date
 http^0.2.51.2.0out of date
 httparse^1.5.11.10.1up to date
 httpdate^1.0.11.0.3up to date
 itoa^0.41.0.15out of date
 language-tags^0.30.3.2up to date
 local-channel^0.10.1.5up to date
 log^0.40.4.26up to date
 mime^0.30.3.17up to date
 percent-encoding^2.12.3.1up to date
 pin-project^1.0.01.1.10up to date
 pin-project-lite^0.20.2.16up to date
 rand^0.80.9.0out of date
 sha-1^0.90.10.1out of date
 smallvec^1.6.11.14.0up to date
 zstd^0.90.13.3out of date

Security Vulnerabilities

h2: Degradation of service in h2 servers with CONTINUATION Flood

RUSTSEC-2024-0332

An attacker can send a flood of CONTINUATION frames, causing h2 to process them indefinitely. This results in an increase in CPU usage.

Tokio task budget helps prevent this from a complete denial-of-service, as the server can still respond to legitimate requests, albeit with increased latency.

More details at "https://seanmonstar.com/blog/hyper-http2-continuation-flood/.

Patches available for 0.4.x and 0.3.x versions.