Deps.rs

actix-http 3.0.0-beta.19

[![dependency status](https://deps.rs/crate/actix-http/3.0.0-beta.19/status.svg)](https://deps.rs/crate/actix-http/3.0.0-beta.19)

This project might be open to known security vulnerabilities, which can be prevented by tightening the version range of affected dependencies. Find detailed information at the bottom.

Crate actix-http

Dependencies

(30 total, 8 outdated, 1 possibly insecure)

CrateRequiredLatestStatus
 actix-codec^0.4.10.5.2out of date
 actix-rt^2.22.9.0up to date
 actix-service^2.0.02.0.2up to date
 actix-tls^3.0.03.3.0up to date
 actix-utils^3.0.03.0.1up to date
 ahash^0.70.8.11out of date
 base64^0.130.22.0out of date
 bitflags^1.22.5.0out of date
 brotli^3.3.35.0.0out of date
 bytes^11.6.0up to date
 bytestring^11.3.1up to date
 derive_more^0.99.50.99.17up to date
 encoding_rs^0.80.8.34up to date
 flate2^1.0.131.0.28up to date
 futures-core^0.3.70.3.30up to date
 h2 ⚠️^0.3.90.4.4out of date
 http^0.2.51.1.0out of date
 httparse^1.5.11.8.0up to date
 httpdate^1.0.11.0.3up to date
 itoa^11.0.11up to date
 language-tags^0.30.3.2up to date
 local-channel^0.10.1.5up to date
 log^0.40.4.21up to date
 mime^0.30.3.17up to date
 percent-encoding^2.12.3.1up to date
 pin-project-lite^0.20.2.14up to date
 rand^0.80.8.5up to date
 sha-1^0.100.10.1up to date
 smallvec^1.6.11.13.2up to date
 zstd^0.90.13.1out of date

Security Vulnerabilities

h2: Degradation of service in h2 servers with CONTINUATION Flood

RUSTSEC-2024-0332

An attacker can send a flood of CONTINUATION frames, causing h2 to process them indefinitely. This results in an increase in CPU usage.

Tokio task budget helps prevent this from a complete denial-of-service, as the server can still respond to legitimate requests, albeit with increased latency.

More details at "https://seanmonstar.com/blog/hyper-http2-continuation-flood/.

Patches available for 0.4.x and 0.3.x versions.