This project might be open to known security vulnerabilities, which can be prevented by tightening the version range of affected dependencies. Find detailed information at the bottom.

Crate actix-http

Dependencies

(32 total, 6 outdated, 1 possibly insecure)

CrateRequiredLatestStatus
 actix-codec^0.50.5.2up to date
 actix-rt^2.22.10.0up to date
 actix-service^22.0.2up to date
 actix-tls^3.13.4.0up to date
 actix-utils^33.0.1up to date
 ahash^0.80.8.11up to date
 base64^0.210.22.1out of date
 bitflags^22.6.0up to date
 brotli^3.3.37.0.0out of date
 bytes^11.8.0up to date
 bytestring^11.3.1up to date
 derive_more^0.99.51.0.0out of date
 encoding_rs^0.80.8.35up to date
 flate2^1.0.131.0.34up to date
 futures-core^0.3.170.3.31up to date
 h2 ⚠️^0.3.170.4.6out of date
 http^0.2.71.1.0out of date
 httparse^1.5.11.9.5up to date
 httpdate^1.0.11.0.3up to date
 itoa^11.0.11up to date
 language-tags^0.30.3.2up to date
 local-channel^0.10.1.5up to date
 mime^0.3.40.3.17up to date
 percent-encoding^2.12.3.1up to date
 pin-project-lite^0.20.2.15up to date
 rand^0.80.8.5up to date
 sha1^0.100.10.6up to date
 smallvec^1.6.11.13.2up to date
 tokio^1.24.21.41.0up to date
 tokio-util^0.70.7.12up to date
 tracing^0.1.300.1.40up to date
 zstd^0.120.13.2out of date

Security Vulnerabilities

h2: Degradation of service in h2 servers with CONTINUATION Flood

RUSTSEC-2024-0332

An attacker can send a flood of CONTINUATION frames, causing h2 to process them indefinitely. This results in an increase in CPU usage.

Tokio task budget helps prevent this from a complete denial-of-service, as the server can still respond to legitimate requests, albeit with increased latency.

More details at "https://seanmonstar.com/blog/hyper-http2-continuation-flood/.

Patches available for 0.4.x and 0.3.x versions.