This project might be open to known security vulnerabilities, which can be prevented by tightening the version range of affected dependencies. Find detailed information at the bottom.

Crate actix-web-actors

Dependencies

(7 total, 6 outdated, 2 possibly insecure)

CrateRequiredLatestStatus
 actix^0.9.00.13.3out of date
 actix-codec ⚠️^0.2.00.5.2out of date
 actix-http ⚠️^1.0.13.6.0out of date
 actix-web^2.0.0-rc4.5.1out of date
 bytes^0.5.21.6.0out of date
 futures^0.3.10.3.30up to date
 pin-project^0.4.61.1.5out of date

Dev dependencies

(2 total, 2 outdated)

CrateRequiredLatestStatus
 actix-rt^1.0.02.9.0out of date
 env_logger^0.60.11.3out of date

Security Vulnerabilities

actix-http: Use-after-free in BodyStream due to lack of pinning

RUSTSEC-2020-0048

Affected versions of this crate did not require the buffer wrapped in BodyStream to be pinned, but treated it as if it had a fixed location in memory. This may result in a use-after-free.

The flaw was corrected by making the trait MessageBody require Unpin and making poll_next() function accept Pin<&mut Self> instead of &mut self.

actix-codec: Use-after-free in Framed due to lack of pinning

RUSTSEC-2020-0049

Affected versions of this crate did not require the buffer wrapped in Framed to be pinned, but treated it as if it had a fixed location in memory. This may result in a use-after-free.

The flaw was corrected by making the affected functions accept Pin<&mut Self> instead of &mut self.

actix-http: Potential request smuggling capabilities due to lack of input validation

RUSTSEC-2021-0081

Affected versions of this crate did not properly detect invalid requests that could allow HTTP/1 request smuggling (HRS) attacks when running alongside a vulnerable front-end proxy server. This can result in leaked internal and/or user data, including credentials, when the front-end proxy is also vulnerable.

Popular front-end proxies and load balancers already mitigate HRS attacks so it is recommended that they are also kept up to date; check your specific set up. You should upgrade even if the front-end proxy receives exclusively HTTP/2 traffic and connects to the back-end using HTTP/1; several downgrade attacks are known that can also expose HRS vulnerabilities.