This project contains known security vulnerabilities. Find detailed information at the bottom.

Crate attohttpc


(17 total, 5 outdated, 1 insecure)

 encoding_rs^ to date
 encoding_rs_io^ to date
 flate2^ to date
 http^ to date
 log^ to date
 mime^ to date
 multipart^ to date
 native-tls^ to date
 rustls^ of date
 serde^11.0.125up to date
 serde_json^11.0.64up to date
 serde_urlencoded^ of date
 url^22.2.1up to date
 webpki^ of date
 webpki-roots^ of date
 wildmatch^12.1.0out of date

Dev dependencies

(8 total, 5 outdated, 2 insecure)

 anyhow^11.0.40up to date
 env_logger^ of date
 futures^ to date
 tokio^ of date
 tokio-rustls^ of date
 warp^ of date

Security Vulnerabilities

openssl: Use after free in CMS Signing


Affected versions of the OpenSSL crate used structures after they'd been freed.

futures-util: MutexGuard::map can cause a data race in safe code


Affected versions of the crate had a Send/Sync implementation for MappedMutexGuard that only considered variance on T, while MappedMutexGuard dereferenced to U.

This could of led to data races in safe Rust code when a closure used in MutexGuard::map() returns U that is unrelated to T.

The issue was fixed by fixing Send and Sync implementations, and by adding a PhantomData<&'a mut U> marker to the MappedMutexGuard type to tell the compiler that the guard is over U too.

hyper: Multiple Transfer-Encoding headers misinterprets request payload


hyper's HTTP server code had a flaw that incorrectly understands some requests with multiple transfer-encoding headers to have a chunked payload, when it should have been rejected as illegal. This combined with an upstream HTTP proxy that understands the request payload boundary differently can result in "request smuggling" or "desync attacks".