This project contains known security vulnerabilities. Find detailed information at the bottom.

Crate hyper_serde

Dependencies

(8 total, 5 outdated, 2 insecure)

CrateRequiredLatestStatus
 cookie^0.110.15.0out of date
 headers^0.20.3.3out of date
 http^0.10.2.3insecure
 hyper^0.120.14.4insecure
 mime^0.30.3.16up to date
 serde^1.01.0.123up to date
 serde_bytes^0.110.11.5up to date
 time^0.10.2.25out of date

Dev dependencies

(2 total, 1 outdated)

CrateRequiredLatestStatus
 serde_test^1.01.0.123up to date
 time^0.10.2.25out of date

Security Vulnerabilities

http: Integer Overflow in HeaderMap::reserve() can cause Denial of Service

RUSTSEC-2019-0033

HeaderMap::reserve() used usize::next_power_of_two() to calculate the increased capacity. However, next_power_of_two() silently overflows to 0 if given a sufficently large number in release mode.

If the map was not empty when the overflow happens, the library will invoke self.grow(0) and start infinite probing. This allows an attacker who controls the argument to reserve() to cause a potential denial of service (DoS).

The flaw was corrected in 0.1.20 release of http crate.

http: HeaderMap::Drain API is unsound

RUSTSEC-2019-0034

hyper: Multiple Transfer-Encoding headers misinterprets request payload

RUSTSEC-2021-0020

hyper's HTTP server code had a flaw that incorrectly understands some requests with multiple transfer-encoding headers to have a chunked payload, when it should have been rejected as illegal. This combined with an upstream HTTP proxy that understands the request payload boundary differently can result in "request smuggling" or "desync attacks".