This project might be open to known security vulnerabilities, which can be prevented by tightening the version range of affected dependencies. Find detailed information at the bottom.

Crate jsonwebtoken

Dependencies

(6 total, 1 possibly insecure)

CrateRequiredLatestStatus
 base64^0.130.13.0up to date
 pem^11.0.2up to date
 ring^0.16.50.16.20up to date
 serde^1.01.0.138up to date
 serde_json^1.01.0.82up to date
 simple_asn1 ⚠️^0.60.6.2maybe insecure

Dev dependencies

(2 total, all up-to-date)

CrateRequiredLatestStatus
 criterion^0.30.3.5up to date
 time^0.30.3.11up to date

Security Vulnerabilities

simple_asn1: Panic on incorrect date input to `simple_asn1`

RUSTSEC-2021-0125

Version 0.6.0 of the simple_asn1 crate panics on certain malformed inputs to its parsing functions, including from_der and der_decode. Because this crate is frequently used with inputs from the network, this should be considered a security vulnerability.

The issue occurs when parsing the old ASN.1 "UTCTime" time format. If an attacker provides a UTCTime where the first character is ASCII but the second character is above 0x7f, a string slice operation in the from_der_ function will try to slice into the middle of a UTF-8 character, and cause a panic.

This error was introduced in commit d7d39d709577710e9dc8, which updated simple_asn1 to use time instead of chrono because of RUSTSEC-2020-159. Versions of simple_asn1 before 0.6.0 are not affected by this issue.

The patch was applied in simple_asn1 version 0.6.1.