This project might be open to known security vulnerabilities, which can be prevented by tightening the version range of affected dependencies. Find detailed information at the bottom.

Crate maud

Dependencies

(8 total, 5 outdated, 1 possibly insecure)

Crate            Required       Latest    Status
actix-web        ^4             4.9.0     up to date
axum-core ⚠️     ^0.2           0.4.5     out of date
futures-util     ^0.3.0         0.3.31    up to date
http             ^0.2           1.1.0     out of date
itoa             ^0.4.8         1.0.11    out of date
maud_macros      ^0.24.0        0.26.0    out of date
rocket           >=0.3, <0.5    0.5.1     out of date
tide             ^0.16.0        0.16.0    up to date

Dev dependencies

(1 total, all up-to-date)

Crate            Required       Latest    Status
trybuild         ^1.0.33        1.0.101   up to date

Security Vulnerabilities

axum-core: No default limit put on request bodies

RUSTSEC-2022-0055

<bytes::Bytes as axum_core::extract::FromRequest>::from_request would not, by default, set a limit on the size of the request body. That meant that if a malicious peer sent a very large (or infinite) body, your server might run out of memory and crash.

This also applies to these extractors which used Bytes::from_request internally:

  • axum::extract::Form
  • axum::extract::Json
  • String

The fix is also in axum-core 0.3.0.rc.2 but 0.3.0.rc.1 is vulnerable.

Because axum depends on axum-core, it is vulnerable as well. The vulnerable versions of axum are <= 0.5.15 and 0.6.0.rc.1. axum >= 0.5.16 and >= 0.6.0.rc.2 have the fix and are not vulnerable.

The patched versions will set a 2 MB limit by default.
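The pattern behind the fix, as an added standard-library Rust example that is not axum's, axum-core's or maud's code: a body reader that checks the running total against a cap on every chunk, so an endless peer is rejected after the cap instead of growing the buffer until allocation fails. The function names, the 8 KB chunk size and the error type are assumptions of this example; the 2 MB default matches the limit the advisory says the patched versions apply.

```rust
use std::io::{self, Read};

/// Default cap, matching the 2 MB default the patched axum-core applies.
pub const DEFAULT_BODY_LIMIT: usize = 2 * 1024 * 1024;

#[derive(Debug, PartialEq)]
pub enum BodyError {
    /// Body exceeded `limit` bytes; a server would answer 413 Payload Too Large.
    TooLarge { limit: usize },
    Io(String),
}

/// Read a body into memory, but never buffer more than `limit` bytes.
/// The check runs on every chunk, not on a Content-Length header, so it also
/// holds for chunked bodies of unknown length and for streams that never end.
pub fn read_body_limited<R: Read>(mut body: R, limit: usize) -> Result<Vec<u8>, BodyError> {
    let mut buf = Vec::new();
    let mut chunk = [0u8; 8192]; // assumed chunk size for this example
    loop {
        let n = body.read(&mut chunk).map_err(|e| BodyError::Io(e.to_string()))?;
        if n == 0 {
            return Ok(buf); // EOF: the whole body fit within the limit
        }
        if buf.len() + n > limit {
            return Err(BodyError::TooLarge { limit });
        }
        buf.extend_from_slice(&chunk[..n]);
    }
}

/// The unbounded pattern the advisory describes, kept for contrast: on an
/// endless stream this never returns and the buffer grows until allocation fails.
pub fn read_body_unbounded<R: Read>(mut body: R) -> io::Result<Vec<u8>> {
    let mut buf = Vec::new();
    body.read_to_end(&mut buf)?;
    Ok(buf)
}

fn main() {
    // Constructed inputs: a tiny body and an endless stream of 'a' bytes.
    let small = read_body_limited(&[1u8, 2, 3][..], DEFAULT_BODY_LIMIT);
    println!("small body: {:?}", small.map(|b| b.len()));
    // The endless stream is only ever passed to the limited reader.
    let endless = read_body_limited(io::repeat(b'a'), DEFAULT_BODY_LIMIT);
    println!("endless body: {:?}", endless);
}
```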