This project's dependency requirements admit versions with known security vulnerabilities. Tightening the version range of the affected dependencies prevents those versions from being selected. Details are at the bottom of the page.

Crate maud

Dependencies

(8 total, 5 outdated, 1 possibly insecure)

Crate          Required      Latest   Status
actix-web      ^4            4.5.1    up to date
axum-core ⚠️   ^0.2          0.4.3    out of date (possibly insecure, see RUSTSEC-2022-0055 below)
futures-util   ^0.3.0        0.3.30   up to date
http           ^0.2          1.1.0    out of date
itoa           ^0.4.8        1.0.11   out of date
maud_macros    ^0.24.0       0.26.0   out of date
rocket         >=0.3, <0.5   0.5.0    out of date
tide           ^0.16.0       0.16.0   up to date

Dev dependencies

(1 total, all up-to-date)

Crate          Required      Latest   Status
trybuild       ^1.0.33       1.0.96   up to date

Security Vulnerabilities

axum-core: No default limit put on request bodies

RUSTSEC-2022-0055

<bytes::Bytes as axum_core::extract::FromRequest>::from_request did not, by default, set a limit on the size of the request body. A malicious peer could therefore send a very large (or endless) body and make the server run out of memory and crash.

This also applies to these extractors, which use Bytes::from_request internally:

  • axum::extract::Form
  • axum::extract::Json
  • String

The fix is in axum-core 0.2.8 and 0.3.0-rc.2; 0.3.0-rc.1 is vulnerable.

Because axum depends on axum-core, it is vulnerable as well. The vulnerable versions of axum are <= 0.5.15 and 0.6.0-rc.1. axum >= 0.5.16 and >= 0.6.0-rc.2 have the fix and are not vulnerable.

The patched versions set a 2 MB limit by default.

For this crate: maud's requirement of ^0.2 on axum-core still admits the vulnerable releases 0.2.0 through 0.2.7, which is why the dependency is flagged as possibly insecure above. Raising the requirement to ^0.2.8 excludes them; check which version is actually resolved with cargo tree -i axum-core, and run cargo audit to confirm the advisory no longer matches.
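The following is an added example, not code from maud, axum or the advisory: it reproduces the failure mode and the fix over std::io::Read so it runs without the axum crates. read_body_unbounded buffers everything it is given, which is what the unpatched Bytes extractor effectively did; read_body_bounded applies a cap (the same 2 MB default the patched versions use) by reading at most limit + 1 bytes and rejecting the body as soon as that extra byte arrives, so an endless body costs at most the limit in memory before the request is refused. InfiniteBody is a constructed stand-in for the malicious peer; the function and type names are this example's own.

```rust
use std::io::{self, Read};

/// Default cap, matching the 2 MB limit the patched axum-core applies.
pub const DEFAULT_BODY_LIMIT: usize = 2 * 1024 * 1024;

#[derive(Debug, PartialEq)]
pub enum BodyError {
    /// Body exceeded the configured limit; map this to HTTP 413 Payload Too Large.
    TooLarge { limit: usize },
    Io(io::ErrorKind),
}

/// Vulnerable pattern: buffer the whole body with no cap. An attacker who
/// streams an endless body makes this grow until allocation fails and the
/// process dies.
pub fn read_body_unbounded<R: Read>(mut body: R) -> Result<Vec<u8>, BodyError> {
    let mut buf = Vec::new();
    body.read_to_end(&mut buf).map_err(|e| BodyError::Io(e.kind()))?;
    Ok(buf)
}

/// Hardened pattern: read at most `limit + 1` bytes. Receiving even one byte
/// past the limit proves the body is too large, so we stop reading and reject
/// without ever holding more than `limit + 1` bytes in memory.
pub fn read_body_bounded<R: Read>(body: R, limit: usize) -> Result<Vec<u8>, BodyError> {
    let mut buf = Vec::new();
    let mut limited = body.take(limit as u64 + 1);
    limited
        .read_to_end(&mut buf)
        .map_err(|e| BodyError::Io(e.kind()))?;
    if buf.len() > limit {
        return Err(BodyError::TooLarge { limit });
    }
    Ok(buf)
}

/// Constructed stand-in for a malicious peer: a body that never ends.
pub struct InfiniteBody;

impl Read for InfiniteBody {
    fn read(&mut self, buf: &mut [u8]) -> io::Result<usize> {
        buf.fill(b'A');
        Ok(buf.len())
    }
}

fn main() {
    // A normal JSON body well under the limit is accepted unchanged.
    let small = read_body_bounded(&b"{\"name\":\"x\"}"[..], DEFAULT_BODY_LIMIT);
    println!("small body: {:?}", small.map(|b| b.len()));

    // The endless body is cut off after limit + 1 bytes and rejected.
    let rejected = read_body_bounded(InfiniteBody, DEFAULT_BODY_LIMIT);
    println!("infinite body: {:?}", rejected.map(|b| b.len()));

    // read_body_unbounded(InfiniteBody) is deliberately not called here:
    // it never returns and eventually exhausts memory, which is the bug.
}
```

In an axum 0.6 application the same cap is configured through axum::extract::DefaultBodyLimit rather than hand-rolled; the point of the example is that the limit must be enforced while reading, not by trusting a Content-Length header, since a chunked or endless body carries none.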