This project might be open to known security vulnerabilities, which can be prevented by tightening the version range of affected dependencies. Find detailed information at the bottom.

Crate v2ray-rust

Dependencies

(51 total, 16 outdated, 2 possibly insecure)

Crate                  Required  Latest    Status
actix-rt               ^2.8      2.10.0    up to date
actix-server           ^2.2.0    2.5.1     up to date
actix-service          ^2.0      2.0.3     up to date
aead                   ^0.5      0.5.2     up to date
aes                    ^0.8.3    0.8.4     up to date
aes-gcm                ^0.10     0.10.3    up to date
anyhow                 ^1.0      1.0.97    up to date
async-trait            ^0.1      0.1.87    up to date
base64                 ^0.21.2   0.22.1    out of date
bitvec                 ^1        1.0.1     up to date
bloomfilter            ^1.0.9    3.0.1     out of date
boring                 ^4.2.0    4.15.0    up to date
boring-sys             ^4.2.0    4.15.0    up to date
byte_string            ^1.0      1.0.0     up to date
bytes                  ^1        1.10.1    up to date
chacha20poly1305       ^0.10     0.10.1    up to date
cidr-utils             ^0.5.10   0.6.1     out of date
clap                   ^4        4.5.32    up to date
crc32fast              ^1.3.2    1.4.2     up to date
env_logger             ^0.10     0.11.7    out of date
foreign-types-shared   ^0.3.1    0.3.1     up to date
futures-util           ^0.3      0.3.31    up to date
generic-array          ^0.14.7   1.2.0     out of date
hkdf                   ^0.12     0.12.4    up to date
hmac                   ^0.12     0.12.1    up to date
log                    ^0.4      0.4.26    up to date
md-5                   ^0.10.5   0.10.6    up to date
prost                  ^0.11     0.13.5    out of date
protobuf ⚠️            ^3.0.1    3.7.2     maybe insecure
rand                   ^0.8      0.9.0     out of date
regex                  ^1.7.3    1.11.1    up to date
serde                  ^1.0      1.0.219   up to date
sha-1                  ^0.10.1   0.10.1    up to date
sha2                   ^0.10.6   0.10.8    up to date
socket2                ^0.4.7    0.5.8     out of date
spin                   ^0.9.6    0.9.8     up to date
tokio                  ^1.26     1.44.1    up to date
tokio-boring           ^4.2.0    4.15.0    up to date
tokio-tungstenite      ^0.20     0.26.2    out of date
tokio-util             ^0.7      0.7.14    up to date
toml                   ^0.5      0.8.20    out of date
tonic                  ^0.9      0.12.3    out of date
uuid                   ^1.3      1.15.1    up to date
brotli                 ^3.3.4    7.0.0     out of date
gentian                ^0.1.8    0.1.8     up to date
h2 ⚠️                  ^0.3.20   0.4.8     out of date
http                   ^0.2      1.3.1     out of date
hyper                  ^0.14.27  1.6.0     out of date
libc                   ^0.2      0.2.171   up to date
once_cell              ^1        1.21.1    up to date
tower                  ^0.4.13   0.5.2     out of date

Build dependencies

(2 total, 1 outdated)

Crate                  Required  Latest    Status
protobuf-codegen       ^3.2.0    3.7.2     up to date
tonic-build            ^0.10     0.12.3    out of date

Security Vulnerabilities

h2: Degradation of service in h2 servers with CONTINUATION Flood

RUSTSEC-2024-0332

An attacker can send a flood of CONTINUATION frames, causing h2 to process them indefinitely. This results in an increase in CPU usage.

Tokio's task budget helps keep this from becoming a complete denial of service: the server can still respond to legitimate requests, albeit with increased latency.

More details at https://seanmonstar.com/blog/hyper-http2-continuation-flood/.

Patches available for 0.4.x and 0.3.x versions.

protobuf: Crash due to uncontrolled recursion in protobuf crate

RUSTSEC-2024-0437

Affected versions of this crate did not properly parse unknown fields when parsing user-supplied input.

This allows an attacker to cause a stack overflow when a message is parsed from untrusted data.