This project might be open to known security vulnerabilities, which can be prevented by tightening the version range of affected dependencies. Detailed information is at the bottom of the page.
Crate libp2p-core
Dependencies (15 total, all up-to-date)
Dev dependencies (1 total, all up-to-date)
Crate        Required    Latest    Status
async-std    ^1.6.2      1.12.0    up to date
Crate autonat-example
Dependencies (5 total, 1 outdated)
Crate browser-webrtc-example
Dependencies (5 total, all up-to-date)
Crate chat-example
Dependencies (5 total, all up-to-date)
Crate dcutr-example
Dependencies (7 total, 1 outdated)
Crate distributed-key-value-store-example
Dependencies (5 total, all up-to-date)
Crate file-sharing-example
Dependencies (8 total, 1 outdated)
Crate identify-example
Dependencies (5 total, all up-to-date)
Crate ipfs-kad-example
Dependencies (8 total, 1 outdated)
Crate ipfs-private-example
Dependencies (6 total, all up-to-date)
Crate metrics-example
Dependencies (9 total, 4 outdated, 2 possibly insecure)
Crate ping-example
Dependencies (4 total, all up-to-date)
Crate relay-server-example
Dependencies (6 total, 1 outdated)
Crate rendezvous-example
Dependencies (6 total, all up-to-date)
Crate upnp-example
Dependencies (3 total, 1 possibly insecure)
Crate hole-punching-tests
Dependencies (9 total, all up-to-date)
Crate libp2p-identity
Dependencies (16 total, all up-to-date)
Dev dependencies (5 total, all up-to-date)
Crate interop-tests
Dependencies (7 total, all up-to-date)
Crate libp2p-allow-block-list
Dependencies (1 total, all up-to-date)
Crate        Required    Latest    Status
void         ^1          1.0.2     up to date
Dev dependencies (1 total, all up-to-date)
Crate        Required    Latest    Status
async-std    ^1.12.0     1.12.0    up to date
Crate libp2p-connection-limits
Dependencies (1 total, all up-to-date)
Crate        Required    Latest    Status
void         ^1          1.0.2     up to date
Dev dependencies (2 total, all up-to-date)
Crate        Required    Latest    Status
async-std    ^1.12.0     1.12.0    up to date
rand         ^0.8.5      0.8.5     up to date
Crate futures-bounded
Dependencies (2 total, all up-to-date)
Dev dependencies (2 total, all up-to-date)
Crate        Required    Latest    Status
tokio        ^1.34.0     1.34.0    up to date
futures      ^0.3.28     0.3.29    up to date
Crate keygen
Dependencies (5 total, 1 outdated)
Crate        Required    Latest    Status
clap         ^4.4.10     4.4.8     out of date
zeroize      ^1          1.7.0     up to date
serde        ^1.0.193    1.0.193   up to date
serde_json   ^1.0.108    1.0.108   up to date
base64       ^0.21.5     0.21.5    up to date
Crate libp2p-memory-connection-limits
Dependencies (4 total, all up-to-date)
Dev dependencies (2 total, all up-to-date)
Crate        Required    Latest    Status
async-std    ^1.12.0     1.12.0    up to date
rand         ^0.8.5      0.8.5     up to date
Crate libp2p-metrics
Dependencies (3 total, all up-to-date)
Crate multistream-select
Dependencies (5 total, all up-to-date)
Dev dependencies (4 total, all up-to-date)
Crate quick-protobuf-codec
Dependencies (3 total, all up-to-date)
Dev dependencies (2 total, all up-to-date)
Crate        Required    Latest    Status
criterion    ^0.5.1      0.5.1     up to date
futures      ^0.3.28     0.3.29    up to date
Crate quickcheck-ext
Dependencies (2 total, all up-to-date)
Crate rw-stream-sink
Dependencies (3 total, all up-to-date)
Dev dependencies (1 total, all up-to-date)
Crate        Required    Latest    Status
async-std    ^1.0        1.12.0    up to date
Crate libp2p-server
Dependencies (12 total, 2 outdated, 2 possibly insecure)
Crate libp2p-webrtc-utils
Dependencies (10 total, all up-to-date)
Dev dependencies (1 total, all up-to-date)
Crate        Required    Latest    Status
hex-literal  ^0.4        0.4.1     up to date
Crate libp2p-mplex
Dependencies (7 total, all up-to-date)
Dev dependencies (4 total, all up-to-date)
Crate libp2p-muxer-test-harness
Dependencies (4 total, all up-to-date)
Crate libp2p-yamux
Dependencies (5 total, 1 outdated)
Crate        Required    Latest    Status
either       ^1          1.9.0     up to date
futures      ^0.3.29     0.3.29    up to date
thiserror    ^1.0        1.0.50    up to date
yamux        ^0.13.1     0.12.1    out of date
tracing      ^0.1.37     0.1.40    up to date
Dev dependencies (1 total, all up-to-date)
Crate        Required    Latest    Status
async-std    ^1.7.0      1.12.0    up to date
Crate libp2p-autonat
Dependencies (7 total, all up-to-date)
Dev dependencies (2 total, all up-to-date)
Crate libp2p-dcutr
Dependencies (9 total, all up-to-date)
Dev dependencies (4 total, 1 outdated)
Crate libp2p-floodsub
Dependencies (9 total, all up-to-date)
Crate libp2p-gossipsub
Dependencies (18 total, all up-to-date)
Dev dependencies (3 total, all up-to-date)
Crate libp2p-identify
Dependencies (9 total, all up-to-date)
Dev dependencies (2 total, all up-to-date)
Crate libp2p-kad
Dependencies (16 total, all up-to-date)
Dev dependencies (3 total, all up-to-date)
Crate libp2p-mdns
Dependencies (12 total, all up-to-date)
Dev dependencies (3 total, all up-to-date)
Crate libp2p-perf
Dependencies (12 total, 1 outdated)
Dev dependencies (1 total, all up-to-date)
Crate        Required    Latest    Status
rand         ^0.8        0.8.5     up to date
Crate libp2p-ping
Dependencies (7 total, all up-to-date)
Dev dependencies (2 total, all up-to-date)
Crate libp2p-relay
Dependencies (11 total, all up-to-date)
Dev dependencies (1 total, all up-to-date)
Crate libp2p-rendezvous
Dependencies (10 total, all up-to-date)
Dev dependencies (3 total, all up-to-date)
Crate libp2p-request-response
Dependencies (11 total, all up-to-date)
Dev dependencies (6 total, all up-to-date)
Crate libp2p-upnp
Dependencies (6 total, all up-to-date)
Crate libp2p-swarm
Dependencies (12 total, 1 outdated)
Dev dependencies (8 total, all up-to-date)
Crate libp2p-swarm-derive
Dependencies (4 total, all up-to-date)
Crate        Required    Latest    Status
heck         ^0.4        0.4.1     up to date
quote        ^1.0        1.0.33    up to date
syn          ^2.0.39     2.0.39    up to date
proc-macro2  ^1.0        1.0.70    up to date
Crate libp2p-swarm-test
Dependencies (5 total, all up-to-date)
Crate libp2p-dns
Dependencies (7 total, all up-to-date)
Dev dependencies (3 total, 1 possibly insecure)
Crate libp2p-noise
Dependencies (12 total, all up-to-date)
Dev dependencies (2 total, all up-to-date)
Crate libp2p-plaintext
Dependencies (4 total, all up-to-date)
Dev dependencies (3 total, all up-to-date)
Crate libp2p-pnet
Dependencies (6 total, all up-to-date)
Dev dependencies (1 total, all up-to-date)
Crate        Required    Latest    Status
tokio        ^1.34.0     1.34.0    up to date
Crate libp2p-quic
Dependencies (14 total, 1 outdated)
Dev dependencies (4 total, all up-to-date)
Crate libp2p-tcp
Dependencies (8 total, all up-to-date)
Dev dependencies (3 total, all up-to-date)
Crate libp2p-tls
Dependencies (9 total, 1 outdated)
Dev dependencies (3 total, all up-to-date)
Crate        Required    Latest    Status
hex          ^0.4.3      0.4.3     up to date
hex-literal  ^0.4.1      0.4.1     up to date
tokio        ^1.34.0     1.34.0    up to date
Crate libp2p-uds
Dependencies (4 total, all up-to-date)
Crate        Required    Latest    Status
async-std    ^1.6.2      1.12.0    up to date
futures      ^0.3.29     0.3.29    up to date
tokio        ^1.34       1.34.0    up to date
tracing      ^0.1.37     0.1.40    up to date
Dev dependencies (1 total, all up-to-date)
Crate        Required    Latest    Status
tempfile     ^3.8        3.8.1     up to date
Crate libp2p-webrtc
Dependencies (16 total, all up-to-date)
Dev dependencies (3 total, all up-to-date)
Crate libp2p-webrtc-websys
Dependencies (11 total, 3 outdated)
Crate libp2p-websocket
Dependencies (9 total, all up-to-date)
Dev dependencies (2 total, all up-to-date)
Crate        Required    Latest    Status
async-std    ^1.6.5      1.12.0    up to date
rcgen        ^0.11.3     0.11.3    up to date
Crate libp2p-webtransport-websys
Dependencies (8 total, 4 outdated)
Dev dependencies (1 total, all up-to-date)
Crate        Required    Latest    Status
multibase    ^0.9.1      0.9.1     up to date
Crate libp2p-websocket-websys
Dependencies (9 total, 3 outdated)
Crate webtransport-tests
Dependencies (6 total, 4 outdated)
Crate libp2p
Dependencies (8 total, all up-to-date)
Dev dependencies (5 total, 1 possibly insecure)
Security Vulnerabilities

hyper: Lenient `hyper` header parsing of `Content-Length` could allow request smuggling (RUSTSEC-2021-0078)
hyper's HTTP header parser accepted contents inside Content-Length headers that are illegal according to RFC 7230.
Because of this, upstream HTTP proxies that ignore the header may still forward it along if they choose to ignore the error.
To be vulnerable, hyper must be used as an HTTP/1 server behind an upstream HTTP proxy that ignores the header's contents but still forwards it. Because all of these factors must line up, an attack exploiting this vulnerability is unlikely.

hyper: Integer overflow in `hyper`'s parsing of the `Transfer-Encoding` header leads to data loss (RUSTSEC-2021-0079)
When decoding chunk sizes that are too large, hyper's code would encounter an integer overflow. Depending on the situation, this could lead to data loss from an incorrect total size or, in rarer cases, a request smuggling attack.
To be vulnerable, you must be using hyper for any HTTP/1 purpose, including as a client or server, and consumers must send requests or responses that specify a chunk size greater than 18 exabytes. For a request smuggling attack to be possible, any upstream proxies must accept a chunk size greater than 64 bits.
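Both hyper advisories above come down to the same defensive property: a header value that does not match its grammar must be rejected, not tolerated, and size arithmetic must fail loudly instead of wrapping. The following added example (written for this page, not hyper's own parser or any libp2p code) shows strict parsing of a Content-Length value as RFC 7230's 1*DIGIT and of a hexadecimal chunk-size line with checked arithmetic, so that the "greater than 18 exabytes" case the second advisory describes surfaces as an explicit Overflow error. The function and error names are the example's own, and the sample inputs in main are constructed, not captured traffic.

```rust
// Added example, not hyper's code: strict parsing of the two header values
// named in RUSTSEC-2021-0078 and RUSTSEC-2021-0079.

#[derive(Debug, PartialEq, Eq)]
pub enum ParseError {
    Empty,
    IllegalChar,
    Overflow,
}

/// RFC 7230 defines Content-Length as 1*DIGIT: ASCII digits only, at least one.
/// Signs, spaces, hex letters or commas are rejected rather than skipped, so a
/// proxy and a backend cannot end up disagreeing about where the body ends.
pub fn parse_content_length(value: &[u8]) -> Result<u64, ParseError> {
    if value.is_empty() {
        return Err(ParseError::Empty);
    }
    let mut n: u64 = 0;
    for &b in value {
        if !b.is_ascii_digit() {
            return Err(ParseError::IllegalChar);
        }
        n = n
            .checked_mul(10)
            .and_then(|n| n.checked_add(u64::from(b - b'0')))
            .ok_or(ParseError::Overflow)?;
    }
    Ok(n)
}

/// Chunk sizes (RFC 7230 section 4.1) are hexadecimal and may carry
/// extensions after ';'. Accumulating with checked arithmetic turns the
/// silent wrap-around described in RUSTSEC-2021-0079 into an error; a value
/// that does not fit in u64 (more than about 18 exabytes) is refused.
pub fn parse_chunk_size(line: &[u8]) -> Result<u64, ParseError> {
    let size_part = match line.iter().position(|&b| b == b';') {
        Some(i) => &line[..i],
        None => line,
    };
    let size_part = trim_ascii_ws(size_part);
    if size_part.is_empty() {
        return Err(ParseError::Empty);
    }
    let mut n: u64 = 0;
    for &b in size_part {
        let digit = match b {
            b'0'..=b'9' => b - b'0',
            b'a'..=b'f' => b - b'a' + 10,
            b'A'..=b'F' => b - b'A' + 10,
            _ => return Err(ParseError::IllegalChar),
        };
        n = n
            .checked_mul(16)
            .and_then(|n| n.checked_add(u64::from(digit)))
            .ok_or(ParseError::Overflow)?;
    }
    Ok(n)
}

// Trims leading/trailing ASCII whitespace (the bad whitespace some senders put
// before a chunk extension); whitespace inside the digits is still an error.
fn trim_ascii_ws(s: &[u8]) -> &[u8] {
    let start = s.iter().position(|b| !b.is_ascii_whitespace()).unwrap_or(s.len());
    let end = s
        .iter()
        .rposition(|b| !b.is_ascii_whitespace())
        .map_or(start, |i| i + 1);
    &s[start..end]
}

fn main() {
    // Constructed sample values, not captured traffic.
    for v in [&b"42"[..], b"+42", b"4 2", b"18446744073709551616"] {
        println!("Content-Length {:?} -> {:?}", String::from_utf8_lossy(v), parse_content_length(v));
    }
    for v in [&b"1a"[..], b"1A;ext=1", b"ffffffffffffffff", b"10000000000000000", b"zz"] {
        println!("chunk-size {:?} -> {:?}", String::from_utf8_lossy(v), parse_chunk_size(v));
    }
}
```

Rejecting `+42` and `4 2` is the point of the first advisory: a lenient parser that quietly reads those as 42 can disagree with a proxy that treats them differently. The 17-hex-digit chunk size is the second advisory's case; checked_mul and checked_add make it an error instead of a wrapped, too-small total.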
tokio: reject_remote_clients configuration corruption (RUSTSEC-2023-0001)
On Windows, configuring a named pipe server with pipe_mode will force ServerOptions::reject_remote_clients to false.
This drops any intended explicit configuration for reject_remote_clients that may have been set to true previously.
The default setting of reject_remote_clients is normally true, meaning the default is also overridden to false as well.

Workarounds
Ensure that pipe_mode is set first, immediately after initializing a ServerOptions, and only then apply the remote-client setting. For example:

// Windows only: named pipe support lives under tokio::net::windows.
use tokio::net::windows::named_pipe::{PipeMode, ServerOptions};

let mut opts = ServerOptions::new();
// Set pipe_mode first: on affected versions it resets reject_remote_clients to false.
opts.pipe_mode(PipeMode::Message);
// Then re-apply the intended setting so it is the one that takes effect.
opts.reject_remote_clients(true);

Patched
>=1.18.4, <1.19.0
>=1.20.3, <1.21.0
>=1.23.1