This project might be open to known security vulnerabilities, which can be prevented by tightening the version range of affected dependencies. Find detailed information at the bottom.
Crate libp2p-core
Dependencies (18 total, 1 outdated)
Dev dependencies (2 total, 1 outdated)
Crate | Required | Latest | Status
async-std | ^1.6.2 | 1.12.0 | up to date
multihash | ^0.17.0 | 0.18.0 | out of date
Crate chat-example
Dependencies (4 total, all up-to-date)
Crate autonat-example
Dependencies (4 total, all up-to-date)
Crate dcutr
Dependencies (5 total, all up-to-date)
Crate distributed-key-value-store
Dependencies (5 total, all up-to-date)
Crate file-sharing
Dependencies (7 total, all up-to-date)
Crate identify
Dependencies (3 total, all up-to-date)
Crate ipfs-kad
Dependencies (4 total, all up-to-date)
Crate ipfs-private
Dependencies (6 total, all up-to-date)
Crate ping-example
Dependencies (4 total, all up-to-date)
Crate relay-server-example
Dependencies (5 total, all up-to-date)
Crate rendezvous-example
Dependencies (6 total, all up-to-date)
Crate libp2p-identity
Dependencies (17 total, 3 outdated)
Dev dependencies (4 total, all up-to-date)
Crate interop-tests
Dependencies (8 total, all up-to-date)
Crate | Required | Latest | Status
anyhow | ^1 | 1.0.70 | up to date
either | ^1.8.0 | 1.8.1 | up to date
env_logger | ^0.10.0 | 0.10.0 | up to date
futures | ^0.3.27 | 0.3.27 | up to date
log | ^0.4 | 0.4.17 | up to date
rand | ^0.8.5 | 0.8.5 | up to date
redis | ^0.22.1 | 0.22.3 | up to date
tokio | ^1.24.1 | 1.26.0 | up to date
Crate libp2p-allow-block-list
Dependencies (1 total, all up-to-date)
Crate | Required | Latest | Status
void | ^1 | 1.0.2 | up to date
Dev dependencies (1 total, all up-to-date)
Crate | Required | Latest | Status
async-std | ^1.12.0 | 1.12.0 | up to date
Crate libp2p-connection-limits
Dependencies (1 total, all up-to-date)
Crate | Required | Latest | Status
void | ^1 | 1.0.2 | up to date
Dev dependencies (2 total, all up-to-date)
Crate | Required | Latest | Status
async-std | ^1.12.0 | 1.12.0 | up to date
rand | ^0.8.5 | 0.8.5 | up to date
Crate keygen
Dependencies (5 total, all up-to-date)
Crate | Required | Latest | Status
clap | ^4.1.11 | 4.1.13 | up to date
zeroize | ^1 | 1.5.7 | up to date
serde | ^1.0.157 | 1.0.158 | up to date
serde_json | ^1.0.94 | 1.0.94 | up to date
base64 | ^0.21.0 | 0.21.0 | up to date
Crate libp2p-metrics
Dependencies (1 total, all up-to-date)
Dev dependencies (5 total, 2 possibly insecure)
Crate | Required | Latest | Status
env_logger | ^0.10.0 | 0.10.0 | up to date
futures | ^0.3.27 | 0.3.27 | up to date
hyper ⚠️ | ^0.14 | 0.14.25 | maybe insecure
log | ^0.4.0 | 0.4.17 | up to date
tokio ⚠️ | ^1 | 1.26.0 | maybe insecure
Crate multistream-select
Dependencies (6 total, all up-to-date)
Dev dependencies (3 total, all up-to-date)
Crate quick-protobuf-codec
Dependencies (5 total, all up-to-date)
Crate quickcheck-ext
Dependencies (2 total, all up-to-date)
Crate rw-stream-sink
Dependencies (3 total, all up-to-date)
Dev dependencies (1 total, all up-to-date)
Crate | Required | Latest | Status
async-std | ^1.0 | 1.12.0 | up to date
Crate libp2p-mplex
Dependencies (9 total, all up-to-date)
Dev dependencies (4 total, all up-to-date)
Crate libp2p-muxer-test-harness
Dependencies (3 total, all up-to-date)
Crate | Required | Latest | Status
futures | ^0.3.27 | 0.3.27 | up to date
log | ^0.4 | 0.4.17 | up to date
futures-timer | ^3.0.2 | 3.0.2 | up to date
Crate libp2p-yamux
Dependencies (4 total, 1 outdated)
Crate | Required | Latest | Status
futures | ^0.3.27 | 0.3.27 | up to date
thiserror | ^1.0 | 1.0.40 | up to date
yamux | ^0.10.0 | 0.11.0 | out of date
log | ^0.4 | 0.4.17 | up to date
Dev dependencies (1 total, all up-to-date)
Crate | Required | Latest | Status
async-std | ^1.7.0 | 1.12.0 | up to date
Crate libp2p-autonat
Dependencies (7 total, all up-to-date)
Dev dependencies (2 total, all up-to-date)
Crate libp2p-dcutr
Dependencies (9 total, all up-to-date)
Dev dependencies (4 total, all up-to-date)
Crate | Required | Latest | Status
async-std | ^1.12.0 | 1.12.0 | up to date
clap | ^4.1.11 | 4.1.13 | up to date
env_logger | ^0.10.0 | 0.10.0 | up to date
rand | ^0.8 | 0.8.5 | up to date
Crate libp2p-floodsub
Dependencies (9 total, all up-to-date)
Crate libp2p-gossipsub
Dependencies (19 total, all up-to-date)
Dev dependencies (3 total, all up-to-date)
Crate | Required | Latest | Status
async-std | ^1.6.3 | 1.12.0 | up to date
env_logger | ^0.10.0 | 0.10.0 | up to date
hex | ^0.4.2 | 0.4.3 | up to date
Crate libp2p-identify
Dependencies (10 total, 1 outdated)
Dev dependencies (2 total, all up-to-date)
Crate libp2p-kad
Dependencies (18 total, all up-to-date)
Dev dependencies (2 total, all up-to-date)
Crate libp2p-mdns
Dependencies (11 total, 1 outdated, 1 possibly insecure)
Dev dependencies (3 total, 1 possibly insecure)
Crate libp2p-perf
Dependencies (9 total, all up-to-date)
Dev dependencies (1 total, all up-to-date)
Crate | Required | Latest | Status
rand | ^0.8 | 0.8.5 | up to date
Crate libp2p-ping
Dependencies (7 total, all up-to-date)
Crate | Required | Latest | Status
either | ^1.8.0 | 1.8.1 | up to date
futures | ^0.3.27 | 0.3.27 | up to date
futures-timer | ^3.0.2 | 3.0.2 | up to date
instant | ^0.1.11 | 0.1.12 | up to date
log | ^0.4.1 | 0.4.17 | up to date
rand | ^0.8 | 0.8.5 | up to date
void | ^1.0 | 1.0.2 | up to date
Dev dependencies (2 total, all up-to-date)
Crate libp2p-relay
Dependencies (12 total, all up-to-date)
Dev dependencies (1 total, all up-to-date)
Crate | Required | Latest | Status
env_logger | ^0.10.0 | 0.10.0 | up to date
Crate libp2p-rendezvous
Dependencies (10 total, all up-to-date)
Dev dependencies (4 total, 1 possibly insecure)
Crate libp2p-request-response
Dependencies (5 total, all up-to-date)
Dev dependencies (3 total, all up-to-date)
Crate | Required | Latest | Status
async-std | ^1.6.2 | 1.12.0 | up to date
env_logger | ^0.10.0 | 0.10.0 | up to date
rand | ^0.8 | 0.8.5 | up to date
Crate libp2p-swarm
Dependencies (11 total, all up-to-date)
Dev dependencies (5 total, all up-to-date)
Crate libp2p-swarm-derive
Dependencies (3 total, all up-to-date)
Crate | Required | Latest | Status
heck | ^0.4 | 0.4.1 | up to date
quote | ^1.0 | 1.0.26 | up to date
syn | ^2.0.2 | 2.0.10 | up to date
Crate libp2p-swarm-test
Dependencies (5 total, all up-to-date)
Crate libp2p-deflate
Dependencies (2 total, all up-to-date)
Crate | Required | Latest | Status
futures | ^0.3.27 | 0.3.27 | up to date
flate2 | ^1.0 | 1.0.25 | up to date
Dev dependencies (2 total, all up-to-date)
Crate | Required | Latest | Status
async-std | ^1.6.2 | 1.12.0 | up to date
rand | ^0.8 | 0.8.5 | up to date
Crate libp2p-dns
Dependencies (6 total, all up-to-date)
Dev dependencies (3 total, 1 possibly insecure)
Crate libp2p-noise
Dependencies (12 total, all up-to-date)
Dev dependencies (2 total, all up-to-date)
Crate | Required | Latest | Status
async-io | ^1.2.0 | 1.13.0 | up to date
env_logger | ^0.10.0 | 0.10.0 | up to date
Crate libp2p-plaintext
Dependencies (7 total, all up-to-date)
Dev dependencies (2 total, all up-to-date)
Crate | Required | Latest | Status
env_logger | ^0.10.0 | 0.10.0 | up to date
rand | ^0.8 | 0.8.5 | up to date
Crate libp2p-pnet
Dependencies (6 total, all up-to-date)
Crate | Required | Latest | Status
futures | ^0.3.27 | 0.3.27 | up to date
log | ^0.4.8 | 0.4.17 | up to date
salsa20 | ^0.10 | 0.10.2 | up to date
sha3 | ^0.10 | 0.10.6 | up to date
rand | ^0.8 | 0.8.5 | up to date
pin-project | ^1.0.2 | 1.0.12 | up to date
Dev dependencies (1 total, 1 possibly insecure)
Crate | Required | Latest | Status
tokio ⚠️ | ^1.21.1 | 1.26.0 | maybe insecure
Crate libp2p-quic
Dependencies (12 total, 1 possibly insecure)
Dev dependencies (4 total, 1 possibly insecure)
Crate libp2p-tcp
Dependencies (8 total, 1 outdated, 1 possibly insecure)
Dev dependencies (3 total, 1 possibly insecure)
Crate libp2p-tls
Dependencies (9 total, all up-to-date)
Dev dependencies (3 total, 1 possibly insecure)
Crate | Required | Latest | Status
hex | ^0.4.3 | 0.4.3 | up to date
hex-literal | ^0.3.4 | 0.3.4 | up to date
tokio ⚠️ | ^1.21.1 | 1.26.0 | maybe insecure
Crate libp2p-uds
Dependencies (4 total, 1 possibly insecure)
Crate | Required | Latest | Status
async-std | ^1.6.2 | 1.12.0 | up to date
log | ^0.4.1 | 0.4.17 | up to date
futures | ^0.3.27 | 0.3.27 | up to date
tokio ⚠️ | ^1.15 | 1.26.0 | maybe insecure
Dev dependencies (1 total, all up-to-date)
Crate | Required | Latest | Status
tempfile | ^3.4 | 3.4.0 | up to date
Crate libp2p-wasm-ext
Dependencies (5 total, all up-to-date)
Crate libp2p-webrtc
Dependencies (19 total, 3 outdated, 1 possibly insecure)
Dev dependencies (7 total, 1 possibly insecure)
Crate libp2p-websocket
Dependencies (9 total, all up-to-date)
Dev dependencies (2 total, 1 outdated)
Crate | Required | Latest | Status
async-std | ^1.6.5 | 1.12.0 | up to date
rcgen | ^0.9.3 | 0.10.0 | out of date
Crate libp2p
Dependencies (7 total, all up-to-date)
Dev dependencies (6 total, 1 possibly insecure)
Security Vulnerabilities

hyper: Lenient `hyper` header parsing of `Content-Length` could allow request smuggling
RUSTSEC-2021-0078
`hyper`'s HTTP header parser accepted, according to RFC 7230, illegal contents inside `Content-Length` headers. Due to this, an upstream HTTP proxy that ignores the header may still forward it along if it chooses to ignore the error.
To be vulnerable, `hyper` must be used as an HTTP/1 server and using an HTTP proxy upstream that ignores the header's contents but still forwards it. Due to all the factors that must line up, an attack exploiting this vulnerability is unlikely.

hyper: Integer overflow in `hyper`'s parsing of the `Transfer-Encoding` header leads to data loss
RUSTSEC-2021-0079
When decoding chunk sizes that are too large, `hyper`'s code would encounter an integer overflow. Depending on the situation, this could lead to data loss from an incorrect total size, or in rarer cases, a request smuggling attack.
To be vulnerable, you must be using `hyper` for any HTTP/1 purpose, including as a client or server, and consumers must send requests or responses that specify a chunk size greater than 18 exabytes. For a request smuggling attack to be possible, any upstream proxies must accept a chunk size greater than 64 bits.

tokio: reject_remote_clients Configuration corruption
RUSTSEC-2023-0001
On Windows, configuring a named pipe server with `pipe_mode` will force `ServerOptions::reject_remote_clients` as `false`.
This drops any intended explicit configuration for the `reject_remote_clients` that may have been set as `true` previously.
The default setting of `reject_remote_clients` is normally `true`, meaning the default is also overridden as `false`.
Workarounds
Ensure that `pipe_mode` is set first after initializing a `ServerOptions`. For example:
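    use tokio::net::windows::named_pipe::{PipeMode, ServerOptions};

    let mut opts = ServerOptions::new();
    // Set pipe_mode first so it cannot reset reject_remote_clients afterwards.
    opts.pipe_mode(PipeMode::Message);
    opts.reject_remote_clients(true);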
Patched
>=1.18.4, <1.19.0
>=1.20.3, <1.21.0
>=1.23.1