[](https://deps.rs/crate/axum-server/0.7.2)
[](https://deps.rs/crate/axum-server/0.7.2)
This project might be open toknown security vulnerabilities, which can be prevented by tightening the version range of affected dependencies. Find detailed information at thebottom.
axum-server(16 total, 3 possibly insecure)
| Crate | Required | Latest | Status |
|---|---|---|---|
| arc-swap | ^1 | 1.7.1 | up to date |
| bytes | ^1 | 1.10.1 | up to date |
| fs-err | ^3 | 3.1.1 | up to date |
| http | ^1.1 | 1.3.1 | up to date |
| http-body | ^1.0 | 1.0.1 | up to date |
| hyper | ^1.4 | 1.6.0 | up to date |
| hyper-util | ^0.1.2 | 0.1.15 | up to date |
| openssl ⚠️ | ^0.10 | 0.10.73 | maybe insecure |
| pin-project-lite | ^0.2 | 0.2.16 | up to date |
| rustls ⚠️ | ^0.23 | 0.23.29 | maybe insecure |
| rustls-pemfile | ^2.1 | 2.2.0 | up to date |
| rustls-pki-types | ^1.7 | 1.12.0 | up to date |
| tokio ⚠️ | ^1 | 1.46.1 | maybe insecure |
| tokio-openssl | ^0.6 | 0.6.5 | up to date |
| tokio-rustls | ^0.26 | 0.26.2 | up to date |
| tower-service | ^0.3 | 0.3.3 | up to date |
(8 total, 2 outdated, 1 possibly insecure)
| Crate | Required | Latest | Status |
|---|---|---|---|
| axum | ^0.7 | 0.8.4 | out of date |
| futures-util | ^0.3 | 0.3.31 | up to date |
| http-body-util | ^0.1 | 0.1.3 | up to date |
| hyper | ^1.4 | 1.6.0 | up to date |
| serial_test | ^3.1 | 3.2.0 | up to date |
| tokio ⚠️ | ^1 | 1.46.1 | maybe insecure |
| tower | ^0.5 | 0.5.2 | up to date |
| tower-http | ^0.5 | 0.6.6 | out of date |
tokio: reject_remote_clients Configuration corruptionOn Windows, configuring a named pipe server withpipe_mode will forceServerOptions::reject_remote_clients asfalse.
This drops any intended explicit configuration for thereject_remote_clients that may have been set astrue previously.
The default setting ofreject_remote_clients is normallytrue meaning the default is also overridden asfalse.
Ensure thatpipe_mode is set first after initializing aServerOptions. For example:
let mut opts = ServerOptions::new();opts.pipe_mode(PipeMode::Message);opts.reject_remote_clients(true);rustls: rustls network-reachable panic in `Acceptor::accept`A bug introduced in rustls 0.23.13 leads to a panic if the receivedTLS ClientHello is fragmented. Only servers that userustls::server::Acceptor::accept() are affected.
Servers that usetokio-rustls'sLazyConfigAcceptor API are affected.
Servers that usetokio-rustls'sTlsAcceptor API are not affected.
Servers that userustls-ffi'srustls_acceptor_accept API are affected.
openssl: Use-After-Free in `Md::fetch` and `Cipher::fetch`When aSome(...) value was passed to theproperties argument of either of these functions, a use-after-free would result.
In practice this would nearly always result in OpenSSL treating the properties as an empty string (due toCString::drop's behavior).
The maintainers thankquitbug for reporting this vulnerability to us.