Vulnerabilities

RUSTSEC-2024-0336

rustls::ConnectionCommon::complete_io could fall into an infinite loop based on network input

If a close_notify alert is received during a handshake, complete_io
does not terminate.

Callers which do not call complete_io are not affected.

rustls-tokio and rustls-ffi do not call complete_io
and are not affected.

rustls::Stream and rustls::StreamOwned types use
complete_io and are affected.

RUSTSEC-2023-0065

Tungstenite allows remote attackers to cause a denial of service

The Tungstenite crate through 0.20.0 for Rust allows remote attackers to cause
a denial of service (minutes of CPU consumption) via an excessive length of an
HTTP header in a client handshake. The length affects both how many times a parse
is attempted (e.g., thousands of times) and the average amount of data for each
parse attempt (e.g., millions of bytes).

Warnings

RUSTSEC-2024-0375

atty is unmaintained

The maintainer of atty has published an official notice that the crate is no longer
under development, and that users should instead rely on the functionality in the standard library's IsTerminal trait.

Alternative(s)

• std::io::IsTerminal - Stable since Rust 1.70.0 and the recommended replacement per the atty maintainer.
• is-terminal - Standalone crate supporting Rust older than 1.70.0

RUSTSEC-2021-0141

dotenv is Unmaintained

dotenv by description is meant to be used in development or testing only.

Using this in production may or may not be advisable.

Alternatives

The below may or may not be feasible alternative(s):

• dotenvy