Summary
Severity: medium — cargo audit flags rustls-webpki 0.103.12 as vulnerable to a reachable panic during certificate revocation list (CRL) parsing.
Patched versions: >=0.103.13, <0.104.0-alpha.1 (or >=0.104.0-alpha.7).
Dependency tree
rustls-webpki 0.103.12
└── rustls 0.23.38
    ├── tokio-rustls 0.26.4
    │   └── hyper-rustls 0.27.9
    │       └── reqwest 0.12.28
    │           └── cryptify 0.1.22
    └── hyper-rustls 0.27.9
Suggested fix
cargo update -p rustls-webpki should pull the patched 0.103.x (the advisory's patched range is >=0.103.13, <0.104.0-alpha.1, or >=0.104.0-alpha.7). Verify with cargo audit, confirm the resolved version in Cargo.lock, and run the full test suite before opening a PR.
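As an added example (not part of this issue or the repo's own tooling), the following script checks a Cargo.lock against the patched range quoted in the summary and reports whether the two unmaintained crates are still present. It is a lightweight pre-PR gate to run next to cargo audit. The lockfile fragment below is constructed, not this repo's real Cargo.lock; the package parsing is a deliberately minimal regex over [[package]] tables rather than a full TOML parser, and the advisory IDs and version range are taken from the issue text.

```python
import re
import sys

# Constructed Cargo.lock fragment (not the repo's real lockfile), in the state
# the issue expects after `cargo update -p rustls-webpki`.
SAMPLE_LOCK = """\
[[package]]
name = "rustls-webpki"
version = "0.103.13"

[[package]]
name = "bincode"
version = "1.3.3"

[[package]]
name = "rustls-pemfile"
version = "1.0.4"

[[package]]
name = "reqwest"
version = "0.12.28"
"""

# Patched range from the advisory: >=0.103.13,<0.104.0-alpha.1 or >=0.104.0-alpha.7.
PATCHED_RANGES = [("0.103.13", "0.104.0-alpha.1"), ("0.104.0-alpha.7", None)]

# Unmaintained crates the issue tracks for visibility only (RUSTSEC IDs from the issue).
UNMAINTAINED = {"bincode": "RUSTSEC-2025-0141", "rustls-pemfile": "RUSTSEC-2025-0134"}


def parse_lock(text):
    """Return {crate name: [versions]} from the [[package]] tables of a Cargo.lock.

    Minimal regex scan; enough for the name/version fields cargo always emits.
    """
    packages = {}
    for block in re.split(r"^\[\[package\]\]\s*$", text, flags=re.M):
        name = re.search(r'^name\s*=\s*"([^"]+)"', block, re.M)
        version = re.search(r'^version\s*=\s*"([^"]+)"', block, re.M)
        if name and version:
            packages.setdefault(name.group(1), []).append(version.group(1))
    return packages


def semver_key(version):
    """Sort key implementing SemVer precedence, including pre-release ordering.

    A release sorts after any pre-release of the same core (0.104.0 > 0.104.0-alpha.7),
    and numeric pre-release identifiers sort below alphanumeric ones.
    """
    core, _, pre = version.partition("-")
    nums = tuple(int(part) for part in core.split("."))
    if not pre:
        return (nums, 1, ())
    idents = tuple((0, int(p)) if p.isdigit() else (1, p) for p in pre.split("."))
    return (nums, 0, idents)


def is_patched(version):
    """True if `version` falls inside one of the advisory's patched ranges."""
    key = semver_key(version)
    for low, high in PATCHED_RANGES:
        if key >= semver_key(low) and (high is None or key < semver_key(high)):
            return True
    return False


def check_lock(text):
    """Gate a lockfile: every resolved rustls-webpki must be patched.

    Also lists the unmaintained crates still present, purely informational.
    """
    packages = parse_lock(text)
    report = {"ok": True, "rustls-webpki": [], "unmaintained": {}}
    for version in packages.get("rustls-webpki", []):
        patched = is_patched(version)
        report["rustls-webpki"].append((version, patched))
        if not patched:
            report["ok"] = False
    for crate, advisory in UNMAINTAINED.items():
        for version in packages.get(crate, []):
            report["unmaintained"][crate] = (version, advisory)
    return report


if __name__ == "__main__":
    # Usage: python check_lock.py [path/to/Cargo.lock]; defaults to the sample above.
    lock_text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOCK
    result = check_lock(lock_text)
    for version, patched in result["rustls-webpki"]:
        print(f"rustls-webpki {version}: {'patched' if patched else 'VULNERABLE'}")
    for crate, (version, advisory) in result["unmaintained"].items():
        print(f"unmaintained: {crate} {version} ({advisory})")
    sys.exit(0 if result["ok"] else 1)
```

The pre-release handling matters here because the advisory's range has a hole: 0.104.0-alpha.1 through alpha.6 are not patched, so a plain string or tuple comparison on the numeric core alone would wrongly accept them.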
Bonus: unmaintained transitive deps (informational)
cargo audit also reports two unmaintained crates pulled in transitively:
bincode 1.3.3 — RUSTSEC-2025-0141 (via pg-core)
rustls-pemfile 1.0.4 — RUSTSEC-2025-0134 (via irma 0.2.1 / reqwest 0.11.27, the older reqwest pulled in by irma)
These are not exploitable today, but if/when pg-core and irma upgrade, this repo should pick those up. Tracked here for visibility — no action required in this issue.