Description
Vulnerable Library - tungstenite-0.17.2.crate
Lightweight stream-based WebSocket implementation
Library home page: https://crates.io/api/v1/crates/tungstenite/0.17.2/download
Path to dependency file: /Cargo.toml
Path to vulnerable library: /Cargo.toml
Vulnerabilities
Vulnerability | Severity | Dependency | Type | Fixed in (tungstenite version) | Remediation Possible**
---|---|---|---|---|---
CVE-2023-43669 | 7.5 | tungstenite-0.17.2.crate | Direct | tungstenite - 0.20.1 | ❌
CVE-2024-12224 | 4.8 | idna-0.2.3.crate | Transitive | N/A* | ❌
*For some transitive vulnerabilities, there is no version of the direct dependency that contains a fix. Check the "Details" section below to see whether there is a version of the transitive dependency in which the vulnerability is fixed.
**In some cases, a remediation PR cannot be created automatically for a vulnerability even though a remediation is available.
Details
CVE-2023-43669
Vulnerable Library - tungstenite-0.17.2.crate
Lightweight stream-based WebSocket implementation
Library home page: https://crates.io/api/v1/crates/tungstenite/0.17.2/download
Path to dependency file: /Cargo.toml
Path to vulnerable library: /Cargo.toml
Dependency Hierarchy:
- ❌ tungstenite-0.17.2.crate (Vulnerable Library)
Found in base branch: master
Vulnerability Details
The Tungstenite crate before 0.20.1 for Rust allows remote attackers to cause a denial of service (minutes of CPU consumption) via an excessive length of an HTTP header in a client handshake. The length affects both how many times a parse is attempted (e.g., thousands of times) and the average amount of data for each parse attempt (e.g., millions of bytes).
Publish Date: 2023-09-21
URL: CVE-2023-43669
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High
Suggested Fix
Type: Upgrade version
Release Date: 2023-09-21
Fix Resolution: tungstenite - 0.20.1
Step up your Open Source Security Game with Mend here
CVE-2024-12224
Vulnerable Library - idna-0.2.3.crate
IDNA (Internationalizing Domain Names in Applications) and Punycode.
Library home page: https://crates.io/api/v1/crates/idna/0.2.3/download
Path to dependency file: /Cargo.toml
Path to vulnerable library: /Cargo.toml
Dependency Hierarchy:
- tungstenite-0.17.2.crate (Root Library)
  - url-2.2.2.crate
    - ❌ idna-0.2.3.crate (Vulnerable Library)
Found in base branch: master
Vulnerability Details
Improper Validation of Unsafe Equivalence in punycode by the idna crate from Servo rust-url allows an attacker to create a punycode hostname that one part of a system might treat as distinct while another part of that system would treat as equivalent to another hostname.
Publish Date: 2025-05-30
URL: CVE-2024-12224
CVSS 3 Score Details (4.8)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: High
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: Low
  - Integrity Impact: Low
  - Availability Impact: None