All actix-web CVEs — Complete Vulnerability History
actix-web is Rust's most popular HTTP framework. Rust's memory safety eliminates whole classes of CVEs that affect C/C++ frameworks. The main CVEs are logic-level DoS issues.
Rust
2 CVEs total
Full CVE history
| CVE | Year | Severity | Description | Fix |
|---|---|---|---|---|
| CVE-2020-35901 | 2020 | HIGH | DoS via HTTP/1.1 pipeline parsing | Fixed 3.0.0 |
| CVE-2022-24977 | 2022 | HIGH | DoS via crafted HTTP request in pipelining | Fixed 4.0.0 |
Current safe version: 4.5.1
```toml
# Before
actix-web = "3.3.2"
# After
actix-web = "4.5.1"
```
Then run: cargo update
Common questions
Does Rust memory safety prevent all CVEs?
No — Rust prevents memory corruption CVEs (buffer overflows, use-after-free, etc.), but logic bugs, DoS via resource exhaustion, and authentication bypass vulnerabilities can still occur. Rust's CVE rate is much lower than that of C/C++ frameworks, but it is not zero.
Is actix-web 4.x stable?
Yes — actix-web 4.0 was released in January 2022 and is the stable long-term branch. It requires Rust 1.57+.