All axum CVEs — Complete Vulnerability History
axum is Tokio's official HTTP framework for Rust, built on hyper and tower. Its main CVE exposure is via the hyper and tokio dependencies (HTTP/2 Rapid Reset).
Rust
1 CVE total
Full CVE history
🔴 1 CVE on CISA KEV — actively exploited in real attacks
| CVE | Year | Severity | Description | Fix |
|---|---|---|---|---|
| CVE-2023-44487 | 2023 | 🔴HIGH | HTTP/2 Rapid Reset via hyper dep — CISA KEV | Fixed 0.6.20 |
Current safe version: 0.7.5
```toml
# Before
axum = "0.6.18"
# After
axum = "0.7.5"
```
Then run: cargo update
Common questions
Is axum or actix-web better for security?
Both are actively maintained and have minimal direct CVEs. axum is built on the Tokio ecosystem (hyper, tower) which has strong security practices. actix-web uses its own runtime. The choice usually comes down to ecosystem preference rather than security posture.
Does axum 0.7 have breaking changes from 0.6?
Yes — axum 0.7 upgraded to hyper 1.0 which has a new API. The axum migration guide covers the changes.