All tokio CVEs — Complete Vulnerability History
tokio is Rust's async runtime — the foundation of the entire Rust async ecosystem. Its main CVE exposure is via the HTTP/2 Rapid Reset attack through hyper.
Rust · 2 CVEs total · 🔴 CISA KEV
Full CVE history
🔴 1 CVE on CISA KEV — actively exploited
| CVE | Year | Severity | Description | Fix |
|---|---|---|---|---|
| CVE-2021-45710 | 2021 | HIGH | Data race in task::spawn_blocking | Fixed 1.8.4 |
| CVE-2023-44487 | 2023 | 🔴 HIGH | HTTP/2 Rapid Reset via hyper dep — CISA KEV | Fixed 1.37.0 |
Current safe version: 1.37.0
Update the dependency line in `Cargo.toml`:

```toml
# Before
tokio = "1.26.0"

# After
tokio = "1.37.0"
```

Then run: `cargo update`
Common questions
Does the Rust memory model prevent tokio CVEs?
Rust prevents memory-safety CVEs, but not all CVEs. CVE-2021-45710 was a data race (a logic-level bug), and CVE-2023-44487 is a protocol-level denial of service. Both are real vulnerabilities despite Rust's safety guarantees.