Skip to content

Bump quick-xml to >= 0.41 (RUSTSEC-2026-0194 / -0195 DoS) #30

Description

@Goldziher

crawlberg 1.0.x pulls quick-xml 0.40.x, which is affected by two DoS advisories published 2026-06-29:

  • RUSTSEC-2026-0194 — quadratic runtime when checking a start tag for duplicate attribute names (BytesStart::attributes() does an O(N²) scan).
  • RUSTSEC-2026-0195 — unbounded namespace-declaration allocation in NsReader enables memory-exhaustion DoS.

Both are patched in quick-xml >= 0.41.0.

Because the vulnerable version is transitive and pinned by crawlberg, downstream consumers cannot upgrade without a crawlberg release that moves to quick-xml 0.41+. cargo deny/cargo audit flag it for anyone who depends on crawlberg.

Request: bump quick-xml to >= 0.41.0 and cut a release.

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions