crawlberg 1.0.x pulls quick-xml 0.40.x, which is affected by two DoS advisories published 2026-06-29:
- RUSTSEC-2026-0194 — quadratic runtime when checking a start tag for duplicate attribute names (
BytesStart::attributes() does an O(N²) scan).
- RUSTSEC-2026-0195 — unbounded namespace-declaration allocation in
NsReader enables memory-exhaustion DoS.
Both are patched in quick-xml >= 0.41.0.
Because the vulnerable version is transitive and pinned by crawlberg, downstream consumers cannot upgrade without a crawlberg release that moves to quick-xml 0.41+. cargo deny/cargo audit flag it for anyone who depends on crawlberg.
Request: bump quick-xml to >= 0.41.0 and cut a release.
crawlberg1.0.x pullsquick-xml0.40.x, which is affected by two DoS advisories published 2026-06-29:BytesStart::attributes()does an O(N²) scan).NsReaderenables memory-exhaustion DoS.Both are patched in
quick-xml >= 0.41.0.Because the vulnerable version is transitive and pinned by crawlberg, downstream consumers cannot upgrade without a crawlberg release that moves to
quick-xml0.41+.cargo deny/cargo auditflag it for anyone who depends on crawlberg.Request: bump
quick-xmlto>= 0.41.0and cut a release.