Browse all 6 CVE security advisories affecting tokio-rs. AI-powered Chinese analysis, POCs, and references for each vulnerability.
Tokio-rs is an asynchronous runtime for Rust, primarily used for building high-performance network applications. Historically, its vulnerabilities have included remote code execution (RCE) and denial-of-service (DoS) flaws, often stemming from unsafe code or improper input validation. The project maintains a strong security focus through Rust's memory safety guarantees, though six CVEs remain on record. Notable incidents include a 2021 RCE vulnerability in the mio crate, which tokio-rs depends on, allowing attackers to execute arbitrary code through crafted file descriptors. The project's rapid development cycle occasionally introduces security regressions, though these are typically addressed quickly through community collaboration and automated testing.
| CVE ID | Title | CVSS | Severity | Published |
|---|---|---|---|---|
| CVE-2026-25541 | Bytes is vulnerable to integer overflow in `BytesMut::reserve` — bytes (CWE-680) | 9.4 (AI) | Critical (AI) | 2026-02-04 |
| CVE-2025-58160 | Tracing logging user input may result in poisoning logs with ANSI escape sequences — tracing (CWE-150) | 7.1 | - | 2025-08-29 |
| CVE-2025-55159 | slab allows out-of-bounds access in `get_disjoint_mut` due to incorrect bounds check — slab (CWE-119) | 8.1 (AI) | High (AI) | 2025-08-11 |
| CVE-2024-27308 | Mio's tokens for named pipes may be delivered after deregistration — mio (CWE-416) | 7.5 | High | 2024-03-06 |
| CVE-2023-22466 | Tokio's `reject_remote_clients` configuration may get dropped when creating a Windows named pipe — tokio (CWE-665) | 5.4 | Medium | 2023-01-04 |
| CVE-2022-3212 | DoS in axum-core due to missing request size limit — axum-core (CWE-770) | 7.5 | High | 2022-09-14 |
This page lists every published CVE security advisory associated with tokio-rs. Each entry links to a detailed page with CVSS scoring, CWE classification, affected products and references. AI-generated Chinese analysis is provided for fast triage.