All hyper CVEs — Complete Vulnerability History
hyper is Rust's most widely-used HTTP library, underlying reqwest, axum, and many other crates. CVE-2023-44487 (HTTP/2 Rapid Reset) is on CISA KEV.
Rust
2 CVEs total
Full CVE history
🔴 1 CVE on CISA KEV — actively exploited in real attacks
| CVE | Year | Severity | Description | Fix |
|---|---|---|---|---|
| CVE-2021-21299 | 2021 | MEDIUM | Request smuggling via Transfer-Encoding header | Fixed 0.14.4 |
| CVE-2023-44487 | 2023 | 🔴HIGH | HTTP/2 Rapid Reset — CISA KEV | Fixed 1.0.1 |
Current safe version: 1.3.1
```toml
# Before
hyper = "0.14.20"
# After
hyper = "1.3.1"
```
Then run: cargo update
Common questions
Is there a breaking change between hyper 0.14 and 1.0?
Yes — hyper 1.0 is a complete API redesign. reqwest and axum provide compatibility layers. Most applications use hyper indirectly through these higher-level crates.
Does the HTTP/2 Rapid Reset affect hyper clients?
Primarily servers. Update hyper server deployments first.