RUSTSEC-2026-0174

Source
https://rustsec.org/advisories/RUSTSEC-2026-0174
Import Source
https://github.com/rustsec/advisory-db/blob/osv/crates/RUSTSEC-2026-0174.json
JSON Data
https://api.osv.dev/v1/vulns/RUSTSEC-2026-0174
Published
2026-03-11T12:00:00Z
Modified
2026-06-08T16:30:03.596256414Z
Summary
`Authorization::value` and `WwwAuthenticate::value` can violate ASCII invariants
Details

Authorization::value uses HeaderValue::value with the claim that the internal string is ASCII, but Authorization::new and Authorization::set_credentials accept arbitrary String credentials without validation. As a result, safe code can construct a header value containing non-ASCII UTF-8 while the implementation assumes ASCII.

WwwAuthenticate::new and WwwAuthenticate::set_realm similarly accept arbitrary String input, so WwwAuthenticate::value can also produce a header value that violates the crate’s documented ASCII invariants.

This issue has not been confirmed as Undefined Behavior, but the unsafe justification in Authorization::value and WwwAuthenticate::value appears incorrect and can produce values outside the expected ASCII-only constraints.

The http-types crate is unmaintained and the issue is unlikely to be fixed.
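
Because no fix is expected, callers that stay on the crate can validate strings themselves before handing them to Authorization::new, Authorization::set_credentials, WwwAuthenticate::new or WwwAuthenticate::set_realm. The following is an added example, not code from the advisory or from http-types; it uses only the standard library, the names `HeaderTextError` and `check_header_text` are hypothetical, and it also rejects control characters, which is stricter than the ASCII invariant the advisory names.

```rust
// Added example: caller-side validation using only the standard library.
// `HeaderTextError` and `check_header_text` are hypothetical names and are
// not part of the http-types API.

#[derive(Debug, PartialEq)]
pub enum HeaderTextError {
    /// A character outside the ASCII range, at the given byte offset.
    NonAscii { offset: usize, ch: char },
    /// An ASCII control character (CR, LF, NUL, DEL, ...) at the given byte offset.
    Control { offset: usize, byte: u8 },
}

/// Accept only printable ASCII (0x20..=0x7E) plus horizontal tab.
/// Returns the input unchanged on success so the call can be chained.
pub fn check_header_text(input: &str) -> Result<&str, HeaderTextError> {
    for (offset, ch) in input.char_indices() {
        if !ch.is_ascii() {
            // This is the case the advisory describes: valid UTF-8 that is
            // not ASCII reaching code that assumes ASCII.
            return Err(HeaderTextError::NonAscii { offset, ch });
        }
        let byte = ch as u8;
        if byte != b'\t' && !(0x20..=0x7e).contains(&byte) {
            // Stricter than the advisory: CR/LF and other control bytes
            // are refused as well.
            return Err(HeaderTextError::Control { offset, byte });
        }
    }
    Ok(input)
}

fn main() {
    // Constructed sample inputs: plain ASCII, non-ASCII UTF-8, embedded CR/LF.
    let samples = ["dXNlcjpwYXNz", "p\u{e4}ssword", "realm\r\nX-Injected: 1"];
    for s in samples.iter() {
        match check_header_text(s) {
            Ok(v) => println!("ok: {:?}", v),
            Err(e) => println!("rejected {:?}: {:?}", s, e),
        }
    }
}
```
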

Database specific
{
    "license": "CC0-1.0"
}
References

Affected packages

crates.io / http-types

Package

Affected ranges

Type
SEMVER
Events
Introduced
0.0.0-0

Ecosystem specific

{
    "affects": {
        "arch": [],
        "functions": [],
        "os": []
    },
    "affected_functions": null
}

Database specific

categories
[]
cvss
null
informational
"notice"
source
"https://github.com/rustsec/advisory-db/blob/osv/crates/RUSTSEC-2026-0174.json"