RUSTSEC-2026-0049: rustls-webpki 0.101.7 pulled in via legacy TLS stack #134

@suonto

Description

Summary

aws-s3-transfer-manager v0.1.3 transitively introduces rustls-webpki 0.101.7 because its dependencies on aws-config and aws-sdk-s3 enable the default rustls feature, which pulls in the legacy rustls 0.21 + hyper 0.14 stack.

This causes cargo deny to flag RUSTSEC-2026-0049 in any downstream workspace that uses this crate, with no way to override it from the consumer side.

Steps to reproduce

Add aws-s3-transfer-manager to any workspace and run:

cargo deny check advisories

You will see:

error[A]: found vulnerable crate
   ┌─ ...
   │
   │ rustls-webpki = 0.101.7
   │
   = ID: RUSTSEC-2026-0049

Root cause

In aws-s3-transfer-manager's own Cargo.toml, aws-config and aws-sdk-s3 are declared without default-features = false. This enables the rustls feature on both, which brings in rustls 0.21 and its dependency rustls-webpki 0.101.7.

Consumers cannot override this because Cargo's feature unification only adds features — it cannot remove a feature that a dependency has already declared.
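To see this from the consumer side, the chain and the features unified onto each hop can be read out of the resolver graph, much as `cargo tree -i rustls-webpki@0.101.7 -e features` shows it. The script below is an added example, not code from this issue or from aws-s3-transfer-manager; it works on the JSON that `cargo metadata --format-version 1` prints, and the SAMPLE graph is constructed and trimmed to the chain described above (intermediate crates and most fields omitted, "reg#" standing in for the crates.io source prefix).

```python
"""Trace which chain pulls a crate (here rustls-webpki 0.101.7) into a workspace and
which features are enabled on each hop. Added example for this issue, not project
code. Input: the dict that `cargo metadata --format-version 1` emits as JSON."""
from collections import deque

# Constructed, trimmed cargo-metadata document (real output has many more fields
# and intermediate crates; "reg#" stands in for the crates.io source prefix).
SAMPLE = {
    "workspace_members": ["path+file:///ws/app#0.1.0"],
    "packages": [
        {"id": "path+file:///ws/app#0.1.0", "name": "app", "version": "0.1.0"},
        {"id": "reg#aws-s3-transfer-manager@0.1.3", "name": "aws-s3-transfer-manager", "version": "0.1.3"},
        {"id": "reg#aws-config@1.6.0", "name": "aws-config", "version": "1.6.0"},
        {"id": "reg#rustls@0.21.0", "name": "rustls", "version": "0.21.0"},
        {"id": "reg#rustls-webpki@0.101.7", "name": "rustls-webpki", "version": "0.101.7"},
    ],
    "resolve": {"nodes": [
        {"id": "path+file:///ws/app#0.1.0", "dependencies": ["reg#aws-s3-transfer-manager@0.1.3"], "features": []},
        {"id": "reg#aws-s3-transfer-manager@0.1.3", "dependencies": ["reg#aws-config@1.6.0"], "features": ["default"]},
        # Feature unification keeps "rustls" on because the transfer manager left defaults enabled.
        {"id": "reg#aws-config@1.6.0", "dependencies": ["reg#rustls@0.21.0"], "features": ["default", "rustls", "rt-tokio"]},
        {"id": "reg#rustls@0.21.0", "dependencies": ["reg#rustls-webpki@0.101.7"], "features": []},
        {"id": "reg#rustls-webpki@0.101.7", "dependencies": [], "features": []},
    ]},
}


def trace(meta, name, version):
    """Return [(label, features), ...] from a workspace member down to name@version,
    or None when that crate is not in the resolved graph at all."""
    labels = {p["id"]: f'{p["name"]}@{p["version"]}' for p in meta["packages"]}
    nodes = {n["id"]: n for n in meta["resolve"]["nodes"]}
    target = next((i for i, lbl in labels.items() if lbl == f"{name}@{version}"), None)
    if target is None:
        return None
    dependents = {}  # reverse edges: crate id -> ids of the crates that depend on it
    for n in nodes.values():
        for dep in n["dependencies"]:
            dependents.setdefault(dep, []).append(n["id"])
    roots, seen, queue = set(meta["workspace_members"]), {target}, deque([[target]])
    while queue:  # BFS upward through dependents; the first root reached is the shortest chain
        path = queue.popleft()
        if path[-1] in roots:
            return [(labels[i], nodes[i]["features"]) for i in reversed(path)]
        for parent in dependents.get(path[-1], []):
            if parent not in seen:
                seen.add(parent)
                queue.append(path + [parent])
    return None
```

Run `trace(json.load(open("metadata.json")), "rustls-webpki", "0.101.7")` against a real `cargo metadata` dump; after the suggested fix the call returns None, and before it the aws-config hop lists the `rustls` feature.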

Suggested fix

In Cargo.toml, switch the AWS SDK dependencies to disable default features and explicitly opt into the modern TLS stack:

aws-config = { version = "...", default-features = false, features = ["behavior-version-latest", "default-https-client", "rt-tokio"] }
aws-sdk-s3 = { version = "...", default-features = false, features = ["behavior-version-latest", "default-https-client", "rt-tokio"] }

This eliminates the legacy rustls 0.21 / hyper 0.14 stack entirely and resolves the advisory.

Context

  • RUSTSEC-2026-0049 affects rustls-webpki >= 0.102.0-alpha.0; the 0.101.7 version pulled in here is technically in an unaffected range, but it is still flagged by cargo deny because it is an old, diverged branch of the crate.
  • The AWS SDK itself shipped this exact migration in March 2025 (release-2025-03-11, aws-config v1.6.0). The official migration guide is in aws-sdk-rust discussion #1257 and documents the default-features = false + default-https-client pattern used in the suggested fix above.
  • smithy-rs#4576 (filed 2026-03-24) tracks the same problem in smithy-rs itself: the legacy hyper-rustls 0.24 / rustls-webpki 0.101.7 stack is still compiled by default and now flagged as a security liability.
  • Downstream consumers are currently forced to add an ignore entry in their deny.toml as a workaround.
