RUSTSEC-2026-0174

`Authorization::value` and `WwwAuthenticate::value` can violate ASCII invariants

Details

`Authorization::value` uses `HeaderValue::value` with the claim that the internal string is ASCII, but `Authorization::new` and `Authorization::set_credentials` accept arbitrary `String` credentials without validation. As a result, safe code can construct a header value containing non-ASCII UTF-8 while the implementation assumes ASCII.

`WwwAuthenticate::new` and `WwwAuthenticate::set_realm` similarly accept arbitrary `String` input, so `WwwAuthenticate::value` can also produce a header value that violates the crate’s documented ASCII invariants.

This issue has not been confirmed as Undefined Behavior, but the unsafe justification in `Authorization::value` and `WwwAuthenticate::value` appears incorrect and can produce values outside the expected ASCII-only constraints.

The http-types crate is unmaintained and the issue is unlikely to be fixed.
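The pattern described above, as an added stand-alone model rather than code from http-types or this advisory: an unchecked constructor beside one that enforces the ASCII invariant on every path that writes the field. All type and function names are hypothetical, the `Basic` prefix is an assumption, and the sample input is constructed.

```rust
// Added illustration: stand-alone model of the pattern, not http-types code.
// All names below are hypothetical.

/// "Before": any String is stored, yet value() is documented as ASCII-only.
pub struct UncheckedAuth { credentials: String }

impl UncheckedAuth {
    pub fn new(credentials: String) -> Self { Self { credentials } }
    pub fn value(&self) -> String { format!("Basic {}", self.credentials) }
}

/// Error carrying the byte offset of the first non-ASCII byte.
#[derive(Debug, PartialEq)]
pub struct NonAscii { pub byte_offset: usize }

fn check_ascii(s: &str) -> Result<(), NonAscii> {
    match s.bytes().position(|b| !b.is_ascii()) {
        Some(byte_offset) => Err(NonAscii { byte_offset }),
        None => Ok(()),
    }
}

/// "After": every path that writes the field enforces the invariant.
pub struct CheckedAuth { credentials: String }

impl CheckedAuth {
    pub fn try_new(credentials: String) -> Result<Self, NonAscii> {
        check_ascii(&credentials)?;
        Ok(Self { credentials })
    }
    pub fn set_credentials(&mut self, credentials: String) -> Result<(), NonAscii> {
        check_ascii(&credentials)?; // on error the previous value is kept
        self.credentials = credentials;
        Ok(())
    }
    pub fn value(&self) -> String { format!("Basic {}", self.credentials) }
}

fn main() {
    let bad = String::from("p\u{e4}ss"); // constructed sample input
    println!("unchecked ascii: {}", UncheckedAuth::new(bad.clone()).value().is_ascii());
    println!("checked: {:?}", CheckedAuth::try_new(bad).map(|a| a.value()));
}
```

Callers that cannot replace the crate can apply the same check to credentials and realm strings before handing them to the affected constructors and setters.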

Affected packages

crates.io / http-types
Introduced in: 0.0.0-0

No fixed version published yet for http-types. Pin to a known-safe version or switch to an alternative.
