GHSA-gcqf-3g44-vc9p: [actix-files] Panic triggered by empty Range header in GET request for static file

February 6, 2026

A GET request for a static file served by actix-files with an empty Range header triggers a panic. With panic = "abort", a remote user may crash the process on-demand.

References

github.com/actix/actix-web
github.com/actix/actix-web/blob/0383f4bdd1210e726143ca1ebcf01169b67a4b6c/actix-files/src/named.rs
github.com/actix/actix-web/security/advisories/GHSA-gcqf-3g44-vc9p
github.com/advisories/GHSA-gcqf-3g44-vc9p

Code Behaviors & Features

Detect and mitigate GHSA-gcqf-3g44-vc9p with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →