error[vulnerability]: Denial of Service via Stack Exhaustion
┌─ /github/workspace/Cargo.lock:301:1
│
301 │ time 0.3.45 registry+https://github.com/rust-lang/crates.io-index
│ ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ security vulnerability detected
│
├ ID: RUSTSEC-2026-0009
├ Advisory: https://rustsec.org/advisories/RUSTSEC-2026-0009
├ ## Impact
When user-provided input is provided to any type that parses with the RFC 2822 format, a denial of
service attack via stack exhaustion is possible. The attack relies on formally deprecated and
rarely-used features that are part of the RFC 2822 format used in a malicious manner. Ordinary,
non-malicious input will never encounter this scenario.
## Patches
A limit to the depth of recursion was added in v0.3.47. From this version, an error will be returned
rather than exhausting the stack.
## Workarounds
Limiting the length of user input is the simplest way to avoid stack exhaustion, as the amount of
the stack consumed would be at most a factor of the length of the input.
├ Announcement: https://github.com/time-rs/time/blob/main/CHANGELOG.md#0347-2026-02-05
├ Solution: Upgrade to >=0.3.47 (try `cargo update -p time`)
├ time v0.3.45
