Rust Security Alert: rumqttc v0.25.1 Pins Vulnerable Dependencies, Blocks TLS Stack Updates
A dependency-resolution problem in the Rust ecosystem is keeping vulnerable code in projects that have otherwise done everything right. The MQTT client library `rumqttc v0.25.1` declares direct dependencies on outdated versions of two `rustls`-adjacent crates, and because those versions sit in a different semver-compatibility range from the patched releases, Cargo cannot move them forward on its own. The rest of a typical dependency tree (`reqwest` and `rustls v0.23.37`) has already migrated to the patched `rustls-webpki v0.103.12`; `rumqttc` forces Cargo to compile a second, older copy alongside it, so any certificate validation performed through `rumqttc`'s own use of that crate still runs the vulnerable code.
The root cause is a pair of direct dependencies in `rumqttc v0.25.1` that resolve to `rustls-webpki v0.102.8` and `rustls-pemfile v2.2.0`. Cargo treats `0.102.x` and `0.103.x` as incompatible versions of a `0.x` crate, so it links both into the build: each dependent uses the copy it declared, which means `rustls` and `reqwest` get the patched `0.103.12` while `rumqttc`'s code paths get `0.102.8`. Neither copy "wins" over the other; the vulnerable one is simply still present and still exercised, and `cargo update` cannot cross the `0.102` to `0.103` boundary without `rumqttc` changing its requirement. The advisories against `rustls-webpki` are serious: RUSTSEC-2026-0049, RUSTSEC-2026-0098 and RUSTSEC-2026-0099 cover flaws where Certificate Revocation Lists (CRLs) are not treated as authoritative and where name constraints for URI and wildcard names are incorrectly accepted, both of which bear directly on whether a server certificate is trusted. A fourth advisory, RUSTSEC-2025-0134, is not a vulnerability report but marks `rustls-pemfile v2.2.0` as unmaintained, so no fix should be expected from that crate for anything found later.
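The following is an added example, not code from `rumqttc`, `rustls` or the RustSec project: a small Rust program that applies Cargo's caret-compatibility rule to the versions named above and reports, for each dependent, whether `cargo update` can reach the patched release or whether the dependent itself must bump its requirement. The dependency snapshot is constructed from the article's own figures, and it assumes, as the article does, that `0.103.12` is the first patched `rustls-webpki` release.

```rust
// Added example (not rumqttc's or rustls' code): model why a pin on a
// semver-incompatible line cannot be fixed by `cargo update` alone.

#[derive(Debug, Clone, Copy, PartialEq, Eq, PartialOrd, Ord)]
pub struct Version {
    pub major: u64,
    pub minor: u64,
    pub patch: u64,
}

/// Parse "MAJOR.MINOR.PATCH" (an optional leading 'v' is tolerated).
pub fn parse_version(s: &str) -> Option<Version> {
    let mut parts = s.trim().trim_start_matches('v').split('.');
    let major = parts.next()?.parse().ok()?;
    let minor = parts.next()?.parse().ok()?;
    let patch = parts.next()?.parse().ok()?;
    if parts.next().is_some() {
        return None;
    }
    Some(Version { major, minor, patch })
}

/// Cargo's caret rule: two versions share one lockfile slot (and are reachable
/// from each other via `cargo update`) when their leftmost non-zero component
/// matches. For 0.x crates that means the minor number must agree.
pub fn cargo_compatible(a: Version, b: Version) -> bool {
    if a.major != b.major {
        return false;
    }
    if a.major > 0 {
        return true;
    }
    if a.minor != b.minor {
        return false;
    }
    if a.minor > 0 {
        return true;
    }
    a.patch == b.patch
}

#[derive(Debug, PartialEq, Eq)]
pub enum Remedy {
    /// Resolved version is already at or past the patched one.
    AlreadyPatched,
    /// Same compatibility range: `cargo update -p <crate>` is enough.
    CargoUpdate,
    /// Patched version lives in another range: the crate that declares the
    /// dependency must change its requirement and publish a release.
    DependentMustBump,
}

pub fn remedy(resolved: Version, patched: Version) -> Remedy {
    if resolved >= patched {
        Remedy::AlreadyPatched
    } else if cargo_compatible(resolved, patched) {
        Remedy::CargoUpdate
    } else {
        Remedy::DependentMustBump
    }
}

/// One resolved edge of a dependency tree: who requires which version of what.
pub struct Edge {
    pub dependent: &'static str,
    pub crate_name: &'static str,
    pub version: &'static str,
}

/// Constructed snapshot of the tree the article describes.
pub const TREE: &[Edge] = &[
    Edge { dependent: "rumqttc 0.25.1", crate_name: "rustls-webpki", version: "0.102.8" },
    Edge { dependent: "rustls 0.23.37", crate_name: "rustls-webpki", version: "0.103.12" },
    Edge { dependent: "reqwest", crate_name: "rustls", version: "0.23.37" },
];

/// For every edge on `crate_name`, say what it takes to reach `patched`.
pub fn triage(tree: &[Edge], crate_name: &str, patched: &str) -> Vec<(String, Remedy)> {
    let patched = parse_version(patched).expect("well-formed patched version");
    tree.iter()
        .filter(|e| e.crate_name == crate_name)
        .map(|e| {
            let v = parse_version(e.version).expect("well-formed resolved version");
            (e.dependent.to_string(), remedy(v, patched))
        })
        .collect()
}

/// Distinct versions of one crate in the tree (what `cargo tree --duplicates` lists).
pub fn duplicate_versions(tree: &[Edge], crate_name: &str) -> Vec<&'static str> {
    let mut v: Vec<&'static str> = tree
        .iter()
        .filter(|e| e.crate_name == crate_name)
        .map(|e| e.version)
        .collect();
    v.sort();
    v.dedup();
    v
}

fn main() {
    for (who, r) in triage(TREE, "rustls-webpki", "0.103.12") {
        println!("{who}: {r:?}");
    }
    println!("duplicate versions: {:?}", duplicate_versions(TREE, "rustls-webpki"));
}
```

Against the constructed tree the program reports `rumqttc 0.25.1: DependentMustBump` and `rustls 0.23.37: AlreadyPatched`, which is exactly the situation the article describes. On a real project the same question is answered by `cargo tree -d` (list duplicated crates) and `cargo tree -i rustls-webpki@0.102.8` (show who pulls the old copy in), and `cargo audit` will flag the advisories; until `rumqttc` publishes a bump, a `[patch.crates-io]` entry pointing at a fork with an updated requirement is the usual stopgap.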
Any project that reaches an MQTT broker over TLS through `rumqttc` is exposed until the crate publishes a release with updated requirements, because nothing the downstream project does with `cargo update` will remove the old copy. The weakness is not in the primary TLS client but in a secondary dependency that a mid-level crate declares and then leaves behind. This is a supply-chain weakness rather than an attack: nobody planted code, but a stale requirement in one widely used crate silently extends the life of known certificate-validation bugs in every application above it. The episode is a reminder that Rust's guarantees cover memory safety, not logic errors in certificate validation or the freshness of a dependency graph; maintainers of crates in the middle of the stack carry a disproportionate share of the ecosystem's patch latency, and downstream teams should treat `cargo audit` findings that point at a dependency they cannot update themselves as a reason to escalate, patch via a fork, or reconsider the dependency.