CVE-2021-23514

This affects the package Crow before 0.3+4. It is possible to traverse directories to fetch arbitrary files from the server.

CVE-2022-38668

HTTP applications (servers) based on Crow through 1.0+4 may reveal potentially sensitive uninitialized data from stack memory when fulfilling a request for a static file smaller than 16 KB.