28 matches found

EUVD
added 2025/10/03 8:7 p.m. · 2 views

EUVD-2022-0497

Malicious code in bioql PyPI...

CVSS 9.8 · AI score 9.2 · EPSS 0.00466
Exploits 0 · References 6

EUVD
added 2025/10/03 8:7 p.m. · 2 views

EUVD-2022-0582

Malicious code in bioql PyPI...

CVSS 8.1 · AI score 8 · EPSS 0.0018
Exploits 0 · References 6

EUVD
added 2025/10/03 8:7 p.m. · 1 view

EUVD-2022-3359

Malicious code in bioql PyPI...

CVSS 7.5 · AI score 6.4 · EPSS 0.00181
Exploits 1 · References 7

OSV
added 2025/07/05 1:15 a.m. · 2 views

AZL-65592 CVE-2025-53605 affecting package rust for versions less than 1.72.0-11

The protobuf crate before 3.7.2 for Rust allows uncontrolled recursion in the protobuf::coded_input_stream::CodedInputStream::skip_group parsing of unknown fields in untrusted input...

CVSS 5.9 · AI score 5.7 · EPSS 0.00175
Exploits 0 · References 1

Positive Technologies
added 2025/03/07 12:0 a.m. · 3 views

PT-2025-28031 · Protobuf +1

Name of the Vulnerable Software and Affected Versions: protobuf crate for Rust versions prior to 3.7.2 Description: The issue allows uncontrolled recursion in the protobuf::coded_input_stream::CodedInputStream::skip_group function when parsing unknown fields in untrusted input. This can occur due...

CVSS 8.7 · AI score 6.3 · EPSS 0.00175
Exploits 0 · References 21

OSV
added 2024/10/09 6:15 p.m. · 1 view

DEBIAN-CVE-2024-47763

Wasmtime is an open source runtime for WebAssembly. Wasmtime's implementation of WebAssembly tail calls combined with stack traces can result in a runtime crash in certain WebAssembly modules. The runtime crash may be undefined behavior if Wasmtime was compiled with Rust 1.80 or prior. The runtim...

CVSS 5.5 · AI score 5.5 · EPSS 0.00007
Exploits 0 · References 1

OSV
added 2024/10/09 6:3 p.m. · 4 views

CVE-2024-47763 Wasmtime runtime crash when combining tail calls with trapping imports

Wasmtime is an open source runtime for WebAssembly. Wasmtime's implementation of WebAssembly tail calls combined with stack traces can result in a runtime crash in certain WebAssembly modules. The runtime crash may be undefined behavior if Wasmtime was compiled with Rust 1.80 or prior. The runtim...

CVSS 5.5 · AI score 6.8 · EPSS 0.00007
Exploits 0 · References 8

Positive Technologies
added 2024/09/25 12:0 a.m. · 2 views

PT-2024-40922 · Atty +1

Name of the Vulnerable Software and Affected Versions: atty affected versions not specified Description: The maintainer of atty has announced that the crate is no longer under development. Users are recommended to rely on the functionality in the standard library's IsTerminal trait instead...

AI score 7.2
Exploits 0 · References 4

Hacker One
added 2024/09/16 4:45 p.m. · 8 views

Internet Bug Bounty: `std::process::Command` batch files argument escaping could be bypassed with trailing whitespace or periods

The Rust Security Response WG disclosed a vulnerability in the std::process::Command module on Windows, where it incorrectly escaped arguments when invoking batch files. This allowed for bypassing the fix by including trailing whitespace or periods in the batch file name, which are ignored and...

CVSS 10 · AI score 6.7 · EPSS 0.80539
Exploits 10

RustSec
added 2024/07/01 12:0 p.m. · 3 views

Incorrect usage of `#[repr(packed)]`

The affected versions make unsafe memory accesses under the assumption that `#[repr(packed)]` has a guaranteed field order. The Rust specification does not guarantee this, and https://github.com/rust-lang/rust/pull/125360 (1.80.0-beta) starts reordering fields of `#[repr(packed)]` structs, leading to illegal...

AI score 7
Exploits 0 · Affected Software 1

Positive Technologies
added 2024/07/01 12:0 a.m. · 1 view

PT-2024-40912 · Softwarex +1

Name of the Vulnerable Software and Affected Versions: SoftwareX versions prior to 0.9.7 SoftwareX versions prior to 0.10.3 Description: The issue arises from unsafe memory accesses due to the assumption that `#[repr(packed)]` guarantees a specific field order in structs. However, the Rust specification...

AI score 7.2
Exploits 0 · References 3

OSV
added 2024/04/26 6:15 p.m. · 1 view

AZL-40229 CVE-2024-32884 affecting package rust for versions less than 1.75.0-9

gitoxide is a pure Rust implementation of Git. gix-transport does not check the username part of a URL for text that the external ssh program would interpret as an option. A specially crafted clone URL can smuggle options to SSH. The possibilities are syntactically limited, but if a malicious clo...

CVSS 6.4 · AI score 7.1 · EPSS 0.00087
Exploits 0 · References 1

Amazon
added 2023/09/25 12:0 a.m. · 2 views

Important: ecs-service-connect-agent

Issue Overview: Wasmtime is a standalone runtime for WebAssembly. Prior to versions 6.0.2, 7.0.1, and 8.0.1, Wasmtime's implementation of managing per-instance state, such as tables and memories, contains LLVM-level undefined behavior. This undefined behavior was found to cause runtime-level issu...

CVSS 9.8 · AI score 7.2 · EPSS 0.00343
Exploits 3

OSV
added 2023/03/30 8:15 p.m. · 3 views

AZL-25812 CVE-2023-27533 affecting package rust for versions less than 1.72.0-2

A vulnerability in input validation exists in curl 8.0 during communication using the TELNET protocol may allow an attacker to pass on maliciously crafted user name and "telnet options" during server negotiation. The lack of proper input scrubbing allows an attacker to send content or perform...

CVSS 8.8 · AI score 7.1 · EPSS 0.00179
Exploits 1 · References 1

OSV
added 2023/02/09 8:15 p.m. · 0 views

AZL-13289 CVE-2022-43552 affecting package rust for versions less than 1.72.0-2

A use after free vulnerability exists in curl 7.87.0. Curl can be asked to tunnel virtually all protocols it supports through an HTTP proxy. HTTP proxies can and often do deny such tunnel operations. When getting denied to tunnel the specific protocols SMB or TELNET, curl would use a heap-allocat...

CVSS 5.9 · AI score 6.7 · EPSS 0.00104
Exploits 1 · References 1

Debian CVE
added 2023/01/11 8:7 p.m. · 22 views

CVE-2022-46176

Cargo is a Rust package manager. The Rust Security Response WG was notified that Cargo did not perform SSH host key verification when cloning indexes and dependencies via SSH. An attacker could exploit this to perform man-in-the-middle (MITM) attacks. This vulnerability has been assigned...

CVSS 5.9 · AI score 5.2 · EPSS 0.00149
Exploits 0

UbuntuCve
added 2023/01/11 12:0 a.m. · 49 views

CVE-2022-46176

Cargo is a Rust package manager. The Rust Security Response WG was notified that Cargo did not perform SSH host key verification when cloning indexes and dependencies via SSH. An attacker could exploit this to perform man-in-the-middle (MITM) attacks. This vulnerability has been assigned...

CVSS 5.9 · AI score 6.1 · EPSS 0.00149
Exploits 0 · References 3

OSV
added 2022/12/05 10:15 p.m. · 1 view

AZL-31039 CVE-2022-35256 affecting package rust for versions less than 1.68.0-1

The llhttp parser in the http module in Node v18.7.0 does not correctly handle header fields that are not terminated with CRLF. This may result in HTTP Request Smuggling...

CVSS 6.5 · AI score 7 · EPSS 0.03694
Exploits 1 · References 1

OSV
added 2022/05/24 4:57 p.m. · 3 views

GHSA-9F3P-WVJ7-Q82X Cargo prior to Rust 1.26.0 may download the wrong dependency

Cargo prior to Rust 1.26.0 may download the wrong dependency if your package.toml file uses the package configuration key. Usage of the package key to rename dependencies in Cargo.toml is ignored in Rust 1.25.0 and prior. When Rust 1.25.0 and prior is used Cargo may download the wrong dependency,...

CVSS 7.5 · AI score 7.4 · EPSS 0.00181
Exploits 1 · References 6

OSV
added 2022/01/21 7:15 a.m. · 0 views

AZL-41829 CVE-2022-0326 affecting package rust for versions less than 1.75.0-1

NULL Pointer Dereference in Homebrew mruby prior to 3.2...

CVSS 5.5 · AI score 5.7 · EPSS 0.00286
Exploits 1 · References 1