Lucene search
K
RustsecMost viewed

1141 matches found

RustSec
RustSec
added 2026/05/02 12:0 p.m.16 views

Integer overflow in `array::ReadWrite::new()` leading to potential memory corruption

In array::ReadWrite::new line 83 of accessor/src/array.rs, let bytes = mem::sizeof:: len can overflow usize when len is very large. In release mode, this silently wraps, potentially making bytes = 0. The mapper then maps with 0 bytes, and subsequent accesses e.g. readvolatileat lead to undefined...

5.9AI score
Exploits0
RustSec
RustSec
added 2026/03/14 12:0 p.m.16 views

`tracing-ethers` was removed from crates.io due to malicious code

The tracing-ethers crate attempted to exfiltrate ssh keys to an app hosted on vercel.app The malicious crate had 9 version published on 2026-03-09 approximately 5 days before removal and had no evidence of actual downloads. There were no crates depending on this crate on crates.io. Thanks to the...

5.8AI score
Exploits0
RustSec
RustSec
added 2026/01/07 12:0 p.m.16 views

`IterMut` violates Stacked Borrows by invalidating internal pointer

Affected versions of this crate contain a soundness issue in the IterMut iterator implementation. The IterMut::next and IterMut::nextback methods temporarily create an exclusive reference to the key when dereferencing the internal node pointer. This invalidates the shared pointer held by the...

6.9AI score
Exploits0Affected Software1
RustSec
RustSec
added 2025/03/10 12:0 p.m.16 views

`tree-sitter-pkl` was removed from crates.io for malicious code

tree-sitter-pkl was part of a campaign that attempted to exfiltrate environmental data from the host. The malicious crate had 1 version published in March 2025, and had no evidence of actual usage. This crate had no dependencies on crates.io...

5.9AI score
Exploits0
RustSec
RustSec
added 2024/06/26 12:0 p.m.16 views

`derivative` is unmaintained; consider using an alternative

The derivative crate is no longer maintained. Consider using any alternative, for instance: - derivemore - derive-where - educe...

7.2AI score
Exploits0
RustSec
RustSec
added 2023/09/25 12:0 p.m.16 views

Tungstenite allows remote attackers to cause a denial of service

The Tungstenite crate through 0.20.0 for Rust allows remote attackers to cause a denial of service minutes of CPU consumption via an excessive length of an HTTP header in a client handshake. The length affects both how many times a parse is attempted e.g., thousands of times and the average amoun...

7.5CVSS7.2AI score0.0162EPSS
Exploits1Affected Software1
RustSec
RustSec
added 2023/06/01 12:0 p.m.16 views

`users` crate is unmaintained

The users crate hasn't seen any action since 2020-10-08. The developer seems MIA since. Recommended alternatives - uzers - sysinfo MIA: https://github.com/ogham/rust-users/issues/54 uzers: https://crates.io/crates/uzers sysinfo: https://crates.io/crates/sysinfo...

7.2AI score
Exploits0
RustSec
RustSec
added 2023/03/31 12:0 p.m.16 views

Initialisation failure in `Once::try_call_once` can lead to undefined behaviour for other initialisers

Once::trycallonce is unsound if invoked more than once concurrently and any call fails to initialise successfully...

6.7AI score
Exploits0Affected Software1
RustSec
RustSec
added 2023/03/14 12:0 p.m.16 views

Gitoxide has renamed its crates.

All crates in the gitoxide project have been renamed from git- to gix-. The git- prefixed crates are no longer being updated. Switch to using gix-hash to continue receiving updates...

6.8AI score
Exploits0
RustSec
RustSec
added 2023/01/21 12:0 p.m.16 views

`kuchiki` is unmaintained

The kuchiki repo was marked as archived in this commit. Possible Alternatives Possible alternatives may include: - kuchikiki - html5ever - xml-rs...

6.9AI score
Exploits0
RustSec
RustSec
added 2022/11/30 12:0 p.m.16 views

parity-util-mem Unmaintained

The crate has been deprecated and will receive no updates with no repository source. The crate has a warning surrounding it's use related to global allocator use that may lead to UB...

1AI score
Exploits0
RustSec
RustSec
added 2022/10/22 12:0 p.m.16 views

Invalid use of `mem::uninitialized` causes `use-of-uninitialized-value`

The compression and decompression function used mem:uninitialized to create an array of uninitialized values, to later write values into it. This later leads to reads from uninitialized memory. The flaw was corrected in commit b633bf265e41c60dfce3be7eac4e4dd5e18d06cf by using a heap-allocated Vec...

2.1AI score
Exploits0Affected Software1
RustSec
RustSec
added 2022/10/01 12:0 p.m.16 views

Crate `parity-wasm` deprecated by the author

This PR explicitly deprecates parity-wasm. The author recommends switching to wasm-tools...

1.8AI score
Exploits0
RustSec
RustSec
added 2022/08/04 12:0 p.m.16 views

Interledger is Unmaintained

Interledger family of crates is not being actively maintained anymore. The owner of the published crate does not appear to be responsive. There is an outstanding concern around username comparison. This concern may or may not be resolved by bumping up the dependencies of the project...

2.9AI score
Exploits0
RustSec
RustSec
added 2022/05/22 12:0 p.m.16 views

Use after free in Neon external buffers

Neon provides functionality for creating JavaScript ArrayBuffer and the Buffer subtype instances backed by bytes allocated outside of V8/Node. The JsArrayBuffer::external and JsBuffer::external did not require T: 'static prior to Neon 0.10.1. This allowed creating an externally backed buffer from...

1.4AI score
Exploits0Affected Software1
RustSec
RustSec
added 2022/05/11 12:0 p.m.16 views

double-checked-cell is unmaintained

The author recommends switching to oncecell, which offers a superset of the functionality...

3.5AI score
Exploits0
RustSec
RustSec
added 2022/05/11 12:0 p.m.16 views

`static_type_map` has been renamed to `erased_set`

Please use the erasedset crate going forward: There will be no further releases of statictypemap...

Exploits0
RustSec
RustSec
added 2022/02/25 12:0 p.m.16 views

Post-Quantum Signature scheme Rainbow level I parametersets broken

Ward Beullens found a practical key-recovery attack against Rainbow. The level I parametersets are removed from liboqs starting from version 0.7.2. Find the scientific details in Breaking Rainbow Takes a Weekend on a Laptop. This means all the oqs::sig::Algorithm::RainbowI variants are insecure...

4.2AI score
Exploits0Affected Software1
RustSec
RustSec
added 2022/01/10 12:0 p.m.16 views

Unsoundness in `dashmap` references

Reference returned by some methods of Ref and similar types may outlive the Ref and escape the lock. This causes undefined behavior and may result in a segfault. More information in dashmap167 issue...

2.4AI score
Exploits0Affected Software1
RustSec
RustSec
added 2022/01/01 12:0 p.m.16 views

Stack overflow in rustc_serialize when parsing deeply nested JSON

When parsing JSON using json::Json::fromstr, there is no limit to the depth of the stack, therefore deeply nested objects can cause a stack overflow, which aborts the process. Example code that triggers the vulnerability is rust fn main let = rustcserialize::json::Json::fromstr&"0,".repeat10000;...

3.6AI score
Exploits0
RustSec
RustSec
added 2021/12/25 12:0 p.m.16 views

cargo-download is unmaintained

The cargo download subcommand via cargo-download crate is broken and maintainer has disappeared from GitHub and hasn't had any commits for a year. Using this downloader will result to corrupted crates. Maintainer has not responded to maintenance takeover. Just use wget / curl directly...

2.2AI score
Exploits0
RustSec
RustSec
added 2021/12/24 12:0 p.m.16 views

dotenv is Unmaintained

dotenv by description is meant to be used in development or testing only. Using this in production may or may not be advisable. Alternatives The below may or may not be feasible alternatives: - dotenvycodegenimpl...

1.8AI score
Exploits0
RustSec
RustSec
added 2021/08/16 12:0 p.m.16 views

spirv_headers is unmaintained, use spirv instead

Because of versioning issues; the spirvheaders crate is unmaintained. Use spirv for parsing spirv files...

2.9AI score
Exploits0
RustSec
RustSec
added 2021/07/19 12:0 p.m.16 views

Links in archive can create arbitrary directories

When unpacking a tarball that contains a symlink the tar crate may create directories outside of the directory it's supposed to unpack into. The function errors when it's trying to create a file, but the folders are already created at this point. rust use std::io, io::Result; use tar::Archive,...

7.5CVSS0.6AI score0.01392EPSS
Exploits1Affected Software1
RustSec
RustSec
added 2021/05/27 12:0 p.m.16 views

File exposure in pleaser

pleaser before 0.4 allows a local unprivileged attacker to gain knowledge about the existence of files or directories in privileged locations via the searchpath function, the --check option, or the -d option...

3.3CVSS5AI score0.00426EPSS
Exploits1Affected Software1
RustSec
RustSec
added 2021/04/29 12:0 p.m.16 views

`aes-ctr` has been merged into the `aes` crate

Please use the aes crate going forward. The new repository location is at: The aes crate now has an optional ctr feature which autodetects SIMD features on i686/x86-64 targets and uses them if available, or otherwise falls back to the implementation in the ctr crate. If you would prefer not to ha...

Exploits0
RustSec
RustSec
added 2021/04/07 12:0 p.m.16 views

`sass-rs` has been deprecated

The sass-rs crate is not maintained anymore as libsass is deprecated. Consider using https://github.com/connorskees/grass or https://github.com/kaj/rsass instead. Author's recommendation...

1.1AI score
Exploits0
RustSec
RustSec
added 2021/02/04 12:0 p.m.16 views

office is unmaintained, use calamine instead

The office crate is unmaintained. Use calamine for reading excel files. Contact the office author for ownership of the package name...

3.3AI score
Exploits0
RustSec
RustSec
added 2021/01/17 12:0 p.m.16 views

Missing Send bound for Lazy

All current versions of this crate allow causing data races in safe code. The flaw will be fixed in the next release...

5.3CVSS3.3AI score0.01314EPSS
Exploits0Affected Software1
RustSec
RustSec
added 2020/12/31 12:0 p.m.16 views

`FixedCapacityDequeLike::clone()` can cause dropping uninitialized memory

Affected versions of this crate don't guard against panics, so that partially uninitialized buffer is dropped when user-provided T::clone panics in FixedCapacityDequeLike::clone. This causes memory corruption...

9.8CVSS5.5AI score0.01119EPSS
Exploits0Affected Software1
RustSec
RustSec
added 2020/12/31 12:0 p.m.16 views

`read` on uninitialized buffer may cause UB (bite::read::BiteReadExpandedExt::read_framed_max)

Affected versions of this crate calls a user provided Read implementation on an uninitialized buffer. Read on uninitialized buffer is defined as undefined behavior in Rust...

7.5CVSS3.5AI score0.01059EPSS
Exploits0
RustSec
RustSec
added 2020/12/18 12:0 p.m.16 views

ButtplugFutureStateShared allows data race to (!Send|!Sync) objects

ButtplugFutureStateShared implements Send & Sync regardless of T. If T: !Send for ButtplugFutureStateShared, it is possible to move non-Send types across thread boundaries e.g. T=Rc and lead to undefined behavior. If T: !Sync for ButtplugFutureStateShared, it is possible to cause data race to T...

5.9CVSS1.5AI score0.01107EPSS
Exploits1Affected Software1
RustSec
RustSec
added 2020/12/10 12:0 p.m.16 views

Multiple soundness issues in `Ptr`

Affected versions of this crate have the following issues: 1. Ptr implements Send and Sync for all types, this can lead to data races by sending non-thread safe types across threads. 2. Ptr::get violates mutable alias rules by returning multiple mutable references to the same object. 3. Ptr::writ...

5.9CVSS2AI score0.00978EPSS
Exploits2
RustSec
RustSec
added 2020/01/20 12:0 p.m.16 views

rust_sodium is unmaintained; switch to a modern alternative

The rustsodium crate is no longer maintained by its current owner, who advise in the repository readme that they are looking for someone else to take ownership of it. We recommend you switch to an alternative crate such as: - sodiumoxide...

3.3AI score
Exploits0Affected Software1
RustSec
RustSec
added 2019/06/20 12:0 p.m.16 views

`boxfnonce` obsolete with release of Rust 1.35.0

This commit marks the boxfnonce crate as obsolete and the GitHub repo has since been archived. The functionality of boxfnonce has been added to Rust since 1.35.0. Use Box...

1.1AI score
Exploits0
RustSec
RustSec
added 2018/07/31 12:0 p.m.16 views

chan is end-of-life; use crossbeam-channel instead

chan has reached its end-of-life and is now deprecated. The intended successor of this crate is crossbeam-channel. Its API is strikingly similar, but comes with a much better select! macro, better performance, a better test suite and an all-around better implementation...

1.3AI score
Exploits0Affected Software1
RustSec
RustSec
added 2018/06/21 12:0 p.m.16 views

An integer underflow could lead to panic

A mistake in error handling in untrusted before 0.6.2 could lead to an integer underflow and panic if a user of the crate didn't properly check for errors returned by untrusted. Combination of these two programming errors one in untrusted and another by user of this crate could lead to a panic an...

7.5CVSS3AI score0.01411EPSS
Exploits0Affected Software1
RustSec
RustSec
added 2018/02/13 12:0 p.m.16 views

`tempdir` crate has been deprecated; use `tempfile` instead

The tempdir crate has been deprecated and the functionality is merged into tempfile...

1.3AI score
Exploits0
RustSec
RustSec
added 2026/05/16 12:0 p.m.15 views

OCI layer symlink escape → arbitrary host write

Affected versions of boxlite extract OCI image layer tarballs without fully containing path resolution to the extraction root. A crafted layer containing a symlink whose target is an absolute on-host path e.g. escape - /tmp followed by a file entry that resolves through that symlink e.g...

9.6CVSS5.8AI score0.00482EPSS
Exploits0Affected Software1
RustSec
RustSec
added 2026/05/15 12:0 p.m.15 views

Unbounded 32-bit allocation

Both the SSH agent server and client accepted peer-controlled frame lengths without enforcing a maximum frame size. This could cause large memory allocations while parsing a maliciously crafted agent frame. A malicious peer could advertise an oversized frame length, causing the client or server t...

7.5CVSS5.9AI score0.00263EPSS
Exploits0Affected Software1
RustSec
RustSec
added 2026/04/24 12:0 p.m.15 views

Possible UTF-8 corruption in Diesels SQLite backend

Diesel uses the sqlite3valuetext function to receive strings from SQLite while deserializing query results. We misinterpreted the corresponding SQLite documentation that this function always returns a UTF-8 encoded string values as const cchar. Based on that we used str::fromutf8unchecked to...

5.9AI score
Exploits0Affected Software1
RustSec
RustSec
added 2026/04/24 12:0 p.m.15 views

Unsound transmute while debug/display printing batch Insert statements in Diesel's SQLite backend

Diesel allows users to output the generated SQL for any query DSL construct via th diesel::debugquery function as Display and Debug output. For the particular implementation used by batch Insert statements in the SQLite backend Diesel relied on an unspecified transmute between types with a reprru...

5.9AI score
Exploits0Affected Software1
RustSec
RustSec
added 2026/04/23 12:0 p.m.15 views

bare-metal is deprecated

The bare-metal crate has been deprecated and archived. For Mutex and CriticalSection, see the critical-section crate instead...

5.2AI score
Exploits0
RustSec
RustSec
added 2026/02/20 12:0 p.m.15 views

`polymarkets-rs-clob-client` was removed from crates.io for malicious code

This is part of an ongoing campaign to attempt to typosquat crates in the polymarket-client-sdk ecosystem to exfiltrate user credentials. The malicious crate had 1 version published on 2026-02-19 approximately 20 hours before removal and had no evidence of actual downloads. There were no crates...

5.5AI score
Exploits0
RustSec
RustSec
added 2026/02/05 12:0 p.m.15 views

Denial of Service via Stack Exhaustion

Impact When user-provided input is provided to any type that parses with the RFC 2822 format, a denial of service attack via stack exhaustion is possible. The attack relies on formally deprecated and rarely-used features that are part of the RFC 2822 format used in a malicious manner. Ordinary,...

6.8CVSS5.4AI score0.00291EPSS
Exploits0Affected Software1
RustSec
RustSec
added 2025/10/18 12:0 p.m.15 views

`unic-emoji-char` is unmaintained

All Unicode crates that are part of https://github.com/open-i18n/rust-unic are unmaintained. Recommended alternatives - icuproperties...

7AI score
Exploits0
RustSec
RustSec
added 2025/03/08 12:0 p.m.15 views

humantime is unmaintained

Latest humantime crates.io release is four years old and GitHub repository has not seen commits in four years. Question about maintenance status has not gotten any reaction from maintainer: https://github.com/tailhook/humantime/issues/31 Update: maintained again The maintainer has responded and...

7.1AI score
Exploits0
RustSec
RustSec
added 2024/11/22 12:0 p.m.15 views

rustls network-reachable panic in `Acceptor::accept`

A bug introduced in rustls 0.23.13 leads to a panic if the received TLS ClientHello is fragmented. Only servers that use rustls::server::Acceptor::accept are affected. Servers that use tokio-rustls's LazyConfigAcceptor API are affected. Servers that use tokio-rustls's TlsAcceptor API are not...

7.5CVSS7AI score0.00707EPSS
Exploits1Affected Software1
RustSec
RustSec
added 2023/10/15 12:0 p.m.15 views

Sequential calls of encryption API (`encrypt`, `wrap`, and `dump`) result in nonce reuse

Problem: Trying to create a new encrypted message with the same cocoon object generates the same ciphertext. It mostly affects MiniCocoon and Cocoon objects with custom seeds and RNGs where StdRng is used under the hood. Note: The issue does NOT affect objects created with Cocoon::new which...

4.5CVSS7.1AI score0.0014EPSS
Exploits0Affected Software1
RustSec
RustSec
added 2023/04/17 12:0 p.m.15 views

Adverserial use of `make_bitflags!` macro can cause undefined behavior

The macro relied on an expression of the form Enum::Variant always being a variant of the enum. However, it may also be an associated integer constant, in which case there's no guarantee that the value of said constant consists only of bits valid for this bitflag type. Thus, code like this could...

6.8AI score
Exploits0Affected Software1
Total number of security vulnerabilities1141