rustls network-reachable panic in `Acceptor::accept`
A bug introduced in rustls 0.23.13 leads to a panic if the received TLS ClientHello is fragmented. Only servers that use rustls::server::Acceptor::accept are affected. Servers that use tokio-rustls's LazyConfigAcceptor API are affected. Servers that use tokio-rustls's TlsAcceptor API are not...
Unsound FFI: Wrong API usage causes write past allocated area
The following usage causes undefined behavior: `let kp: ntru::types::KeyPair = …; kp.get_public().export(Default::default())`. When compiled with debug assertions, the code above will trigger an `attempt to subtract with overflow` panic before UB occurs. Other mistakes e.g. using EncParams from a differe...
const-cstr is Unmaintained
Last release was about five years ago. The maintainers have been unreachable to respond to any issues that may or may not include security issues. The repository is now archived and there is no security policy in place to contact the maintainers otherwise. No direct fork exists. const-cstr is...
Improper validation of Windows paths could lead to directory traversal attack
Path resolution in hyper-staticfile didn't correctly validate Windows paths meaning paths like /foo/bar/c:/windows/web/screen/img101.png would be allowed and respond with the contents of c:/windows/web/screen/img101.png. Thus users could potentially read files anywhere on the filesystem. This onl...
orbtk is Unmaintained
The orbtk crate is no longer maintained. Alternatives proposed by the authors: iced slint...
mapr is Unmaintained
The mapr fork has been merged back into upstream fork memmap2. The maintainers have advised mapr is deprecated and will not receive any maintenance in favor of using memmap2. Possible Alternatives The below list has not been vetted in any way and may or may not contain alternatives; - memmap2...
malicious crate `rustdecimal`
The Rust Security Response WG and the crates.io team were notified on 2022-05-02 of the existence of the malicious crate rustdecimal, which contained malware. The crate name was intentionally similar to the name of the popular rust_decimal crate, hoping that potential victims would misspell its...
`markdown` (1.0.0 and higher) is maintained
A new markdown crate has been brought over by a new maintainer replacing the old crate. The crate GitHub repository is now wooorm/markdown-rs. This advisory has been withdrawn since version 1.0.0 was released on 2025-04-23. markdown 0.3.0 and lower was unmaintained: The old markdown crate was no...
Improper validation of Windows paths could lead to directory traversal attack
Path resolution in warp::filters::fs::dir didn't correctly validate Windows paths meaning paths like /foo/bar/c:/windows/web/screen/img101.png would be allowed and respond with the contents of c:/windows/web/screen/img101.png. Thus users could potentially read files anywhere on the filesystem. Th...
Use-after-free due to a lifetime error in `Vec::into_iter()`
In affected versions of this crate, the lifetime of the iterator produced by Vec::into_iter is not constrained to the lifetime of the Bump that allocated the vector's memory. Using the iterator after the Bump is dropped causes use-after-free accesses. The following example demonstrates memory...
dotenv is Unmaintained
dotenv by description is meant to be used in development or testing only. Using this in production may or may not be advisable. Alternatives The below may or may not be feasible alternatives: - dotenvy...
Use after free in lru crate
The lru crate has a use-after-free vulnerability. The crate has two functions for getting an iterator. Both iterators give references to key and value. Calling specific functions, like pop, will remove and free the value, but it is still possible to access the reference of the value which is already...
Incorrect use of `set_len` allows for un-initialized memory
Affected versions of this crate pass an uninitialized buffer to a user-provided Read implementation. Arbitrary Read implementations can read from the uninitialized buffer (memory exposure) and can also return an incorrect number of bytes written to the buffer. Reading from uninitialized memory...
traitobject is Unmaintained
Crate traitobject has not had a release for over five years. In addition there is an existing security advisory that has not been addressed: - RUSTSEC-2020-0027 Possible Alternatives The below list has not been vetted in any way and may or may not contain alternatives; - destructuretraitobject...
Denial of service on EVM execution due to memory over-allocation
Prior to the patch, when executing specific EVM opcodes related to memory operations that use evm_core::Memory::copy_large, the crate can over-allocate memory when it is not needed, making it possible for an attacker to perform a denial-of-service attack. The flaw was corrected in commit 19ade85...
`cpuid-bool` has been renamed to `cpufeatures`
Please use the cpufeatures crate going forward: There will be no further releases of cpuid-bool...
AtomicBucket<T> unconditionally implements Send/Sync
In the affected versions of the crate, AtomicBucket unconditionally implements Send/Sync traits. Therefore, users can create a data race to the inner T: !Sync by using the AtomicBucket::data_with API. Such data races can potentially cause memory corruption or other undefined behavior. The flaw was...
rusttype is Unmaintained
The maintainer has advised this crate is deprecated and will not receive any maintenance. The maintainer has further advised to migrate over to ab_glyph. Last release seems to have been over two years ago. Possible Alternatives The below list has not been vetted in any way and may or may not conta...
ncollide3d is unmaintained
The maintainer has advised that this crate is passively-maintained and that it is being superseded by the Parry project...
interfaces2 is unmaintained, use interfaces instead
The interfaces2 crate is not maintained any more; use interfaces instead...
stderr is unmaintained; use eprintln instead
The stderr crate is no longer maintained by its current owner. The author recommends using the eprintln macro from the standard library as a replacement...
crate has been renamed to `sn_node`
This crate has been renamed from safe_vault to sn_node. The new repository location is:...
crate has been renamed to `sn_client`
This crate has been renamed from safe_core to sn_client. The new repository location is:...
memmap is unmaintained
The author of the memmap crate is unresponsive. Maintained alternatives: - memmap2...
convec::ConVec<T> unconditionally implements Send/Sync
Affected versions of this crate unconditionally implement Send/Sync for ConVec. This allows users to insert T that is not Send or not Sync. This allows users to create data races by using non-Send types like Arc or Rc as T in ConVec. It is also possible to create data races by using types like Ce...
`term_size` is unmaintained; use `terminal_size` instead
The term_size crate is no longer maintained. Consider using terminal_size instead...
crate has been renamed to `qp2p`
This crate has been renamed from quic-p2p to qp2p. The new repository location is:...
crate has been renamed to `sn_fake_clock`
This crate has been renamed from fake_clock to sn_fake_clock. The new repository location is:...
crate has been renamed to `cipher`
This crate has been renamed from block-cipher to cipher. The new repository location is at:...
personnummer Input validation error
A Swedish personal identity number is in the form YYMMDD-XXXX. An issue arises from the regular expression allowing the first three digits of the last four digits of the personnummer to be 000, which is invalid. To mitigate this without upgrading, a check on the last four digits can be made to make sure...
`stb_truetype` crate has been deprecated; use `ttf-parser` instead
This crate was maintained for use in rusttype which has switched to use ttf-parser...
`tokio-proto` is deprecated/unmaintained
The tokio-proto crate has been deprecated, and its GitHub repository has been archived. Users may be interested in tokio-tower instead, per https://github.com/tokio-rs/tokio/issues/118#issuecomment-452969665...
Test advisory with associated example crate
This is a test advisory useful for verifying RustSec tooling and vulnerability detection pipelines are working correctly. Aside from the fact that it is filed against an example crate, it is otherwise considered by the Advisory Database itself to be a normal security advisory. It's filed against...
term is looking for a new maintainer
The author of the term crate does not have time to maintain it and is looking for a new maintainer. Some maintained alternatives you can potentially switch to instead, depending on your needs: - crossterm - termcolor - yansi...
PAX Header Desynchronization in astral-tokio-tar
Versions of astral-tokio-tar prior to 0.6.2 contain a PAX header interpretation bug that allows manipulated entries to be made selectively visible or invisible during extraction with astral-tokio-tar versus other tar implementations. An attacker could use this differential to smuggle unexpected...
Unbounded 32-bit allocation
Both the SSH agent server and client accepted peer-controlled frame lengths without enforcing a maximum frame size. This could cause large memory allocations while parsing a maliciously crafted agent frame. A malicious peer could advertise an oversized frame length, causing the client or server t...
Possible unaligned data access for implementations of `SqliteAggregate`
Diesel allows registering custom aggregate SQL functions for SQLite via the SqliteAggregate interface. To store an instance of the custom aggregate processor, Diesel relied on the sqlite3_aggregate_context function provided by SQLite. This function doesn't provide any guarantees about the alignment of t...
`tracing-ethers` was removed from crates.io due to malicious code
The tracing-ethers crate attempted to exfiltrate SSH keys to an app hosted on vercel.app. The malicious crate had 9 versions published on 2026-03-09, approximately 5 days before removal, and had no evidence of actual downloads. There were no crates depending on this crate on crates.io. Thanks to the...
`chrono_anchor` was removed from crates.io due to malicious code
The chrono_anchor crate attempted to exfiltrate .env files to a server that was in turn impersonating the legitimate timeapi.io service. The malicious crate had 1 version published on 2026-03-04, approximately 6 days before removal, and had no evidence of actual downloads. There were no crates...
`unic-char-basics` is unmaintained
All Unicode crates that are part of https://github.com/open-i18n/rust-unic are unmaintained...
`unic-emoji-char` is unmaintained
All Unicode crates that are part of https://github.com/open-i18n/rust-unic are unmaintained. Recommended alternatives - icu_properties...
paste - no longer maintained
The creator of the crate paste has stated in the README.md that this project is no longer maintained, and has archived the repository. Possible Alternatives - pastey: a fork of paste aimed at being a drop-in replacement with additional features for the paste crate - with_builtin_macros: crate...
Misaligned pointer dereference in `ChunkId::new`
The function ChunkId::new creates a misaligned pointer by casting a mutable pointer to a u8 slice (alignment 1) to a mutable pointer to u32 (alignment 4), and dereferences the misaligned pointer, leading to UB, which should not be possible from a safe function...
Out-of-bounds array access leads to panic
Affected versions of the crate have several bugs where attacker-controlled input can result in the use of an out-of-bound array index. Rust detects the use of the out-of-bound index and causes the application to panic. An attacker may be able to use this to cause a denial-of-service. However, it ...
Location header incorporates user input, allowing open redirect
When hyper-staticfile performs a redirect for a directory request (e.g. a request for /dir that redirects to /dir/), the Location header value was derived from user input (the request path), simply appending a slash. The intent was to perform an origin-relative redirect, but specific inputs allowed...
ELF header parsing library doesn't check for valid offset
The crate has several unsafe sections that don't perform proper pointer validation. An example can be found in the following function: `fn section_header_raw(&self) -> &[ET::SectionHeader] { let shoff = self.elf_header.section_header_offset as usize; let shnum = self.elf_header.section_header_entry_num as usize;`...
pty is unmaintained
The repository hasn't received any updates since Jun 25, 2017 and the author is unresponsive. Maintained alternatives include: tokio-pty-process pty-process...
Arrow2 allows double free in `safe` code
The struct FfiArrowArray implements `#[derive(Clone)]`, which is inconsistent with its custom implementation of Drop, resulting in a double free when cloned. Cloning this struct in safe code results in a segmentation fault, which is unsound. This derive was removed from this struct. All users are advised to...
xml-rs is Unmaintained
xml-rs is an XML parser that has open issues around parsing, including integer overflows / panics, that may or may not be an issue with untrusted data. Together with its Unmaintained status, these open issues mean xml-rs may or may not be suited to parse untrusted data. Alternatives - quick-xml...
rental is unmaintained, author has moved on
The author encourages users to explore other solutions, or maintain a fork. Maintained alternatives include: ouroboros fortify escher...