Unsound issue in Trailer

Our static analyzer find a potential unsound issue in the construction of Trailer, where it doesn't provide enough check to ensure the soundness. trailer/src/lib.rs, Lines 18 to 25 in d474984: pub fn newcapacity: usize - Trailer unsafe let trailer = Trailer::allocatecapacity; let ptr = trailer.pt...

proc-macro-error is unmaintained

proc-macro-error's maintainer seems to be unreachable, with no commits for 2 years, no releases pushed for 4 years, and no activity on the GitLab repo or response to email. proc-macro-error also depends on syn 1.x, which may be bringing duplicate dependencies into dependant build trees. Possible...

`derivative` is unmaintained; consider using an alternative

The derivative crate is no longer maintained. Consider using any alternative, for instance: - derivemore - derive-where - educe...

Traversal outside working tree enables arbitrary code execution

Summary During checkout, gitoxide does not verify that paths point to locations in the working tree. A specially crafted repository can, when cloned, place new files anywhere writable by the application. Details Although gix-worktree-state checks for collisions with existing files, it does not...

Unsoundness in `Iterator` and `DoubleEndedIterator` impls for `glib::VariantStrIter`

The VariantStrIter::implget function called internally by implementations of the Iterator and DoubleEndedIterator traits for this type was unsound, resulting in undefined behaviour. An immutable reference &p to a mut libc::cchar pointer initialized to NULL was passed as an argument to a C functio...

Tungstenite allows remote attackers to cause a denial of service

The Tungstenite crate through 0.20.0 for Rust allows remote attackers to cause a denial of service minutes of CPU consumption via an excessive length of an HTTP header in a client handshake. The length affects both how many times a parse is attempted e.g., thousands of times and the average amoun...

libwebp: OOB write in BuildHuffmanTable

Google and Mozilla have released security advisories for RCE due to heap overflow in libwebp. Google warns the vulnerability has been exploited in the wild. libwebp needs to be updated to 1.3.2 to include a patch for "OOB write in BuildHuffmanTable"...

`daemonize` is Unmaintained

Last release was over four years ago. The crate contains undocumented unsafe behind safe fns. An issue inquiring as to possible updates has gone unanswered by the maintainer. Possible Alternatives The below list has not been vetted in any way and may or may not contain alternatives: - daemonize-m...

`aesni` has been merged into the `aes` crate

Please use the aes crate going forward. The new repository location is at: AES-NI is now autodetected at runtime on i686/x86-64 platforms. If AES-NI is not present, the aes crate will fallback to a constant-time portable software implementation. To prevent this fallback and have absence of AES-NI...

slice-deque is unmaintained

The author of the slice-deque crate is unresponsive and is not receiving security patches. Maintained alternatives: - slice-ring-buffer...

`serial` crate is unmaintained

The serial crate is no longer maintained. Last release was on 2017-07-02. Possible alternatives Consider using an alternative, for instance the blocking librarys: - serial2 - serialport or async alternatives: - mio-serial - tokio-serial...

Panic on a `DataRow` with fewer fields than columns allows denial of service

A malicious or compromised server can send a row containing fewer fields than its row description declares columns. Reading one of the missing columns then panics with an out-of-bounds index, aborting the calling task. This affects even the otherwise non-panicking tryget, and both Row and...

Out-of-bounds read in `nth` / `nth_back` for `PyList` and `PyTuple` iterators

PyO3 0.24.0 added optimized implementations of Iterator::nth and DoubleEndedIterator::nthback for the BoundListIterator and BoundTupleIterator types. These implementations computed the target index using unchecked usize addition index + n before bounds-checking against the sequence length, then...

Missing `Sync` bound on `PyCFunction::new_closure` closures

PyCFunction::newclosure and the temporary newclosurebound complement in the 0.21–0.22 series required the supplied closure to be Send + 'static but not Sync. The resulting PyCFunction is a Python callable that can be invoked from any Python thread, which means the closure may be called concurrent...

DoS vulnerability in HTTP/1.x chunked encoding parser triggered by maliciously crafted chunk lengths

When using the affected versions of the vibeio-http crate, an attacker could craft a malicious HTTP/1.x request with a large chunk length between usize::MAX - 1 and usize::MAX inclusive and send it, causing the server to crash integer overflow panic in debug builds, splitto out of bounds panic in...

`exploration` was removed from crates.io for malicious code

A method within the exploration crate attempted to download and execute a payload from a remote site. The malicious crate had 1 version published on 2026-06-02, approximately 1 hour before removal, and had no evidence of actual usage. This crate had no dependencies on crates.io. Thanks to Kirill...

Double-free and use-after-free in `Keys::next()`

Keys::next uses ptr::read to move out the Option by value, which drops the contained V when V is non-Copy e.g. String. This leaves a dangling value in the map's storage slot. Subsequent get operations on that key return a dangling reference to already-freed memory. This can be triggered through...

NSEC3 closest-encloser proof validation enters unbounded loop on cross-zone responses

The NSEC3 closest-encloser proof validation in hickory-net's DnssecDnsHandle walks from the QNAME up to the SOA owner name, building a list of candidate encloser names. The iterator used assumes the QNAME is a descendant of the SOA owner, terminating only when the current candidate equals the SOA...

Possible UTF-8 corruption in Diesels SQLite backend

Diesel uses the sqlite3valuetext function to receive strings from SQLite while deserializing query results. We misinterpreted the corresponding SQLite documentation that this function always returns a UTF-8 encoded string values as const cchar. Based on that we used str::fromutf8unchecked to...

Potential use-after-free due to lack of panic safety in `InlineVec::clear` and `SerVec::clear`

InlineVec::clear and SerVec::clear in rkyv were not panic-safe. Both functions iterate over their elements and call dropinplace on each, updating self.len only after the loop. If an element's Drop implementation panics during the loop, self.len is left at its original value. A subsequent invocati...

`mysten-metrics` was removed from crates.io for malicious code

mysten-metrics included a build script that attempted to exfiltrate data from the build machine. The malicious crate had 1 version published on 2026-04-20 and had no evidence of actual usage. This crate had no dependencies on crates.io...

Heap OOB read in component model UTF-16 to latin1+utf16 string transcoding

This is an entry in the RustSec database for the Wasmtime security advisory located at https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-hx6p-xpx3-jvvv For more information see the GitHub-hosted security advisory...

Wasmtime segfault or unused out-of-sandbox load with `f64x2.splat` operator on Cranelift x86-64

This is an entry in the RustSec database for the Wasmtime security advisory located at https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-qqfj-4vcm-26hv For more information see the GitHub-hosted security advisory...

`logprinter` was removed from crates.io for malicious code

The crate downloaded code from an external HTTP endpoint and executed it within its trace fn...

zantetsu-ffi is unmaintained

The zantetsu-ffi crate is no longer maintained. The Node.js, Python, and C FFI bindings it provided were removed as part of the zantetsu 0.2 release, which refocused the project on its core Rust library. A tombstone version 0.2.0 has been published and 0.1.4 has been yanked. There is no replaceme...

Symbol confusion after hasher panic in `intaglio` interners

Affected versions of this crate can leave all SymbolTable variants in an internally inconsistent state if a custom BuildHasher panics during HashMap::insert and the caller recovers with catchunwind. The intern implementations committed a vec.push... before the matching map.insert... completed. If...

`tokio-threadpool` is unmaintained

The tokio-threadpool crate is unmaintained. It was part of the Tokio 0.1 ecosystem and has been superseded by the main tokio crate...

`tokio-process` is unmaintained

The tokio-process crate is unmaintained. It was part of the Tokio 0.1 ecosystem and has been superseded by the main tokio crate...

`tokio-tls` is unmaintained

The tokio-tls crate is unmaintained. It was part of the Tokio 0.1 ecosystem and has been superseded by the main tokio crate...

CRL Distribution Point Scope Check Logic Error in AWS-LC

A logic error in CRL distribution point matching in AWS-LC allows a revoked certificate to bypass revocation checks during certificate validation, when the application enables CRL checking and uses partitioned CRLs with Issuing Distribution Point IDP extensions. Customers of AWS services do not...

Insufficient validation of PAX extensions during extraction

In versions 0.5.6 and earlier of astral-tokio-tar, malformed PAX extensions were silently skipped when parsing tar archives. This silent skipping rather than rejection of invalid PAX extensions could be used as a building block for a parser differential, for example by silently skipping a malform...

`Authorization::value` and `WwwAuthenticate::value` can violate ASCII invariants

Authorization::value uses HeaderValue::value with the claim that the internal string is ASCII, but Authorization::new and Authorization::setcredentials accept arbitrary String credentials without validation. As a result, safe code can construct a header value containing non-ASCII UTF-8 while the...

`time-sync` was removed from crates.io due to malicious code

The time-sync crate attempted to exfiltrate .env files to a server that was in turn impersonating the legitimate timeapi.io service. This the same attack that we've seen three times in the last few days. The malicious crate had 1 version published on 2026-03-04 approximately 50 minutes before...

Panic in Standalone MAC Operations

An incorrect constant for the key length in libcrux-poly1305 caused the standalone MAC function libcruxpoly1305::mac to always panic with an out-of-bounds memory access. Impact Applications wishing to use libcrux-poly1305 as a standalone MAC would experience panics. The use of libcrux-poly1305 in...

`time_calibrators` was removed from crates.io due to malicious code

The timecalibrators crate attempted to exfiltrate .env files to a server that was in turn impersonating the legitimate timeapi.io service. The malicious crate had 1 version published on 2026-03-03 approximately 3 hours before removal and had no evidence of actual downloads. There were no crates...

`tracing-check` was removed from crates.io for malicious code

This is part of an ongoing campaign to attempt to typosquat crates in the polymarket-client-sdk ecosystem to exfiltrate user credentials. The malicious crate had 1 version published on 2026-02-24 approximately 4 hours before removal and had no evidence of actual downloads. There were no crates...

Panic adding excessive fields to a `wasi:http/types.fields` instance

This is an entry in the RustSec database for the Wasmtime security advisory located at https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-243v-98vx-264h For more information see the GitHub-hosted security advisory...

Panic when dropping a `[Typed]Func::call_async` future

This is an entry in the RustSec database for the Wasmtime security advisory located at https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-xjhv-v822-pf94 For more information see the GitHub-hosted security advisory...

`rpc-check` was removed from crates.io for malicious code

It was attempting to steal credentials from the POLYMARKETPRIVATEKEY environment variable. The malicious crate had 3 versions published on 2026-02-15 and had been downloaded only 155 times. There were no crates depending on this crate on crates.io. Thanks to Sisong Li for finding and reporting th...

Incorrect Length Encoding on KDF Export

Passing values length 65535 to Context::export produces output that disagrees with the RFC 9180 label encoding. In particular the length value is cast to u16 truncating any value exceeding 65535. Impact Applications that use hpke-rs to export very large secrets would experience interoperability...

Potential Undefined Behaviors in `Arc<T>`/`Rc<T>` impls of `from_value` on OOM

The SharedPointer::alloc implementation for sync::Arc and rc::Rc in rkyv/src/impls/alloc/rc/atomic.rs and rc.rs does not check if the allocator returns a null pointer on OOM Out of Memory. This null pointer can flow through to SharedPointer::fromvalue, which calls Box::fromrawptr with the null...

`sha-rst` was removed from crates.io for malicious code

This crate was used as a dependency by finchclirust and finch-rst and contained a malware payload to exfiltrate credentials. The malicious crate had 1 version published on 2025-12-08 and had been downloaded 22 times. Other than the other crates above that were part of the attack, no other crates...

Incorrect calculation on aarch64

On platforms without the core::arch::aarch64::vxarqu64 intrinsic, an unverified fallback in libcrux-intrinsics v0.0.3 passed incorrect arguments and produced wrong results. This corrupted SHA-3 digests and caused libcrux-ml-kem and libcrux-ml-dsa to sample incorrectly, yielding incorrect shared...

gcc crate is unmaintained

The gcc crate is deprecated and no longer actively maintained. If you rely on this crate, consider switching to a recommended alternative. Recommended alternatives - cc...

Uninitialized memory exposure in string reading functions

Multiple string reading functions expose uninitialized memory by setting length to capacity when no null terminator is found. This allows reading uninitialized memory which may contain sensitive data from previous allocations. The ncurses-rs repository is archived and unmaintained...

`unic-ucd-core` is unmaintained

All Unicode crates that are part of https://github.com/open-i18n/rust-unic are unmaintained...

`unic-normal` is unmaintained

All Unicode crates that are part of https://github.com/open-i18n/rust-unic are unmaintained. Recommended alternatives - icunormalizer - unicode-normalization...

`unic` is unmaintained

All Unicode crates that are part of https://github.com/open-i18n/rust-unic are unmaintained. Recommended alternatives - icu - idna - unicode-bidi...

`unic-ucd-name` is unmaintained

All Unicode crates that are part of https://github.com/open-i18n/rust-unic are unmaintained...

`unic-ucd-ident` is unmaintained

All Unicode crates that are part of https://github.com/open-i18n/rust-unic are unmaintained. Recommended alternatives - icuproperties - unicode-ident...