1141 matches found
Name constraints for URI names were incorrectly accepted
Name constraints for URI names were ignored and therefore accepted. Note this library does not provide an API for asserting URI names, and URI name constraints are otherwise not implemented. URI name constraints are now rejected unconditionally. Since name constraints are restrictions on otherwis...
Improperly masked return value from `table.grow` with Winch compiler backend
This is an entry in the RustSec database for the Wasmtime security advisory located at https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-f984-pcp8-v2p7 For more information see the GitHub-hosted security advisory...
`unpack_in` can chmod arbitrary directories by following symlinks
In versions 0.4.44 and below of tar-rs, when unpacking a tar archive, the tar crate's unpackdir function uses fs::metadatafs-metadata to check whether a path that already exists is a directory. Because fs::metadata follows symbolic links, a crafted tarball containing a symlink entry followed by a...
Cache poisoning via insecure-by-default cache key
Pingora versions prior to 0.8.0 generated cache keys using only the URI path, excluding critical factors such as the host header. This allows an attacker to poison the cache and serve cross-origin responses to users. This vulnerability affects users of Pingora's alpha proxy caching feature who...
`time-sync` was removed from crates.io due to malicious code
The time-sync crate attempted to exfiltrate .env files to a server that was in turn impersonating the legitimate timeapi.io service. This the same attack that we've seen three times in the last few days. The malicious crate had 1 version published on 2026-03-04 approximately 50 minutes before...
`tracing_checks` was removed from crates.io for transitively including malicious code
This is part of an ongoing campaign to attempt to typosquat crates in an attempt to exfiltrate Polymarket credentials. The malicious crate had 1 version published on 2026-02-26 approximately 9 hours before removal and had no evidence of actual usage, both in terms of downloads and dependents. It...
`tracing-check` was removed from crates.io for malicious code
This is part of an ongoing campaign to attempt to typosquat crates in the polymarket-client-sdk ecosystem to exfiltrate user credentials. The malicious crate had 1 version published on 2026-02-24 approximately 4 hours before removal and had no evidence of actual downloads. There were no crates...
`rpc-check` was removed from crates.io for malicious code
This is part of an ongoing campaign to attempt to typosquat crates in the polymarket-client-sdk ecosystem to exfiltrate user credentials. The malicious crate had 6 versions published from 2026-02-20 onwards and had no evidence of actual usage. There were no crates depending on this crate on...
Guest-controlled resource exhaustion in WASI implementations
This is an entry in the RustSec database for the Wasmtime security advisory located at https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-852m-cvvp-9p4w For more information see the GitHub-hosted security advisory...
`clob-sdk` was removed from crates.io for malicious code
This is part of an ongoing campaign to attempt to typosquat crates in the polymarket-client-sdk ecosystem to exfiltrate user credentials. The malicious crate had 1 version published on 2026-02-20 approximately 4 hours before removal and had no evidence of actual downloads. There were no crates...
`finch_cli_rust` was removed from crates.io for malicious code
This attempts to typosquat the existing crate finchcli to steal credentials from local files. The malicious crate had 1 version published on 2025-12-08 and had been downloaded 18 times. There were no crates depending on this crate on crates.io. Thanks to Matthias Zepper of NGI Sweden for reportin...
`unic-common` is unmaintained
All Unicode crates that are part of https://github.com/open-i18n/rust-unic are unmaintained...
`unic-emoji` is unmaintained
All Unicode crates that are part of https://github.com/open-i18n/rust-unic are unmaintained. Recommended alternatives - icuproperties...
`unic-ucd-name` is unmaintained
All Unicode crates that are part of https://github.com/open-i18n/rust-unic are unmaintained...
servo-fontconfig crate is unmaintained
The servo-fontconfig crate is no longer actively maintained. If you rely on this crate, consider switching to a maintained alternative. Recommended alternatives - fontconfig-rs...
`statsrelay-protobuf` was removed from crates.io for malicious code
statsrelay-protobuf was part of a campaign that attempted to exfiltrate environmental data from the host. The malicious crate had 1 version published in August 2025, and had no evidence of actual usage. This crate had no dependencies on crates.io...
ArrayQueue::push_front is not panic-safe
The safe API arrayqueue::ArrayQueue::pushfront can lead to deallocating uninitialized memory if a panic occurs while invoking the clone method on the passed argument. Specifically, pushfront receives an argument that is intended to be cloned and pushed, whose type implements the Clone trait...
Four unique double-free vulnerabilities triggered via safe APIs
The crate slice-ring-buffer was developed as a fork of slice-deque to continue maintenance and provide security patches, since the latter has been officially unmaintained RUSTSEC-2020-0158. While slice-ring-buffer has addressed some previously reported memory safety issues inherited from its fork...
surf is unmaintained
The developer has indicated that the crate is unmaintained. The last release is over three years old from 2021, the crate depends on the deprecated async-std crate and on a very old version of rustls for TLS support. Possible alternatives - reqwest - ureq...
Broadcast channel calls clone in parallel, but does not require `Sync`
The broadcast channel internally calls clone on the stored value when receiving it, and only requires T:Send. This means that using the broadcast channel with values that are Send but not Sync can trigger unsoundness if the clone implementation makes use of the value being !Sync. Thank you to...
Hickory DNS failure to verify self-signed RRSIG for DNSKEYs
Summary The DNSSEC validation routines treat entire RRsets of DNSKEY records as trusted once they have established trust in only one of the DNSKEYs. As a result, if a zone includes a DNSKEY with a public key that matches a configured trust anchor, all keys in that zone will be trusted to...
Ambiguous challenge derivation
Challenge derivation in non-interactive ZK proofs was ambiguous and that could lead to security vulnerability however, it's unknown if it could be exploited...
Unsoundness in `Iterator` and `DoubleEndedIterator` impls for `glib::VariantStrIter`
The VariantStrIter::implget function called internally by implementations of the Iterator and DoubleEndedIterator traits for this type was unsound, resulting in undefined behaviour. An immutable reference &p to a mut libc::cchar pointer initialized to NULL was passed as an argument to a C functio...
yaml-rust is unmaintained.
The maintainer seems unreachable. Many issues and pull requests have been submitted over the years without any response. Alternatives Consider switching to the actively maintained yaml-rust2 fork of the original project: - yaml-rust2 - yaml-rust2 @ crates.io...
libwebp: OOB write in BuildHuffmanTable
Google and Mozilla have released security advisories for RCE due to heap overflow in libwebp. Google warns the vulnerability has been exploited in the wild. libwebp needs to be updated to 1.3.2 to include a patch for "OOB write in BuildHuffmanTable"...
libwebp: OOB write in BuildHuffmanTable
Google and Mozilla have released security advisories for RCE due to heap overflow in libwebp. Google warns the vulnerability has been exploited in the wild. libwebp needs to be updated to 1.3.2 to include a patch for "OOB write in BuildHuffmanTable"...
crate has been renamed to `embedded-alloc`
This crate has been renamed from alloc-cortex-m to embedded-alloc. The new repository location is:...
badge is Unmaintained
The maintainer has advised this crate is deprecated and will not receive any maintenance. The crate depends on the deprecated rusttype crate and won't receive updates anymore. Possible Alternatives The below list has not been vetted in any way and may or may not contain alternatives; - badge-make...
pty is unmaintained
The repository hasn't received any updates since Jun 25, 2017 and the author is unresponsive. Maintained alternatives include: tokio-pty-process pty-process...
Delegate functions are missing `Send` bound
Affected versions of this crate did not require event handlers to have Send bound despite there being no guarantee of them being called on any particular thread, which can potentially lead to data races and undefined behavior. The flaw was corrected in commit afe3252 by adding Send bounds...
nphysics3d is unmaintained
The maintainer has advised that this crate is passively-maintained and that it is being superseded by the Rapier project...
ncollide2d is unmaintained
The maintainer has advised that this crate is passively-maintained and that it is being superseded by the Parry project...
Improper validation of Windows paths could lead to directory traversal attack
towerhttp::services::fs::ServeDir didn't correctly validate Windows paths meaning paths like /foo/bar/c:/windows/web/screen/img101.png would be allowed and respond with the contents of c:/windows/web/screen/img101.png. Thus users could potentially read files anywhere on the filesystem. This only...
crate has been superseded by `sn_client`
This crate has been superseded by snclient. The new repository location is:...
crate has been renamed to `sn_bindgen`
This crate has been renamed from safebindgen to snbindgen. The new repository location is:...
mozjpeg DecompressScanlines::read_scanlines is Unsound
This issue and vector is similar to RUSTSEC-2020-0029 of rgb crate which mozjpeg depends on. Affected versions of mozjpeg crate allow creating instances of any type T from bytes, and do not correctly constrain T to the types for which it is safe to do so. Examples of safety violation possible for...
slice-deque is unmaintained
The author of the slice-deque crate is unresponsive and is not receiving security patches. Maintained alternatives: - slice-ring-buffer...
`ttf-parser` is unmaintained
The author of ttf-parser has stated that the crate is unmaintained and will not receive further fixes see the referenced issue. Alternatives - skrifa, an actively maintained TrueType and OpenType font parsing crate, part of the Google Fonts "oxidize" fontations project...
Leak in WASIp1 `fd_renumber` implementation
This is an entry in the RustSec database for the Wasmtime security advisory located at https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-3p27-qvp9-27qf For more information see the GitHub-hosted security advisory...
Potential undefined behavior with Signature from a buffer-created BlameHunk
When a Blame is created via Blame::blamebuffer, and a BlameHunk is retrieved, the pointers to the original author, original committer, final author, and final committer may be null if unavailable. The corresponding BlameHunk methods then create Signatures based on null pointers; attempting to...
Potential undefined behavior when calling Remote::list()
When calling Remote::list for a remote of a git repository, when that remote does not advertise any references, git2 passes a null pointer to the unsafe function slice::fromrawparts. Based on the safety section documentation of function, data must be non-null even for slices of length zero. Thus,...
`Program<System>` accepts arbitrary executable programs
Affected versions of anchor-lang did not properly validate accounts declared as Program. The generic Program validation path used Pubkey::default as a sentinel to decide whether any executable program should be accepted. Since the system program id is also the default pubkey, Program was treated...
Denial of service in Steamworks game clients/servers using P2P authentication
Processing the raw ValidateAuthTicketResponset callback data panics when the meAuthSessionResponse field is kEAuthSessionResponseAuthTicketNetworkIdentityFailure. This can lead to denial of service in game clients and servers using the beginauthenticationsession API to authenticate players if a...
Signature Verification on AVX2 Platforms Mishandles Edge Case
The AVX2 implementation of ML-DSA verification incorrectly implemented the usehint function, mishandling an edge case that should lead to signature rejection. Impact An attacker could make the ML-DSA verifier accept a crafted invalid signature under a maliciously generated verification key, if th...
Buffer overflow in `Clusterings::from_i32_column_major_order()`
The fromi32columnmajororder method can create inconsistent internal state. When labels length and nitems mismatch, nclusterings becomes labels.len / nitems truncated, but subsequent calls to label use indices that exceed the internal data bounds, causing a buffer overflow. For example,...
NSEC3 closest-encloser proof validation enters unbounded loop on cross-zone responses
The NSEC3 closest-encloser proof validation in hickory-net's DnssecDnsHandle walks from the QNAME up to the SOA owner name, building a list of candidate encloser names. The iterator used assumes the QNAME is a descendant of the SOA owner, terminating only when the current candidate equals the SOA...
Improper check of an invariant resulting in incorrect bounds checks
A bounds verification of a slice storage of a 2-dimensional matrix's coefficients a kernel would compare the total size against the product of individual dimensions. This would erroneously cast after the multiplication and consequently fail to detect possible violations when overflow occurs...
Fragile bounds check when sampling from image
A read of pixels was coded as modifying coordinates to lie within the image bounds. It would calculate a coordinate by adding a constant to an input and taking the minimum of the resulting coordinate and 'dimension - 1'. This would not protect against malicious inputs that could overflow the...
Host panic when Winch compiler executes `table.fill`
This is an entry in the RustSec database for the Wasmtime security advisory located at https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-q49f-xg75-m9xw For more information see the GitHub-hosted security advisory...
`logtrace` was removed from crates.io for malicious code
logtrace appeared to be downloading a RAT. The malicious crate had 2 versions published on 2026-04-01 that had a total of 30 downloads. There were no crates depending on this crate on crates.io. Thanks to Socket.dev for detecting and reporting this to the crates.io team!...