Lucene search
K
RustsecMost viewed

1141 matches found

RustSec
RustSec
added 2026/04/14 12:0 p.m.11 views

Name constraints for URI names were incorrectly accepted

Name constraints for URI names were ignored and therefore accepted. Note this library does not provide an API for asserting URI names, and URI name constraints are otherwise not implemented. URI name constraints are now rejected unconditionally. Since name constraints are restrictions on otherwis...

5.8AI score
Exploits0Affected Software1
RustSec
RustSec
added 2026/04/09 12:0 p.m.11 views

Improperly masked return value from `table.grow` with Winch compiler backend

This is an entry in the RustSec database for the Wasmtime security advisory located at https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-f984-pcp8-v2p7 For more information see the GitHub-hosted security advisory...

7.5CVSS5.9AI score0.00214EPSS
Exploits0Affected Software1
RustSec
RustSec
added 2026/03/19 12:0 p.m.11 views

`unpack_in` can chmod arbitrary directories by following symlinks

In versions 0.4.44 and below of tar-rs, when unpacking a tar archive, the tar crate's unpackdir function uses fs::metadatafs-metadata to check whether a path that already exists is a directory. Because fs::metadata follows symbolic links, a crafted tarball containing a symlink entry followed by a...

6.5CVSS5.8AI score0.00379EPSS
Exploits1Affected Software1
RustSec
RustSec
added 2026/03/04 12:0 p.m.11 views

Cache poisoning via insecure-by-default cache key

Pingora versions prior to 0.8.0 generated cache keys using only the URI path, excluding critical factors such as the host header. This allows an attacker to poison the cache and serve cross-origin responses to users. This vulnerability affects users of Pingora's alpha proxy caching feature who...

8.4CVSS6AI score0.00394EPSS
Exploits0Affected Software1
RustSec
RustSec
added 2026/03/04 12:0 p.m.11 views

`time-sync` was removed from crates.io due to malicious code

The time-sync crate attempted to exfiltrate .env files to a server that was in turn impersonating the legitimate timeapi.io service. This the same attack that we've seen three times in the last few days. The malicious crate had 1 version published on 2026-03-04 approximately 50 minutes before...

6AI score
Exploits0
RustSec
RustSec
added 2026/02/26 12:0 p.m.11 views

`tracing_checks` was removed from crates.io for transitively including malicious code

This is part of an ongoing campaign to attempt to typosquat crates in an attempt to exfiltrate Polymarket credentials. The malicious crate had 1 version published on 2026-02-26 approximately 9 hours before removal and had no evidence of actual usage, both in terms of downloads and dependents. It...

5.5AI score
Exploits0
RustSec
RustSec
added 2026/02/24 12:0 p.m.11 views

`tracing-check` was removed from crates.io for malicious code

This is part of an ongoing campaign to attempt to typosquat crates in the polymarket-client-sdk ecosystem to exfiltrate user credentials. The malicious crate had 1 version published on 2026-02-24 approximately 4 hours before removal and had no evidence of actual downloads. There were no crates...

5.4AI score
Exploits0
RustSec
RustSec
added 2026/02/24 12:0 p.m.11 views

`rpc-check` was removed from crates.io for malicious code

This is part of an ongoing campaign to attempt to typosquat crates in the polymarket-client-sdk ecosystem to exfiltrate user credentials. The malicious crate had 6 versions published from 2026-02-20 onwards and had no evidence of actual usage. There were no crates depending on this crate on...

5.5AI score
Exploits0
RustSec
RustSec
added 2026/02/24 12:0 p.m.11 views

Guest-controlled resource exhaustion in WASI implementations

This is an entry in the RustSec database for the Wasmtime security advisory located at https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-852m-cvvp-9p4w For more information see the GitHub-hosted security advisory...

6.9CVSS5.3AI score0.00345EPSS
Exploits0Affected Software1
RustSec
RustSec
added 2026/02/20 12:0 p.m.11 views

`clob-sdk` was removed from crates.io for malicious code

This is part of an ongoing campaign to attempt to typosquat crates in the polymarket-client-sdk ecosystem to exfiltrate user credentials. The malicious crate had 1 version published on 2026-02-20 approximately 4 hours before removal and had no evidence of actual downloads. There were no crates...

5.5AI score
Exploits0
RustSec
RustSec
added 2025/12/09 12:0 p.m.11 views

`finch_cli_rust` was removed from crates.io for malicious code

This attempts to typosquat the existing crate finchcli to steal credentials from local files. The malicious crate had 1 version published on 2025-12-08 and had been downloaded 18 times. There were no crates depending on this crate on crates.io. Thanks to Matthias Zepper of NGI Sweden for reportin...

5.5AI score
Exploits0
RustSec
RustSec
added 2025/10/18 12:0 p.m.11 views

`unic-common` is unmaintained

All Unicode crates that are part of https://github.com/open-i18n/rust-unic are unmaintained...

7AI score
Exploits0
RustSec
RustSec
added 2025/10/18 12:0 p.m.11 views

`unic-emoji` is unmaintained

All Unicode crates that are part of https://github.com/open-i18n/rust-unic are unmaintained. Recommended alternatives - icuproperties...

7AI score
Exploits0
RustSec
RustSec
added 2025/10/18 12:0 p.m.11 views

`unic-ucd-name` is unmaintained

All Unicode crates that are part of https://github.com/open-i18n/rust-unic are unmaintained...

7AI score
Exploits0
RustSec
RustSec
added 2025/09/08 12:0 p.m.11 views

servo-fontconfig crate is unmaintained

The servo-fontconfig crate is no longer actively maintained. If you rely on this crate, consider switching to a maintained alternative. Recommended alternatives - fontconfig-rs...

6.9AI score
Exploits0
RustSec
RustSec
added 2025/08/26 12:0 p.m.11 views

`statsrelay-protobuf` was removed from crates.io for malicious code

statsrelay-protobuf was part of a campaign that attempted to exfiltrate environmental data from the host. The malicious crate had 1 version published in August 2025, and had no evidence of actual usage. This crate had no dependencies on crates.io...

5.9AI score
Exploits0
RustSec
RustSec
added 2025/08/14 12:0 p.m.11 views

ArrayQueue::push_front is not panic-safe

The safe API arrayqueue::ArrayQueue::pushfront can lead to deallocating uninitialized memory if a panic occurs while invoking the clone method on the passed argument. Specifically, pushfront receives an argument that is intended to be cloned and pushed, whose type implements the Clone trait...

6.9AI score
Exploits0Affected Software1
RustSec
RustSec
added 2025/06/16 12:0 p.m.11 views

Four unique double-free vulnerabilities triggered via safe APIs

The crate slice-ring-buffer was developed as a fork of slice-deque to continue maintenance and provide security patches, since the latter has been officially unmaintained RUSTSEC-2020-0158. While slice-ring-buffer has addressed some previously reported memory safety issues inherited from its fork...

7.9AI score
Exploits0Affected Software1
RustSec
RustSec
added 2025/05/17 12:0 p.m.11 views

surf is unmaintained

The developer has indicated that the crate is unmaintained. The last release is over three years old from 2021, the crate depends on the deprecated async-std crate and on a very old version of rustls for TLS support. Possible alternatives - reqwest - ureq...

7.2AI score
Exploits0
RustSec
RustSec
added 2025/04/07 12:0 p.m.11 views

Broadcast channel calls clone in parallel, but does not require `Sync`

The broadcast channel internally calls clone on the stored value when receiving it, and only requires T:Send. This means that using the broadcast channel with values that are Send but not Sync can trigger unsoundness if the clone implementation makes use of the value being !Sync. Thank you to...

6.8AI score
Exploits0Affected Software1
RustSec
RustSec
added 2025/02/07 12:0 p.m.11 views

Hickory DNS failure to verify self-signed RRSIG for DNSKEYs

Summary The DNSSEC validation routines treat entire RRsets of DNSKEY records as trusted once they have established trust in only one of the DNSKEYs. As a result, if a zone includes a DNSKEY with a public key that matches a configured trust anchor, all keys in that zone will be trusted to...

7.3AI score
Exploits0Affected Software1
RustSec
RustSec
added 2024/07/18 12:0 p.m.11 views

Ambiguous challenge derivation

Challenge derivation in non-interactive ZK proofs was ambiguous and that could lead to security vulnerability however, it's unknown if it could be exploited...

7.2AI score
Exploits0Affected Software1
RustSec
RustSec
added 2024/03/30 12:0 p.m.11 views

Unsoundness in `Iterator` and `DoubleEndedIterator` impls for `glib::VariantStrIter`

The VariantStrIter::implget function called internally by implementations of the Iterator and DoubleEndedIterator traits for this type was unsound, resulting in undefined behaviour. An immutable reference &p to a mut libc::cchar pointer initialized to NULL was passed as an argument to a C functio...

7.4AI score
Exploits0Affected Software1
RustSec
RustSec
added 2024/03/20 12:0 p.m.11 views

yaml-rust is unmaintained.

The maintainer seems unreachable. Many issues and pull requests have been submitted over the years without any response. Alternatives Consider switching to the actively maintained yaml-rust2 fork of the original project: - yaml-rust2 - yaml-rust2 @ crates.io...

7.2AI score
Exploits0
RustSec
RustSec
added 2023/09/12 12:0 p.m.11 views

libwebp: OOB write in BuildHuffmanTable

Google and Mozilla have released security advisories for RCE due to heap overflow in libwebp. Google warns the vulnerability has been exploited in the wild. libwebp needs to be updated to 1.3.2 to include a patch for "OOB write in BuildHuffmanTable"...

8.8CVSS9.8AI score0.99735EPSS
Exploits9Affected Software1
RustSec
RustSec
added 2023/09/12 12:0 p.m.11 views

libwebp: OOB write in BuildHuffmanTable

Google and Mozilla have released security advisories for RCE due to heap overflow in libwebp. Google warns the vulnerability has been exploited in the wild. libwebp needs to be updated to 1.3.2 to include a patch for "OOB write in BuildHuffmanTable"...

8.8CVSS9.7AI score0.99735EPSS
Exploits9Affected Software1
RustSec
RustSec
added 2022/12/21 12:0 p.m.11 views

crate has been renamed to `embedded-alloc`

This crate has been renamed from alloc-cortex-m to embedded-alloc. The new repository location is:...

7.1AI score
Exploits0
RustSec
RustSec
added 2022/08/31 12:0 p.m.11 views

badge is Unmaintained

The maintainer has advised this crate is deprecated and will not receive any maintenance. The crate depends on the deprecated rusttype crate and won't receive updates anymore. Possible Alternatives The below list has not been vetted in any way and may or may not contain alternatives; - badge-make...

2.7AI score
Exploits0
RustSec
RustSec
added 2022/03/22 12:0 p.m.11 views

pty is unmaintained

The repository hasn't received any updates since Jun 25, 2017 and the author is unresponsive. Maintained alternatives include: tokio-pty-process pty-process...

2.5AI score
Exploits0
RustSec
RustSec
added 2022/01/02 12:0 p.m.11 views

Delegate functions are missing `Send` bound

Affected versions of this crate did not require event handlers to have Send bound despite there being no guarantee of them being called on any particular thread, which can potentially lead to data races and undefined behavior. The flaw was corrected in commit afe3252 by adding Send bounds...

3.1AI score
Exploits0Affected Software1
RustSec
RustSec
added 2021/01/29 12:0 p.m.11 views

nphysics3d is unmaintained

The maintainer has advised that this crate is passively-maintained and that it is being superseded by the Rapier project...

3.4AI score
Exploits0
RustSec
RustSec
added 2021/01/29 12:0 p.m.11 views

ncollide2d is unmaintained

The maintainer has advised that this crate is passively-maintained and that it is being superseded by the Parry project...

3.4AI score
Exploits0
RustSec
RustSec
added 2021/01/21 12:0 p.m.11 views

Improper validation of Windows paths could lead to directory traversal attack

towerhttp::services::fs::ServeDir didn't correctly validate Windows paths meaning paths like /foo/bar/c:/windows/web/screen/img101.png would be allowed and respond with the contents of c:/windows/web/screen/img101.png. Thus users could potentially read files anywhere on the filesystem. This only...

4.4AI score
Exploits0Affected Software1
RustSec
RustSec
added 2020/12/07 12:0 p.m.11 views

crate has been superseded by `sn_client`

This crate has been superseded by snclient. The new repository location is:...

0.3AI score
Exploits0
RustSec
RustSec
added 2020/11/02 12:0 p.m.11 views

crate has been renamed to `sn_bindgen`

This crate has been renamed from safebindgen to snbindgen. The new repository location is:...

6.9AI score
Exploits0
RustSec
RustSec
added 2020/07/04 12:0 p.m.11 views

mozjpeg DecompressScanlines::read_scanlines is Unsound

This issue and vector is similar to RUSTSEC-2020-0029 of rgb crate which mozjpeg depends on. Affected versions of mozjpeg crate allow creating instances of any type T from bytes, and do not correctly constrain T to the types for which it is safe to do so. Examples of safety violation possible for...

3.1AI score
Exploits0Affected Software1
RustSec
RustSec
added 2020/02/10 12:0 p.m.11 views

slice-deque is unmaintained

The author of the slice-deque crate is unresponsive and is not receiving security patches. Maintained alternatives: - slice-ring-buffer...

2.4AI score
Exploits0
RustSec
RustSec
added 2026/06/28 12:0 p.m.10 views

`ttf-parser` is unmaintained

The author of ttf-parser has stated that the crate is unmaintained and will not receive further fixes see the referenced issue. Alternatives - skrifa, an actively maintained TrueType and OpenType font parsing crate, part of the Google Fonts "oxidize" fontations project...

5.8AI score
Exploits0
RustSec
RustSec
added 2026/06/15 12:0 p.m.10 views

Leak in WASIp1 `fd_renumber` implementation

This is an entry in the RustSec database for the Wasmtime security advisory located at https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-3p27-qvp9-27qf For more information see the GitHub-hosted security advisory...

5.3AI score
Exploits0Affected Software1
RustSec
RustSec
added 2026/05/13 12:0 p.m.10 views

Potential undefined behavior with Signature from a buffer-created BlameHunk

When a Blame is created via Blame::blamebuffer, and a BlameHunk is retrieved, the pointers to the original author, original committer, final author, and final committer may be null if unavailable. The corresponding BlameHunk methods then create Signatures based on null pointers; attempting to...

5.3AI score
Exploits0Affected Software1
RustSec
RustSec
added 2026/05/12 12:0 p.m.10 views

Potential undefined behavior when calling Remote::list()

When calling Remote::list for a remote of a git repository, when that remote does not advertise any references, git2 passes a null pointer to the unsafe function slice::fromrawparts. Based on the safety section documentation of function, data must be non-null even for slices of length zero. Thus,...

5.3AI score
Exploits0Affected Software1
RustSec
RustSec
added 2026/05/07 12:0 p.m.10 views

`Program<System>` accepts arbitrary executable programs

Affected versions of anchor-lang did not properly validate accounts declared as Program. The generic Program validation path used Pubkey::default as a sentinel to decide whether any executable program should be accepted. Since the system program id is also the default pubkey, Program was treated...

8.2CVSS5.8AI score0.00246EPSS
Exploits0Affected Software1
RustSec
RustSec
added 2026/05/05 12:0 p.m.10 views

Denial of service in Steamworks game clients/servers using P2P authentication

Processing the raw ValidateAuthTicketResponset callback data panics when the meAuthSessionResponse field is kEAuthSessionResponseAuthTicketNetworkIdentityFailure. This can lead to denial of service in game clients and servers using the beginauthenticationsession API to authenticate players if a...

5.8AI score
Exploits0Affected Software1
RustSec
RustSec
added 2026/05/05 12:0 p.m.10 views

Signature Verification on AVX2 Platforms Mishandles Edge Case

The AVX2 implementation of ML-DSA verification incorrectly implemented the usehint function, mishandling an edge case that should lead to signature rejection. Impact An attacker could make the ML-DSA verifier accept a crafted invalid signature under a maliciously generated verification key, if th...

5.8AI score
Exploits0Affected Software1
RustSec
RustSec
added 2026/05/02 12:0 p.m.10 views

Buffer overflow in `Clusterings::from_i32_column_major_order()`

The fromi32columnmajororder method can create inconsistent internal state. When labels length and nitems mismatch, nclusterings becomes labels.len / nitems truncated, but subsequent calls to label use indices that exceed the internal data bounds, causing a buffer overflow. For example,...

6AI score
Exploits0Affected Software1
RustSec
RustSec
added 2026/05/01 12:0 p.m.10 views

NSEC3 closest-encloser proof validation enters unbounded loop on cross-zone responses

The NSEC3 closest-encloser proof validation in hickory-net's DnssecDnsHandle walks from the QNAME up to the SOA owner name, building a list of candidate encloser names. The iterator used assumes the QNAME is a descendant of the SOA owner, terminating only when the current candidate equals the SOA...

5.8AI score
Exploits0Affected Software1
RustSec
RustSec
added 2026/05/01 12:0 p.m.10 views

Improper check of an invariant resulting in incorrect bounds checks

A bounds verification of a slice storage of a 2-dimensional matrix's coefficients a kernel would compare the total size against the product of individual dimensions. This would erroneously cast after the multiplication and consequently fail to detect possible violations when overflow occurs...

5.9AI score
Exploits0Affected Software1
RustSec
RustSec
added 2026/05/01 12:0 p.m.10 views

Fragile bounds check when sampling from image

A read of pixels was coded as modifying coordinates to lie within the image bounds. It would calculate a coordinate by adding a constant to an input and taking the minimum of the resulting coordinate and 'dimension - 1'. This would not protect against malicious inputs that could overflow the...

5.9AI score
Exploits0Affected Software1
RustSec
RustSec
added 2026/04/09 12:0 p.m.10 views

Host panic when Winch compiler executes `table.fill`

This is an entry in the RustSec database for the Wasmtime security advisory located at https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-q49f-xg75-m9xw For more information see the GitHub-hosted security advisory...

7.5CVSS5.9AI score0.00358EPSS
Exploits0Affected Software1
RustSec
RustSec
added 2026/04/05 12:0 p.m.10 views

`logtrace` was removed from crates.io for malicious code

logtrace appeared to be downloading a RAT. The malicious crate had 2 versions published on 2026-04-01 that had a total of 30 downloads. There were no crates depending on this crate on crates.io. Thanks to Socket.dev for detecting and reporting this to the crates.io team!...

5.9AI score
Exploits0
Total number of security vulnerabilities1141