1141 matches found
Host panic when Winch compiler executes `table.fill`
This is an entry in the RustSec database for the Wasmtime security advisory located at https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-q49f-xg75-m9xw For more information see the GitHub-hosted security advisory...
`logtrace` was removed from crates.io for malicious code
logtrace appeared to be downloading a RAT. The malicious crate had 2 versions published on 2026-04-01 that had a total of 30 downloads. There were no crates depending on this crate on crates.io. Thanks to Socket.dev for detecting and reporting this to the crates.io team!...
`tokio-tls` is unmaintained
The tokio-tls crate is unmaintained. It was part of the Tokio 0.1 ecosystem and has been superseded by the main tokio crate...
`tokio-process` is unmaintained
The tokio-process crate is unmaintained. It was part of the Tokio 0.1 ecosystem and has been superseded by the main tokio crate...
`tokio-io` is unmaintained
The tokio-io crate is unmaintained. It was part of the Tokio 0.1 ecosystem and has been superseded by the main tokio crate...
Denial of service in Quinn endpoints
Receiving QUIC transport parameters containing invalid values could lead to a panic. Unfortunately the maintainers did not properly assess usage of unwrap calls in the transport parameters parsing code, and we did not have sufficient fuzzing coverage to find this issue. We have since added a...
Panic in Standalone MAC Operations
An incorrect constant for the key length in libcrux-poly1305 caused the standalone MAC function libcruxpoly1305::mac to always panic with an out-of-bounds memory access. Impact Applications wishing to use libcrux-poly1305 as a standalone MAC would experience panics. The use of libcrux-poly1305 in...
`rpc-check` was removed from crates.io for malicious code
It was attempting to steal credentials from the POLYMARKETPRIVATEKEY environment variable. The malicious crate had 3 versions published on 2026-02-15 and had been downloaded only 155 times. There were no crates depending on this crate on crates.io. Thanks to Sisong Li for finding and reporting th...
Panic When Opening or Sealing on Export-Only Context
Constructing an HPKE Context with the AEAD algorithm set to HpkeExport resulted in a panic when calling Context::seal, or Context::open. This was due to an underflowing integer subtraction when calculating the length of a vector allocation for the AEAD nonce, which would panic on its own in debug...
Nonce Reuse in HPKE Context
The sequence number that is used to compute the AEAD nonce when using a re-usable HPKE context is incremented after each seal or open operation. This sequence number was stored as a u32 and used regular addition on u32 for the increment, meaning in release mode it would silently wrap around to 0...
Wasmtime segfault or unused out-of-sandbox load with `f64.copysign` operator on x86-64
This is an entry in the RustSec database for the Wasmtime security advisory located at https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-vc8c-j3xm-xj73 For more information see the GitHub-hosted security advisory...
Potential Undefined Behaviors in `Arc<T>`/`Rc<T>` impls of `from_value` on OOM
The SharedPointer::alloc implementation for sync::Arc and rc::Rc in rkyv/src/impls/alloc/rc/atomic.rs and rc.rs does not check if the allocator returns a null pointer on OOM Out of Memory. This null pointer can flow through to SharedPointer::fromvalue, which calls Box::fromrawptr with the null...
Incorrect calculation on aarch64
On platforms without the core::arch::aarch64::vxarqu64 intrinsic, an unverified fallback in libcrux-intrinsics v0.0.3 passed incorrect arguments and produced wrong results. This corrupted SHA-3 digests and caused libcrux-ml-kem and libcrux-ml-dsa to sample incorrectly, yielding incorrect shared...
number_prefix crate is unmaintained
The numberprefix crate is no longer actively maintained. If you rely on this crate, consider switching to a recommended alternative. Recommended alternatives - unit-prefix...
tandem is unmaintained
The tandem crates in https://github.com/sine-fdn are no longer maintained by the SINE Foundation. The repository has been archived. Recommended alternative We are continuing our work on SMPC by implementing our secure multi-party computation engine Polytune...
`replit_ruspty` was removed from crates.io for malicious code
The OpenSSF Package Analysis project identified 'replitruspty' @ 1.0.0 crates.io as malicious. Version 2.0.0 was also published with malware. It is considered malicious because: The package communicates with a domain associated with malicious activity. The package executes one or more commands...
`unic-normal` is unmaintained
All Unicode crates that are part of https://github.com/open-i18n/rust-unic are unmaintained. Recommended alternatives - icunormalizer - unicode-normalization...
`unic-char-range` is unmaintained
All Unicode crates that are part of https://github.com/open-i18n/rust-unic are unmaintained. Recommended alternatives - Since version 1.45.0 Rust supports using char with ops::Range, RangeFrom, RangeFull, RangeInclusive, RangeTo to iterate over a range of codepoints...
Segmentation fault and invalid memory read in `mnl::cb_run`
The function mnl::cbrun is marked as safe but exhibits unsound behavior when processing malformed Netlink message buffers. Passing a crafted byte slice to mnl::cbrun can trigger memory violations. The function does not sufficiently validate the input buffer structure before processing, leading to...
`unic-idna` is unmaintained
All Unicode crates that are part of https://github.com/open-i18n/rust-unic are unmaintained. Recommended alternatives - idna...
`unic-ucd-bidi` is unmaintained
All Unicode crates that are part of https://github.com/open-i18n/rust-unic are unmaintained. Recommended alternatives - icuproperties...
`unic-ucd-normal` is unmaintained
All Unicode crates that are part of https://github.com/open-i18n/rust-unic are unmaintained. Recommended alternatives - icunormalizer...
`unic-ucd-name_aliases` is unmaintained
All Unicode crates that are part of https://github.com/open-i18n/rust-unic are unmaintained...
`unic` is unmaintained
All Unicode crates that are part of https://github.com/open-i18n/rust-unic are unmaintained. Recommended alternatives - icu - idna - unicode-bidi...
`unic-idna-punycode` is unmaintained
All Unicode crates that are part of https://github.com/open-i18n/rust-unic are unmaintained. Recommended alternatives - idna...
Incorrect handling of embedded SVG and MathML leads to mutation XSS after removal
Affected versions of this crate did not correctly strip namespace-incompatible tags in certain situations, causing it to incorrectly account for differences between HTML, SVG, and MathML. This vulnerability only has an effect when the svg or math tag is allowed, because it relies on a tag being...
custom_derive crate is unmaintained
The customderive crate is no longer actively maintained. If you rely on this crate, consider switching to a maintained alternative. Recommended alternatives - strum - macro-attr...
ConstStaticCell could have been used to pass non-Send values to another thread
ConstStaticCell could have been used to pass non-Send values to another thread, because T was not required to be Send while ConstStaticCell is Send. This was corrected by introducing a T: Send bound...
i_tree allowed out-of-bounds access through safe public node accessors
Affected versions of itree exposed safe public Tree::node and Tree::mutnode methods in the public tree module. These methods accepted an arbitrary u32 index and passed it directly to Vec::getunchecked / getuncheckedmut on the internal node buffer, without validating that the index was in bounds...
matrix-sdk-crypto vulnerable to encrypted event sender spoofing by homeserver administrator
matrix-sdk-crypto versions 0.8.0 up to and including 0.11.0 does not correctly validate the sender of an encrypted event. Accordingly, a malicious homeserver operator can modify events served to clients, making those events appear to the recipient as if they were sent by another user. Although th...
Unsound public API in unmaintained crate
The following functions in the tantonengine crate are unsound due to lack of sufficient boundary checks in public API: - Stack::offset - ThreadStack::get - RootMoveList::insertscoredepth - RootMoveList::insertscore The tantonengine crate is no longer maintained, so there are no plans to fix this...
`jfrog_quotes` was removed from crates.io for malicious code
jfrogquotes was part of a campaign that attempted to exfiltrate environmental data from the host. The malicious crate had 1 version published in January 2025, and had no evidence of actual usage. This crate had no dependencies on crates.io...
Binary Protocol Misinterpretation caused by Truncating or Overflowing Casts
The following presentation at this year's DEF CON was brought to our attention on the SQLx Discord: SQL Injection isn't Dead: Smuggling Queries at the Protocol Level Archive link for posterity. Essentially, encoding a value larger than 4GiB can cause the length prefix in the protocol to overflow,...
Refs and paths with reserved Windows device names access the devices
Summary On Windows, fetching refs that clash with legacy device names reads from the devices, and checking out paths that clash with such names writes arbitrary data to the devices. This allows a repository, when cloned, to cause indefinite blocking or the production of arbitrary message that...
nphysics2d is unmaintained
The maintainer has advised that this crate is passively-maintained and that it is being superseded by the Rapier project...
mXSS in ammonia via MathML `annotation-xml` encoding strip
If a certain set of MathML tags are enabled, an attacker can inject arbitrary JavaScript code into the user's browser. The annotation-xml tag has slightly different behavior than the other "integration point" tags in MathML and SVG, but ammonia didn't handle it, so it didn't correctly strip the...
Unbounded namespace-declaration allocation in `NsReader` enables memory-exhaustion denial of service
NsReader resolves namespaces by calling NamespaceResolver::push for every Start/Empty event before the event is returned to the caller. push iterated all xmlns / xmlns: attributes on the start tag and, for each one, appended the prefix bytes to an internal buffer and pushed a NamespaceBinding 32...
Double-free and use-after-free in `Keys::next()`
Keys::next uses ptr::read to move out the Option by value, which drops the contained V when V is non-Copy e.g. String. This leaves a dangling value in the map's storage slot. Subsequent get operations on that key return a dangling reference to already-freed memory. This can be triggered through...
`logprinter` was removed from crates.io for malicious code
The crate downloaded code from an external HTTP endpoint and executed it within its trace fn...
`tokio-executor` is unmaintained
The tokio-executor crate is unmaintained. It was part of the Tokio 0.1 ecosystem and has been superseded by the main tokio crate...
`tokio-threadpool` is unmaintained
The tokio-threadpool crate is unmaintained. It was part of the Tokio 0.1 ecosystem and has been superseded by the main tokio crate...
CRLs not considered authoritative by Distribution Point due to faulty matching logic
If a certificate had more than one distributionPoint, then only the first distributionPoint would be considered against each CRL's IssuingDistributionPoint distributionPoint, and then the certificate's subsequent distributionPoints would be ignored. The impact was that correctly provided CRLs wou...
`tokio-reactor` is unmaintained
The tokio-reactor crate is unmaintained. It was part of the Tokio 0.1 ecosystem and has been superseded by the main tokio crate...
CRL Distribution Point Scope Check Logic Error in AWS-LC
A logic error in CRL distribution point matching in AWS-LC allows a revoked certificate to bypass revocation checks during certificate validation, when the application enables CRL checking and uses partitioned CRLs with Issuing Distribution Point IDP extensions. Customers of AWS services do not...
Insufficient validation of PAX extensions during extraction
In versions 0.5.6 and earlier of astral-tokio-tar, malformed PAX extensions were silently skipped when parsing tar archives. This silent skipping rather than rejection of invalid PAX extensions could be used as a building block for a parser differential, for example by silently skipping a malform...
`dnp3times` was removed from crates.io due to malicious code
The dnp3times crate attempted to exfiltrate .env files to a server that was in turn impersonating the legitimate timeapi.io service. It was loosely trying to typosquat the dnp3time crate, but otherwise was the same attack as the timecalibrator and timecalibrators malware yesterday. The malicious...
Incorrect Check of Signer Response Norm During Verification
The ML-DSA verification algorithm as specified in FIPS 204, subsection 6.3 requires verifiers to check that the infinity norm of the deserialized signer response $z$ does not exceed $\gamma1 - \beta$ line 13 of Algorithm 8. The same check is required to be performed during signature generation...
`time_calibrators` was removed from crates.io due to malicious code
The timecalibrators crate attempted to exfiltrate .env files to a server that was in turn impersonating the legitimate timeapi.io service. The malicious crate had 1 version published on 2026-03-03 approximately 3 hours before removal and had no evidence of actual downloads. There were no crates...
Panic when dropping a `[Typed]Func::call_async` future
This is an entry in the RustSec database for the Wasmtime security advisory located at https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-xjhv-v822-pf94 For more information see the GitHub-hosted security advisory...
Panic adding excessive fields to a `wasi:http/types.fields` instance
This is an entry in the RustSec database for the Wasmtime security advisory located at https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-243v-98vx-264h For more information see the GitHub-hosted security advisory...