1141 matches found
Panic in `libcrux-psq` on decryption of malformed AES-GCM ciphertext
The latest releases of the libcrux-psq crate contains the following bug-fix: 1319: Propagate AEADError instead of panicking The issue fixed in 1319 was first reported by Nadim Kobeissi...
Potential undefined behavior when dereferencing Buf struct
if we dereference the Buf struct right after calling new or default on Buf struct, it passes Null Pointer to the unsafe function slice::fromrawparts. Based on the safety section documentation of function, data must be non-null and aligned even for zero-length slices or slices of ZSTs. Thus, passi...
Potential use-after-free in `oneshot` when used asynchronously
There is a race condition that can lead to a use-after-free if a oneshot::Receiver is polled but then dropped instead of polled to completion. This could happen if the receiver future was cancelled while receiving, for example by being wrapped in a timeout future or similar. When the Receiver is...
Multiple soundness issues in `scaly` safe APIs
Affected versions contain multiple safe APIs that can trigger undefined behavior: - Array::index can perform an out-of-bounds read. - String::getlength can perform an out-of-bounds read. - String::appendcharacter can perform an invalid write. - String::tocstring can perform an out-of-bounds write...
Non-constant-time code generation on ARM32 targets
Summary While the cmov crate has a special backend for aarch64 which uses special CSEL instructions, on 32-bit ARM it uses a portable pure Rust fallback implementation. This implementation uses a combination of bitwise arithmetic and core::hint::blackbox to attempt to coerce constant-time code...
Timing side-channel in ML-DSA decomposition
Summary A timing side-channel was discovered in the Decompose algorithm which is used during ML-DSA signing to generate hints for the signature. Details The analysis was performed using a constant-time analyzer that examines compiled assembly code for instructions with data-dependent timing...
rustls-pemfile is unmaintained
The rustls-pemfile crate is no longer maintained. The repository has been archived since August 2025, and users are encouraged to depend directly on the underlying PEM parsing code included in rustls-pki-types since 1.9.0. The latest version of rustls-pemfile is in fact a thin wrapper around the...
CGGMP21 presignatures can be used in the way that significantly reduces security
This attack is against presignatures used in very specific context: Presignatures + HD wallets derivation: security level reduces to 85 bits \ Previously you could generate a presignature, and then choose a HD derivation path while issuing a partial signature via Presignature::setderivationpath,...
gcc crate is unmaintained
The gcc crate is deprecated and no longer actively maintained. If you rely on this crate, consider switching to a recommended alternative. Recommended alternatives - cc...
Multiple soundness issues in `stackvector`
Affected versions of stackvector contained multiple soundness issues that could allow safe Rust code to trigger undefined behavior. One issue was that StackVec::length was exposed as a public field. Safe Rust code could set length to a value larger than the backing array capacity. Other safe...
Uninitialized memory exposure in string reading functions
Multiple string reading functions expose uninitialized memory by setting length to capacity when no null terminator is found. This allows reading uninitialized memory which may contain sensitive data from previous allocations. The ncurses-rs repository is archived and unmaintained...
Uninitialized memory exposure in create_ring_buffer
The safe function createringbuffer allocates a buffer using Vec::withcapacity followed by setlen, creating a Box containing uninitialized memory. This leads to undefined behavior when functions like writeslices create typed slices e.g., &mut bool over the uninitialized memory, violating Rust's...
`unic-ucd-core` is unmaintained
All Unicode crates that are part of https://github.com/open-i18n/rust-unic are unmaintained...
`unic-ucd-hangul` is unmaintained
All Unicode crates that are part of https://github.com/open-i18n/rust-unic are unmaintained. Recommended alternatives - icunormalizer - unicode-normalization...
`daemonize` is Unmaintained
There hasn't been any activity happening for this crate since June 3, 2023. No interactions on pull requests. Issues are disabled for the repo. Oldest PR sitting around without any interaction from the maintainer: knsd/daemonize50 On February 14, 2024, a PR was made to correct some UB. Efforts to...
The `google-apis-rs` project is now unmaintained
Instead, please start using and migrate to the official Google Rust bindings...
fxhash - no longer maintained
The fxhash crate is no longer maintained. The repository is stale and owner is no longer active on GitHub. Please take a look at rustc-hash instead...
matrix-sdk-sqlite: SQL injection vulnerability in `SqliteEventCacheStore::find_event_with_relations`
The SqliteEventCacheStore::findeventwithrelations function constructs SQL queries using format! with unescaped input, allowing an attacker to inject arbitrary SQL. This results in a SQL injection vulnerability...
--allow-read / --allow-write permission bypass in `node:sqlite`
It is possible to bypass Deno's read/write permission checks by using ATTACH DATABASE statement. PoC // poc.js import DatabaseSync from "node:sqlite" const db = new DatabaseSync":memory:"; db.exec"ATTACH DATABASE 'test.db' as test;"; db.exec"CREATE TABLE test.test id INTEGER PRIMARY KEY, name...
Heap Buffer Overflow in the DrainCol Destructor
An off-by-one error in the DrainCol::drop destructor could cause an unsafe memory copy operation to exceed the bounds of the associated vector. The error was related to the size of the data being copied in one of the ptr::copy invocations inside the destructor. When removing the first column from...
rustc-serialize is unmaintained
rustc-serialize will no longer be maintained as declared by the developer. By fuzzing the package, we can identify multiple vulnerabilities. The project has been archived and cannot submit issues. The developer has recommended using the serde crate instead...
Versions of *ring* prior to 0.17 are unmaintained.
ring 0.16.20 was released over 4 years ago and isn't maintained, tested, etc. Additionally, the project's general policy is to only patch the latest release, which is 0.17.12 now. It will be difficult for anybody to backport future fixes to versions earlier than 0.17.10 due to license changes...
`sophosfirewall-python` was removed from crates.io for malicious code
sophosfirewall-python was part of a campaign that attempted to exfiltrate environmental data from the host. The malicious crate had 6 versions published in February 2025, and had no evidence of actual usage. This crate had no dependencies on crates.io...
Segmentation fault due to lack of bound check
In this case, the "fastfloat::common::AsciiStr::first" method within the "AsciiStr" struct uses the unsafe keyword to reading from memory without performing bounds checking. Specifically, it directly dereferences a pointer offset by "self.ptr". Because of the above reason, the method accesses...
Use of insecure cryptographic algorithms
This crate uses a number of cryptographic algorithms that are no longer considered secure and it uses them in ways that do not guarantee the integrity of the encrypted data. MagicCrypt64 uses the insecure DES block cipher in CBC mode without authentication. This allows for practical brute force a...
Replaced by `pqcrypto-mldsa`
This crate has been replaced by pqcrypto-mldsa, which provides a FIPS204-compatible implementation of ML-DSA...
proc-macro-error is unmaintained
proc-macro-error's maintainer seems to be unreachable, with no commits for 2 years, no releases pushed for 4 years, and no activity on the GitLab repo or response to email. proc-macro-error also depends on syn 1.x, which may be bringing duplicate dependencies into dependant build trees. Possible...
gix-path uses local config across repos when it is the highest scope
Summary gix-path executes git to find the path of a configuration file that belongs to the git installation itself, but mistakenly treats the local repository's configuration as system-wide if no higher scoped configuration is found. In rare cases, this causes a less trusted repository to be...
Traversal outside working tree enables arbitrary code execution
Summary During checkout, gitoxide does not verify that paths point to locations in the working tree. A specially crafted repository can, when cloned, place new files anywhere writable by the application. Details Although gix-worktree-state checks for collisions with existing files, it does not...
Traversal outside working tree enables arbitrary code execution
Summary During checkout, gitoxide does not verify that paths point to locations in the working tree. A specially crafted repository can, when cloned, place new files anywhere writable by the application. Details Although gix-worktree-state checks for collisions with existing files, it does not...
The crate `zip_next` has been renamed to `zip`.
Please switch to the new name. zipnext will receive no further releases...
`libp2p-tokio-socks5` is unmaintained
Note the repository was archived without an issue so we link directly to the commit that marked the repository as unmaintained. To the best of the original authors knowledge the crate has no vulnerabilities as of the last release, it is just unmaintained due to laziness - new maintainer welcome...
Panic when using a dropped extenref-typed element segment
This is an entry in the RustSec database for the Wasmtime security advisory located at https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-75hq-h6g9-h4q5. For more information see the GitHub-hosted security advisory...
`win_run_rs` was removed from crates.io for malicious code
This crate was part of a typosquatting malware cluster published by the user Kraded to run an arbitrary malware payload on Windows hosts. This advisory is to retrospectively document this attempted attack. The version information and download records of the malicious crate are no longer available...
`winx-rs` was removed from crates.io for malicious code
This crate was part of a typosquatting malware cluster published by the user Kraded to run an arbitrary malware payload on Windows hosts. This advisory is to retrospectively document this attempted attack. The version information and download records of the malicious crate are no longer available...
`monero-rpc-rs` was removed from crates.io for malicious code
This crate was part of a typosquatting malware cluster published by the user Kraded to run an arbitrary malware payload on Windows hosts. This advisory is to retrospectively document this attempted attack. The version information and download records of the malicious crate are no longer available...
sudo-rs: Path Traversal vulnerability
Impact An issue was discovered where usernames containing the . and / characters could result in the corruption of specific files on the filesystem. As usernames are generally not limited by the characters they can contain, a username appearing to be a relative path can be constructed. For exampl...
`postgress` was removed from crates.io for malicious code
This crate was part of a typosquatting malware cluster published by the malicious user amaperf and contained a malware payload in build.rs to exfiltrate host information to the attacker. This advisory is to retrospectively document this attempted attack. The version information and download recor...
atomic-polyfill is unmaintained
The author has archived the GitHub repository and mentions deprecation in project's README. Possible alternatives portable-atomic...
Use After Free in lucet-runtime
There is a bug in the main branch of Lucet's lucet-runtime that allows a use-after-free in an Instance object that could result in memory corruption, data race, or other related issues. This bug was introduced early in the development of Lucet and is present in all releases. As a result of this...
`aesni` has been merged into the `aes` crate
Please use the aes crate going forward. The new repository location is at: AES-NI is now autodetected at runtime on i686/x86-64 platforms. If AES-NI is not present, the aes crate will fallback to a constant-time portable software implementation. To prevent this fallback and have absence of AES-NI...
multi_mut is Unmaintained
Last release was about 6 years ago. There is an outstanding soundness issue. The maintainer has not responded for two years to the existing soundness issue. Rust compiler has enabled errors relating to LLVM noalias rules and may not compile anymore where as the old compiler versions had turned...
`serial` crate is unmaintained
The serial crate is no longer maintained. Last release was on 2017-07-02. Possible alternatives Consider using an alternative, for instance the blocking librarys: - serial2 - serialport or async alternatives: - mio-serial - tokio-serial...
`rustybuzz` is unmaintained
The current maintainer of rustybuzz has stated that the crate is unmaintained and will not receive further fixes or updates see the referenced issue. Alternatives - harfrust, an actively maintained and updated alternative which is part of the Harfbuzz project...
`unpack_in` can chmod arbitrary directories by following symlinks
In versions 0.6.0 and earlier of astral-tokio-tar, the unpackin API could inadvertently modify the permissions of external i.e. non-archive directories outside of the archive. An attacker could use this to contrite a tar archive that maliciously changes directory permissions outside of its intend...
Host data leakage with 64-bit tables and Winch
This is an entry in the RustSec database for the Wasmtime security advisory located at https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-m9w2-8782-2946 For more information see the GitHub-hosted security advisory...
Wasmtime segfault or unused out-of-sandbox load with `f64x2.splat` operator on Cranelift x86-64
This is an entry in the RustSec database for the Wasmtime security advisory located at https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-qqfj-4vcm-26hv For more information see the GitHub-hosted security advisory...
Panic when transcoding misaligned component model UTF-16 strings
This is an entry in the RustSec database for the Wasmtime security advisory located at https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-jxhv-7h78-9775 For more information see the GitHub-hosted security advisory...
Miscompiled guest heap access enables sandbox escape on aarch64 Cranelift
This is an entry in the RustSec database for the Wasmtime security advisory located at https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-jhxm-h53p-jm7w For more information see the GitHub-hosted security advisory...
zantetsu-trainer is unmaintained
The zantetsu-trainer crate is no longer maintained. The ML training infrastructure it contained was removed as part of the zantetsu 0.2 release, which replaced the neural parser with a pure heuristic engine. A tombstone version 0.2.0 has been published and 0.1.4 has been yanked. There is no...