1141 matches found
`registry-win` was removed from crates.io for malicious code
This crate was part of a typosquatting malware cluster published by the user Kraded to run an arbitrary malware payload on Windows hosts. This advisory is to retrospectively document this attempted attack. The version information and download records of the malicious crate are no longer available...
Unaligned read of `*const *const c_char` pointer
Affected versions dereference a potentially unaligned pointer. The pointer is commonly unaligned in practice, resulting in undefined behavior. In some build modes, this is observable as a panic followed by abort. In other build modes the UB may manifest in some other way, including the possibilit...
atomic-polyfill is unmaintained
The author has archived the GitHub repository and mentions deprecation in project's README. Possible alternatives portable-atomic...
Double Public Key Signing Function Oracle Attack on `ed25519-dalek`
Versions of ed25519-dalek prior to v2.0 model private and public keys as separate types which can be assembled into a Keypair, and also provide APIs for serializing and deserializing 64-byte private/public keypairs. Such APIs and serializations are inherently unsafe as the public key is one of th...
`daemonize` is Unmaintained
Last release was over four years ago. The crate contains undocumented unsafe behind safe fns. An issue inquiring as to possible updates has gone unanswered by the maintainer. Possible Alternatives The below list has not been vetted in any way and may or may not contain alternatives: - daemonize-m...
`array!` macro is unsound in presence of traits that implement methods it calls internally
Affected versions of this crate called some methods using auto-ref. The affected code looked like this. rust let mut arr = $crate::core::mem::MaybeUninit::uninit; let mut vec = $crate::ArrayVec::::newarr.asmutptr as mut T; In this case, the problem is that asmutptr is a method of &mut MaybeUninit...
Fragile bounds check when sampling from image
A bounds check was performed in floating points before a cast to the index passed to an unchecked access function. This checked considered NaN cases improperly, causing them to succeed the check instead of failing it. The floating point coordinate is under caller control by passing a selected...
DNS rebinding vulnerability in rmcp Streamable HTTP server transport
Prior to version 1.4.0, the rmcp crate's Streamable HTTP server transport did not validate the incoming Host header. This allowed a malicious public website, via a DNS rebinding attack, to send requests to an MCP server running on the victim's loopback or private-network interface. An attacker wh...
Use-after-free bug after cloning `wasmtime::Linker`
This is an entry in the RustSec database for the Wasmtime security advisory located at https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-hfr4-7c6c-48w2 For more information see the GitHub-hosted security advisory...
`tokio-tcp` is unmaintained
The tokio-tcp crate is unmaintained. It was part of the Tokio 0.1 ecosystem and has been superseded by the main tokio crate...
`tokio-current-thread` is unmaintained
The tokio-current-thread crate is unmaintained. It was part of the Tokio 0.1 ecosystem and has been superseded by the main tokio crate...
`tokio-sync` is unmaintained
The tokio-sync crate is unmaintained. It was part of the Tokio 0.1 ecosystem and has been superseded by the main tokio crate...
`tokio-codec` is unmaintained
The tokio-codec crate is unmaintained. It was part of the Tokio 0.1 ecosystem and has been superseded by the tokio-util crate...
`tokio-uds` is unmaintained
The tokio-uds crate is unmaintained. It was part of the Tokio 0.1 ecosystem and has been superseded by the main tokio crate...
`tokio-signal` is unmaintained
The tokio-signal crate is unmaintained. It was part of the Tokio 0.1 ecosystem and has been superseded by the main tokio crate...
Panic in Signature Hint Decoding During Verification
During ML-DSA verification the serialized hint values are decoded as specified in algorithm 22 HintBitUnpack of FIPS 204, subsection 7.1. The algorithm requires that the cumulative hint counters per row of the hint vector are strictly increasing and below a maximum value which depends on the choi...
`time_calibrator` was removed from crates.io due to malicious code
It was reported timecalibrator contained malicious code, that would try to upload .env files to a server. The malicious crate had only 1 version published at 2026-02-28 and no evidence of actual usage. The crate was removed from crates.io and the user account was locked. There were no crates...
`tracings` was removed from crates.io for malicious code
This is part of an ongoing campaign to attempt to typosquat crates in an attempt to exfiltrate Polymarket credentials. The malicious crate had 1 version published on 2026-02-26 approximately 9 hours before removal and had no evidence of actual usage. The only crate depending on this crate was the...
Type confusion when accessing data from sublasses of subclasses of native types with `abi3` feature targeting Python 3.12 and up
PyO3 0.28.1 added support for pyclassextends=PyList struct NativeSub and other native types when targeting Python 3.12 and up with the abi3 feature. It was discovered that subclasses of such classes would use the type of the subclass when attempting to access to data of NativeSub contained within...
Unnecessary clamping of seed reduces seed entropy to 251 bits
The latest releases of the libcrux-ed25519 crate contains the following bug-fix: 1320: Remove duplicated clamping step during key generation The issue fixed in 1320 was first reported by Nadim Kobeissi...
Incorrect X25519 clamping check rejects all secrets on import
The latest releases of the libcrux-psq crate contains the following bug-fix: 1301: Fix broken clamping check for imported X25519 secret keys...
theshit vulnerable to unsafe loading of user-owned Python rules when running as root
The application loads custom Python rules and configuration files from user-writable locations e.g., /.config/theshit/ without validating ownership or permissions when executed with elevated privileges. If the tool is invoked with sudo or otherwise runs with an effective UID of root, it continues...
Non-utf8 String can be created with `TimeBuf::as_str`
The function gixdate::parse::TimeBuf::asstr can create an illegal string containing non-utf8 characters. This violates the safety invariant of TimeBuf and can lead to undefined behavior when consuming the string. The bug can be prevented by adding str::fromutf8 to the function TimeBuf::write...
`finch-rst` was removed from crates.io for malicious code
This attempts to typosquat the existing crate finch to steal credentials from local files. The malicious crate had 1 version published on 2025-12-08 and had been downloaded 21 times. There were no crates depending on this crate on crates.io. Thanks to Matthias Zepper of NGI Sweden for reporting...
`uniswap-utils` was removed from crates.io for malicious code
It depended on the evm-units crate, which appeared to be attempting to steal cryptocurrency...
Missing check in ZK proof in CGGMP21 Threshold Signing Protocol
Vulnerability concerns a missing check in the ZK proof that enables an attack in which single malicious signer can reconstruct full private key. Patches cggmp21 v0.6.3 is a patch release that contains a fix that introduces this specific missing check. However, we recommend upgrading to cggmp24...
Resource Exhaustion (Memory and Handle Leaks) on Windows and macOS
Affected versions of this crate contain resource leaks when querying thread counts on Windows and Apple platforms. Windows The threadamount function calls CreateToolhelp32Snapshot but fails to close the returned HANDLE using CloseHandle. Repeated calls to this function will cause the handle count...
json5 crate is unmaintained
The json5 crate is no longer actively maintained. If you rely on this crate, consider switching to a recommended alternative. Recommended alternatives - serdejson5 - jsonc-parser - json-five...
tandem_garble_interop is unmaintained
The tandem crates in https://github.com/sine-fdn are no longer maintained by the SINE Foundation. The repository has been archived. Recommended alternative We are continuing our work on SMPC by implementing our secure multi-party computation engine Polytune...
astral-tokio-tar Vulnerable to PAX Header Desynchronization
Versions of astral-tokio-tar prior to 0.5.6 contain a boundary parsing vulnerability that allows attackers to smuggle additional archive entries by exploiting inconsistent PAX/ustar header handling. When processing archives with PAX-extended headers containing size overrides, the parser incorrect...
`unic-idna-mapping` is unmaintained
All Unicode crates that are part of https://github.com/open-i18n/rust-unic are unmaintained. Recommended alternatives - idna...
`unic-ucd-age` is unmaintained
All Unicode crates that are part of https://github.com/open-i18n/rust-unic are unmaintained...
`unic-char-property` is unmaintained
All Unicode crates that are part of https://github.com/open-i18n/rust-unic are unmaintained. Recommended alternatives - icuproperties...
`unic-ucd-version` is unmaintained
All Unicode crates that are part of https://github.com/open-i18n/rust-unic are unmaintained...
`unic-bidi` is unmaintained
All Unicode crates that are part of https://github.com/open-i18n/rust-unic are unmaintained. Recommended alternatives - unicode-bidi...
`unic-ucd-common` is unmaintained
All Unicode crates that are part of https://github.com/open-i18n/rust-unic are unmaintained. Recommended alternatives - icuproperties...
`unic-ucd-case` is unmaintained
All Unicode crates that are part of https://github.com/open-i18n/rust-unic are unmaintained. Recommended alternatives - icuproperties...
DoS vulnerability on `alloy_dyn_abi::TypedData` hashing
An uncaught panic triggered by malformed input to alloydynabi::TypedData could lead to a denial-of-service DoS via eip712signinghash. Software with high availability requirements such as network services may be particularly impacted. If in use, external auto-restarting mechanisms can partially...
iron crate is unmaintained
The iron crate is no longer actively maintained. If you rely on this crate, consider switching to a maintained alternative. Recommended alternatives See this comparison for popular alternatives...
Out-of-bounds access in `get_disjoint_mut` due to incorrect bounds check
Impact The getdisjointmut method in slab v0.4.10 incorrectly checked if indices were within the slab's capacity instead of its length, allowing access to uninitialized memory. This could lead to undefined behavior or potential crashes. Patches This has been fixed in slab v0.4.11. Workarounds Avoi...
Possible host crash with host-to-wasm component intrinsics
This is an entry in the RustSec database for the Wasmtime security advisory located at https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-4h67-722j-5pmc For more information see the GitHub-hosted security advisory...
Pingora Request Smuggling and Cache Poisoning
Pingora versions prior to 0.5.0 which used the caching functionality in pingora-proxy did not properly drain the downstream request body on cache hits. This allows an attacker to craft malicious HTTP/1.1 requests which could lead to request smuggling or cache poisoning. This flaw was corrected in...
Possible unsound public API
The public accessible struct SyncVec has a public safe method getunchecked. It accept a parameter index and used in the getunchecked without sufficient checks as mentioned here...
`DTriangle` accessors may read out of bounds in affected versions
In affected versions, DTriangle::neighborbyorder and DTriangle::vertexbyorder were public safe functions that accepted an arbitrary order value. These functions used order to access fixed-size internal arrays with getunchecked, without checking whether order was within bounds. Calling these metho...
SHA-1 collision attacks are not detected
Summary gitoxide uses SHA-1 hash implementations without any collision detection, leaving it vulnerable to hash collision attacks. Details gitoxide uses the sha1smol or sha1 crate, both of which implement standard SHA-1 without any mitigations for collision attacks. This means that two distinct G...
Safe API can cause heap-buffer-overflow
ffi::nstr should be marked unsafe, since a pointer to a buffer without a trailing 0 value will cause a heap buffer overflow...
`array-init-cursor` in version 0.2.0 and below is unsound when used with types that implement `Drop`
The Drop implementation will get run twice when using the cursor. This issue does not affect you, if you are using only using the crate with types that are Copy such as u8. This issue also does not affect you, if you are only depending on it through the crate planus...
The `trust-dns` project has been rebranded to `hickory-dns`
The trust-dns-proto crate is now available as hickory-proto...
resolve is unmaintained
resolve crate's GitHub repository is archived with no commits for seven years. Latest crates.io release is also seven years old. Possible alternatives hickory-resolver...
ssl::select_next_proto use after free
In openssl versions before 0.10.70, ssl::selectnextproto can return a slice pointing into the server argument's buffer but with a lifetime bound to the client argument. In situations where the server buffer's lifetime is shorter than the client buffer's, this can cause a use after free. This coul...