Lucene search
K
RustsecMost viewed

1141 matches found

RustSec
RustSec
added 2023/11/15 12:0 p.m.8 views

`registry-win` was removed from crates.io for malicious code

This crate was part of a typosquatting malware cluster published by the user Kraded to run an arbitrary malware payload on Windows hosts. This advisory is to retrospectively document this attempted attack. The version information and download records of the malicious crate are no longer available...

5.9AI score
Exploits0
RustSec
RustSec
added 2023/09/10 12:0 p.m.8 views

Unaligned read of `*const *const c_char` pointer

Affected versions dereference a potentially unaligned pointer. The pointer is commonly unaligned in practice, resulting in undefined behavior. In some build modes, this is observable as a panic followed by abort. In other build modes the UB may manifest in some other way, including the possibilit...

7.1AI score
Exploits0
RustSec
RustSec
added 2023/07/11 12:0 p.m.8 views

atomic-polyfill is unmaintained

The author has archived the GitHub repository and mentions deprecation in project's README. Possible alternatives portable-atomic...

7.2AI score
Exploits0
RustSec
RustSec
added 2022/06/11 12:0 p.m.8 views

Double Public Key Signing Function Oracle Attack on `ed25519-dalek`

Versions of ed25519-dalek prior to v2.0 model private and public keys as separate types which can be assembled into a Keypair, and also provide APIs for serializing and deserializing 64-byte private/public keypairs. Such APIs and serializations are inherently unsafe as the public key is one of th...

5.9CVSS7AI score0.00183EPSS
Exploits0Affected Software1
RustSec
RustSec
added 2021/09/01 12:0 p.m.8 views

`daemonize` is Unmaintained

Last release was over four years ago. The crate contains undocumented unsafe behind safe fns. An issue inquiring as to possible updates has gone unanswered by the maintainer. Possible Alternatives The below list has not been vetted in any way and may or may not contain alternatives: - daemonize-m...

3.4AI score
Exploits0
RustSec
RustSec
added 2020/05/07 12:0 p.m.8 views

`array!` macro is unsound in presence of traits that implement methods it calls internally

Affected versions of this crate called some methods using auto-ref. The affected code looked like this. rust let mut arr = $crate::core::mem::MaybeUninit::uninit; let mut vec = $crate::ArrayVec::::newarr.asmutptr as mut T; In this case, the problem is that asmutptr is a method of &mut MaybeUninit...

0.5AI score
Exploits0Affected Software1
RustSec
RustSec
added 2026/05/01 12:0 p.m.7 views

Fragile bounds check when sampling from image

A bounds check was performed in floating points before a cast to the index passed to an unchecked access function. This checked considered NaN cases improperly, causing them to succeed the check instead of failing it. The floating point coordinate is under caller control by passing a selected...

5.9AI score
Exploits0Affected Software1
RustSec
RustSec
added 2026/04/29 12:0 p.m.7 views

DNS rebinding vulnerability in rmcp Streamable HTTP server transport

Prior to version 1.4.0, the rmcp crate's Streamable HTTP server transport did not validate the incoming Host header. This allowed a malicious public website, via a DNS rebinding attack, to send requests to an MCP server running on the victim's loopback or private-network interface. An attacker wh...

8.8CVSS5.8AI score0.00213EPSS
Exploits0Affected Software1
RustSec
RustSec
added 2026/04/09 12:0 p.m.7 views

Use-after-free bug after cloning `wasmtime::Linker`

This is an entry in the RustSec database for the Wasmtime security advisory located at https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-hfr4-7c6c-48w2 For more information see the GitHub-hosted security advisory...

5CVSS5.9AI score0.00117EPSS
Exploits0Affected Software1
RustSec
RustSec
added 2026/03/20 12:0 p.m.7 views

`tokio-tcp` is unmaintained

The tokio-tcp crate is unmaintained. It was part of the Tokio 0.1 ecosystem and has been superseded by the main tokio crate...

5.7AI score
Exploits0
RustSec
RustSec
added 2026/03/20 12:0 p.m.7 views

`tokio-current-thread` is unmaintained

The tokio-current-thread crate is unmaintained. It was part of the Tokio 0.1 ecosystem and has been superseded by the main tokio crate...

5.7AI score
Exploits0
RustSec
RustSec
added 2026/03/20 12:0 p.m.7 views

`tokio-sync` is unmaintained

The tokio-sync crate is unmaintained. It was part of the Tokio 0.1 ecosystem and has been superseded by the main tokio crate...

5.7AI score
Exploits0
RustSec
RustSec
added 2026/03/20 12:0 p.m.8 views

`tokio-codec` is unmaintained

The tokio-codec crate is unmaintained. It was part of the Tokio 0.1 ecosystem and has been superseded by the tokio-util crate...

5.7AI score
Exploits0
RustSec
RustSec
added 2026/03/20 12:0 p.m.7 views

`tokio-uds` is unmaintained

The tokio-uds crate is unmaintained. It was part of the Tokio 0.1 ecosystem and has been superseded by the main tokio crate...

5.7AI score
Exploits0
RustSec
RustSec
added 2026/03/20 12:0 p.m.7 views

`tokio-signal` is unmaintained

The tokio-signal crate is unmaintained. It was part of the Tokio 0.1 ecosystem and has been superseded by the main tokio crate...

5.7AI score
Exploits0
RustSec
RustSec
added 2026/03/04 12:0 p.m.7 views

Panic in Signature Hint Decoding During Verification

During ML-DSA verification the serialized hint values are decoded as specified in algorithm 22 HintBitUnpack of FIPS 204, subsection 7.1. The algorithm requires that the cumulative hint counters per row of the hint vector are strictly increasing and below a maximum value which depends on the choi...

5.8AI score
Exploits0Affected Software1
RustSec
RustSec
added 2026/03/03 12:0 p.m.7 views

`time_calibrator` was removed from crates.io due to malicious code

It was reported timecalibrator contained malicious code, that would try to upload .env files to a server. The malicious crate had only 1 version published at 2026-02-28 and no evidence of actual usage. The crate was removed from crates.io and the user account was locked. There were no crates...

6AI score
Exploits0
RustSec
RustSec
added 2026/02/26 12:0 p.m.7 views

`tracings` was removed from crates.io for malicious code

This is part of an ongoing campaign to attempt to typosquat crates in an attempt to exfiltrate Polymarket credentials. The malicious crate had 1 version published on 2026-02-26 approximately 9 hours before removal and had no evidence of actual usage. The only crate depending on this crate was the...

5.5AI score
Exploits0
RustSec
RustSec
added 2026/02/18 12:0 p.m.7 views

Type confusion when accessing data from sublasses of subclasses of native types with `abi3` feature targeting Python 3.12 and up

PyO3 0.28.1 added support for pyclassextends=PyList struct NativeSub and other native types when targeting Python 3.12 and up with the abi3 feature. It was discovered that subclasses of such classes would use the type of the subclass when attempting to access to data of NativeSub contained within...

5.4AI score
Exploits0Affected Software1
RustSec
RustSec
added 2026/02/05 12:0 p.m.7 views

Unnecessary clamping of seed reduces seed entropy to 251 bits

The latest releases of the libcrux-ed25519 crate contains the following bug-fix: 1320: Remove duplicated clamping step during key generation The issue fixed in 1320 was first reported by Nadim Kobeissi...

5.3AI score
Exploits0Affected Software1
RustSec
RustSec
added 2026/01/26 12:0 p.m.7 views

Incorrect X25519 clamping check rejects all secrets on import

The latest releases of the libcrux-psq crate contains the following bug-fix: 1301: Fix broken clamping check for imported X25519 secret keys...

5.3AI score
Exploits0Affected Software1
RustSec
RustSec
added 2025/12/30 12:0 p.m.7 views

theshit vulnerable to unsafe loading of user-owned Python rules when running as root

The application loads custom Python rules and configuration files from user-writable locations e.g., /.config/theshit/ without validating ownership or permissions when executed with elevated privileges. If the tool is invoked with sudo or otherwise runs with an effective UID of root, it continues...

6.7CVSS7.1AI score0.0012EPSS
Exploits0Affected Software1
RustSec
RustSec
added 2025/12/29 12:0 p.m.7 views

Non-utf8 String can be created with `TimeBuf::as_str`

The function gixdate::parse::TimeBuf::asstr can create an illegal string containing non-utf8 characters. This violates the safety invariant of TimeBuf and can lead to undefined behavior when consuming the string. The bug can be prevented by adding str::fromutf8 to the function TimeBuf::write...

7.1CVSS7.3AI score0.00193EPSS
Exploits1Affected Software1
RustSec
RustSec
added 2025/12/09 12:0 p.m.7 views

`finch-rst` was removed from crates.io for malicious code

This attempts to typosquat the existing crate finch to steal credentials from local files. The malicious crate had 1 version published on 2025-12-08 and had been downloaded 21 times. There were no crates depending on this crate on crates.io. Thanks to Matthias Zepper of NGI Sweden for reporting...

5.5AI score
Exploits0
RustSec
RustSec
added 2025/12/03 12:0 p.m.7 views

`uniswap-utils` was removed from crates.io for malicious code

It depended on the evm-units crate, which appeared to be attempting to steal cryptocurrency...

5.3AI score
Exploits0
RustSec
RustSec
added 2025/11/24 12:0 p.m.7 views

Missing check in ZK proof in CGGMP21 Threshold Signing Protocol

Vulnerability concerns a missing check in the ZK proof that enables an attack in which single malicious signer can reconstruct full private key. Patches cggmp21 v0.6.3 is a patch release that contains a fix that introduces this specific missing check. However, we recommend upgrading to cggmp24...

9.3CVSS6.7AI score0.00163EPSS
Exploits0Affected Software1
RustSec
RustSec
added 2025/11/22 12:0 p.m.7 views

Resource Exhaustion (Memory and Handle Leaks) on Windows and macOS

Affected versions of this crate contain resource leaks when querying thread counts on Windows and Apple platforms. Windows The threadamount function calls CreateToolhelp32Snapshot but fails to close the returned HANDLE using CloseHandle. Repeated calls to this function will cause the handle count...

8.7CVSS6.6AI score0.00309EPSS
Exploits0Affected Software1
RustSec
RustSec
added 2025/11/16 12:0 p.m.7 views

json5 crate is unmaintained

The json5 crate is no longer actively maintained. If you rely on this crate, consider switching to a recommended alternative. Recommended alternatives - serdejson5 - jsonc-parser - json-five...

6.9AI score
Exploits0
RustSec
RustSec
added 2025/11/10 12:0 p.m.7 views

tandem_garble_interop is unmaintained

The tandem crates in https://github.com/sine-fdn are no longer maintained by the SINE Foundation. The repository has been archived. Recommended alternative We are continuing our work on SMPC by implementing our secure multi-party computation engine Polytune...

7AI score
Exploits0
RustSec
RustSec
added 2025/10/21 12:0 p.m.7 views

astral-tokio-tar Vulnerable to PAX Header Desynchronization

Versions of astral-tokio-tar prior to 0.5.6 contain a boundary parsing vulnerability that allows attackers to smuggle additional archive entries by exploiting inconsistent PAX/ustar header handling. When processing archives with PAX-extended headers containing size overrides, the parser incorrect...

8.1CVSS7.1AI score0.00688EPSS
Exploits1Affected Software1
RustSec
RustSec
added 2025/10/18 12:0 p.m.7 views

`unic-idna-mapping` is unmaintained

All Unicode crates that are part of https://github.com/open-i18n/rust-unic are unmaintained. Recommended alternatives - idna...

7AI score
Exploits0
RustSec
RustSec
added 2025/10/18 12:0 p.m.7 views

`unic-ucd-age` is unmaintained

All Unicode crates that are part of https://github.com/open-i18n/rust-unic are unmaintained...

7AI score
Exploits0
RustSec
RustSec
added 2025/10/18 12:0 p.m.7 views

`unic-char-property` is unmaintained

All Unicode crates that are part of https://github.com/open-i18n/rust-unic are unmaintained. Recommended alternatives - icuproperties...

7AI score
Exploits0
RustSec
RustSec
added 2025/10/18 12:0 p.m.7 views

`unic-ucd-version` is unmaintained

All Unicode crates that are part of https://github.com/open-i18n/rust-unic are unmaintained...

7AI score
Exploits0
RustSec
RustSec
added 2025/10/18 12:0 p.m.7 views

`unic-bidi` is unmaintained

All Unicode crates that are part of https://github.com/open-i18n/rust-unic are unmaintained. Recommended alternatives - unicode-bidi...

7AI score
Exploits0
RustSec
RustSec
added 2025/10/18 12:0 p.m.7 views

`unic-ucd-common` is unmaintained

All Unicode crates that are part of https://github.com/open-i18n/rust-unic are unmaintained. Recommended alternatives - icuproperties...

7AI score
Exploits0
RustSec
RustSec
added 2025/10/18 12:0 p.m.7 views

`unic-ucd-case` is unmaintained

All Unicode crates that are part of https://github.com/open-i18n/rust-unic are unmaintained. Recommended alternatives - icuproperties...

7AI score
Exploits0
RustSec
RustSec
added 2025/10/15 12:0 p.m.7 views

DoS vulnerability on `alloy_dyn_abi::TypedData` hashing

An uncaught panic triggered by malformed input to alloydynabi::TypedData could lead to a denial-of-service DoS via eip712signinghash. Software with high availability requirements such as network services may be particularly impacted. If in use, external auto-restarting mechanisms can partially...

7.5CVSS6.8AI score0.00416EPSS
Exploits0Affected Software1
RustSec
RustSec
added 2025/09/08 12:0 p.m.7 views

iron crate is unmaintained

The iron crate is no longer actively maintained. If you rely on this crate, consider switching to a maintained alternative. Recommended alternatives See this comparison for popular alternatives...

6.9AI score
Exploits0
RustSec
RustSec
added 2025/08/12 12:0 p.m.7 views

Out-of-bounds access in `get_disjoint_mut` due to incorrect bounds check

Impact The getdisjointmut method in slab v0.4.10 incorrectly checked if indices were within the slab's capacity instead of its length, allowing access to uninitialized memory. This could lead to undefined behavior or potential crashes. Patches This has been fixed in slab v0.4.11. Workarounds Avoi...

5.1CVSS7AI score0.00167EPSS
Exploits0Affected Software1
RustSec
RustSec
added 2025/07/18 12:0 p.m.7 views

Possible host crash with host-to-wasm component intrinsics

This is an entry in the RustSec database for the Wasmtime security advisory located at https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-4h67-722j-5pmc For more information see the GitHub-hosted security advisory...

3.1CVSS6.7AI score0.00405EPSS
Exploits0Affected Software1
RustSec
RustSec
added 2025/05/22 12:0 p.m.7 views

Pingora Request Smuggling and Cache Poisoning

Pingora versions prior to 0.5.0 which used the caching functionality in pingora-proxy did not properly drain the downstream request body on cache hits. This allows an attacker to craft malicious HTTP/1.1 requests which could lead to request smuggling or cache poisoning. This flaw was corrected in...

7.4CVSS6.9AI score0.00423EPSS
Exploits0Affected Software1
RustSec
RustSec
added 2025/04/25 12:0 p.m.7 views

Possible unsound public API

The public accessible struct SyncVec has a public safe method getunchecked. It accept a parameter index and used in the getunchecked without sufficient checks as mentioned here...

7AI score
Exploits0Affected Software1
RustSec
RustSec
added 2025/04/24 12:0 p.m.7 views

`DTriangle` accessors may read out of bounds in affected versions

In affected versions, DTriangle::neighborbyorder and DTriangle::vertexbyorder were public safe functions that accepted an arbitrary order value. These functions used order to access fixed-size internal arrays with getunchecked, without checking whether order was within bounds. Calling these metho...

5.8AI score
Exploits0Affected Software1
RustSec
RustSec
added 2025/04/03 12:0 p.m.7 views

SHA-1 collision attacks are not detected

Summary gitoxide uses SHA-1 hash implementations without any collision detection, leaving it vulnerable to hash collision attacks. Details gitoxide uses the sha1smol or sha1 crate, both of which implement standard SHA-1 without any mitigations for collision attacks. This means that two distinct G...

6.8CVSS7AI score0.00239EPSS
Exploits0Affected Software1
RustSec
RustSec
added 2025/03/27 12:0 p.m.7 views

Safe API can cause heap-buffer-overflow

ffi::nstr should be marked unsafe, since a pointer to a buffer without a trailing 0 value will cause a heap buffer overflow...

7.3AI score
Exploits0Affected Software1
RustSec
RustSec
added 2025/03/27 12:0 p.m.7 views

`array-init-cursor` in version 0.2.0 and below is unsound when used with types that implement `Drop`

The Drop implementation will get run twice when using the cursor. This issue does not affect you, if you are using only using the crate with types that are Copy such as u8. This issue also does not affect you, if you are only depending on it through the crate planus...

7.1AI score
Exploits0Affected Software1
RustSec
RustSec
added 2025/03/23 12:0 p.m.7 views

The `trust-dns` project has been rebranded to `hickory-dns`

The trust-dns-proto crate is now available as hickory-proto...

7.2AI score
Exploits0Affected Software1
RustSec
RustSec
added 2025/02/21 12:0 p.m.7 views

resolve is unmaintained

resolve crate's GitHub repository is archived with no commits for seven years. Latest crates.io release is also seven years old. Possible alternatives hickory-resolver...

7.2AI score
Exploits0
RustSec
RustSec
added 2025/02/02 12:0 p.m.7 views

ssl::select_next_proto use after free

In openssl versions before 0.10.70, ssl::selectnextproto can return a slice pointing into the server argument's buffer but with a lifetime bound to the client argument. In situations where the server buffer's lifetime is shorter than the client buffer's, this can cause a use after free. This coul...

6.3CVSS7.4AI score0.0065EPSS
Exploits0Affected Software1
Total number of security vulnerabilities1141