`uniswap-utils` was removed from crates.io for malicious code

It depended on the evm-units crate, which appeared to be attempting to steal cryptocurrency...

rustls-pemfile is unmaintained

The rustls-pemfile crate is no longer maintained. The repository has been archived since August 2025, and users are encouraged to depend directly on the underlying PEM parsing code included in rustls-pki-types since 1.9.0. The latest version of rustls-pemfile is in fact a thin wrapper around the...

`Reader::open_mmap` unsoundly marks unsafe memmap operation as safe

maxminddb prior to version 0.27 declared Reader::openmmap as safe despite wrapping an inherently unsafe memmap2 operation with no extra step done to guarantee safety. This could have led to undefined behaviour if the file were to be modified on disk while the memory map was still active...

Missing check in ZK proof in CGGMP21 Threshold Signing Protocol

Vulnerability concerns a missing check in the ZK proof that enables an attack in which single malicious signer can reconstruct full private key. Patches cggmp21 v0.6.3 is a patch release that contains a fix that introduces this specific missing check. However, we recommend upgrading to cggmp24...

CGGMP21 presignatures can be used in the way that significantly reduces security

This attack is against presignatures used in very specific context: Presignatures + HD wallets derivation: security level reduces to 85 bits \ Previously you could generate a presignature, and then choose a HD derivation path while issuing a partial signature via Presignature::setderivationpath,...

Missing check in ZK proof in CGGMP21 Threshold Signing Protocol

Vulnerability concerns a missing check in the ZK proof that enables an attack in which single malicious signer can reconstruct full private key. Patches cggmp21 v0.6.3 is a patch release that contains a fix that introduces this specific missing check. However, we recommend upgrading to cggmp24...

CGGMP21 presignatures can be used in the way that significantly reduces security

This attack is against presignatures used in very specific context: Presignatures + HD wallets derivation: security level reduces to 85 bits \ Previously you could generate a presignature, and then choose a HD derivation path while issuing a partial signature via Presignature::setderivationpath,...

Resource Exhaustion (Memory and Handle Leaks) on Windows and macOS

Affected versions of this crate contain resource leaks when querying thread counts on Windows and Apple platforms. Windows The threadamount function calls CreateToolhelp32Snapshot but fails to close the returned HANDLE using CloseHandle. Repeated calls to this function will cause the handle count...

gcc crate is unmaintained

The gcc crate is deprecated and no longer actively maintained. If you rely on this crate, consider switching to a recommended alternative. Recommended alternatives - cc...

number_prefix crate is unmaintained

The numberprefix crate is no longer actively maintained. If you rely on this crate, consider switching to a recommended alternative. Recommended alternatives - unit-prefix...

opentelemetry-jaeger crate is unmaintained

The opentelemetry-jaeger crate is deprecated and no longer actively maintained. The Jaeger propagator implementation has been migrated to opentelemetry-jaeger-propagator. More information and examples of using OTLP with Jaeger can be found in Introducing native support for OpenTelemetry in Jaeger...

hexchat crate is unsound and unmaintained

All versions of this crate have function deregistercommand which can result in use after free. This is unsound. In addition, all versions since 0.3.0 have "safe" macros, which are documented as unsafe to use in threads. In addition, the hexchat crate is no longer actively maintained. If you rely ...

cargo-asm crate is unmaintained

The cargo-asm crate is deprecated and no longer actively maintained. If you rely on this crate, consider switching to a recommended alternative. Recommended alternatives - cargo-show-asm...

rand_os crate is unmaintained

The randos crate is deprecated and no longer actively maintained, as OsRng is now part of randcore. If you are using this crate, consider upgrading to randcore 0.5.1 or higher...

json5 crate is unmaintained

The json5 crate is no longer actively maintained. If you rely on this crate, consider switching to a recommended alternative. Recommended alternatives - serdejson5 - jsonc-parser - json-five...

Unsound API access to a WebAssembly shared linear memory

This is an entry in the RustSec database for the Wasmtime security advisory located at https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-hc7m-r6v8-hg9q For more information see the GitHub-hosted security advisory...

tandem_garble_interop is unmaintained

The tandem crates in https://github.com/sine-fdn are no longer maintained by the SINE Foundation. The repository has been archived. Recommended alternative We are continuing our work on SMPC by implementing our secure multi-party computation engine Polytune...

tandem_http_client is unmaintained

The tandem crates in https://github.com/sine-fdn are no longer maintained by the SINE Foundation. The repository has been archived. Recommended alternative We are continuing our work on SMPC by implementing our secure multi-party computation engine Polytune...

tandem is unmaintained

The tandem crates in https://github.com/sine-fdn are no longer maintained by the SINE Foundation. The repository has been archived. Recommended alternative We are continuing our work on SMPC by implementing our secure multi-party computation engine Polytune...

tandem_http_server is unmaintained

The tandem crates in https://github.com/sine-fdn are no longer maintained by the SINE Foundation. The repository has been archived. Recommended alternative We are continuing our work on SMPC by implementing our secure multi-party computation engine Polytune...

Underflow in aes_key_unwrap function

The aeskeyunwrap function would panic if passed a ciphertext that was too short. In a debug build, it would panic due to a subtraction underflow. In a release build, it would use the small negative quantity to allocate a vector. Since the allocator expects an unsigned quantity, the negative value...

`replit_ruspty` was removed from crates.io for malicious code

The OpenSSF Package Analysis project identified 'replitruspty' @ 1.0.0 crates.io as malicious. Version 2.0.0 was also published with malware. It is considered malicious because: The package communicates with a domain associated with malicious activity. The package executes one or more commands...

Lack of sufficient checks in public API

The affected function is unsound due to insufficient checks on public struct field...

Out-of-bounds memory access in binary_read_to_ref and binary_write_from_ref

Safe functions accept a single &T or &mut T but multiply by n to create slices extending beyond allocated memory when n 1. These functions use fromrawparts to create slices larger than the underlying allocation, violating memory safety. The binaryvecio repository is archived and unmaintained...

astral-tokio-tar Vulnerable to PAX Header Desynchronization

Versions of astral-tokio-tar prior to 0.5.6 contain a boundary parsing vulnerability that allows attackers to smuggle additional archive entries by exploiting inconsistent PAX/ustar header handling. When processing archives with PAX-extended headers containing size overrides, the parser incorrect...

Uninitialized memory exposure in any_as_u8_slice

The safe function anyasu8slice can create byte slices that reference uninitialized memory when used with types containing padding bytes. The function uses slice::fromrawparts to create a &u8 covering the entire size of a type, including padding bytes. According to Rust's documentation, fromrawpar...

Uninitialized memory exposure in string reading functions

Multiple string reading functions expose uninitialized memory by setting length to capacity when no null terminator is found. This allows reading uninitialized memory which may contain sensitive data from previous allocations. The ncurses-rs repository is archived and unmaintained...

`tokio-tar` parses PAX extended headers incorrectly, allows file smuggling

The archive reader incorrectly handles PAX extended headers, when the ustar header incorrectly specifies zero size size=000000000000, while a PAX header specifies a non-zero size, tokio-tar::Archive is going to read the file content as tar entry header. This can be used by a tar file to present...

Undefined behavior in index_of_ptr with empty slices

The safe function indexofptr causes undefined behavior when called with an empty slice. The issue occurs in the line ptr.addslice.len - 1 which underflows when slice.len is 0, creating a pointer with a massive offset. According to Rust's safety rules, creating such a pointer causes immediate...

Uninitialized memory exposure in create_ring_buffer

The safe function createringbuffer allocates a buffer using Vec::withcapacity followed by setlen, creating a Box containing uninitialized memory. This leads to undefined behavior when functions like writeslices create typed slices e.g., &mut bool over the uninitialized memory, violating Rust's...

`unic-ucd-core` is unmaintained

All Unicode crates that are part of https://github.com/open-i18n/rust-unic are unmaintained...

`unic-ucd-version` is unmaintained

All Unicode crates that are part of https://github.com/open-i18n/rust-unic are unmaintained...

`unic-common` is unmaintained

All Unicode crates that are part of https://github.com/open-i18n/rust-unic are unmaintained...

`unic-segment` is unmaintained

All Unicode crates that are part of https://github.com/open-i18n/rust-unic are unmaintained. Recommended alternatives - icusegmenter - unicode-segmentation...

`unic-char-property` is unmaintained

All Unicode crates that are part of https://github.com/open-i18n/rust-unic are unmaintained. Recommended alternatives - icuproperties...

`unic-ucd-age` is unmaintained

All Unicode crates that are part of https://github.com/open-i18n/rust-unic are unmaintained...

Segmentation fault and invalid memory read in `mnl::cb_run`

The function mnl::cbrun is marked as safe but exhibits unsound behavior when processing malformed Netlink message buffers. Passing a crafted byte slice to mnl::cbrun can trigger memory violations. The function does not sufficiently validate the input buffer structure before processing, leading to...

`unic-idna-punycode` is unmaintained

All Unicode crates that are part of https://github.com/open-i18n/rust-unic are unmaintained. Recommended alternatives - idna...

`unic-ucd-ident` is unmaintained

All Unicode crates that are part of https://github.com/open-i18n/rust-unic are unmaintained. Recommended alternatives - icuproperties - unicode-ident...

`unic-ucd-name_aliases` is unmaintained

All Unicode crates that are part of https://github.com/open-i18n/rust-unic are unmaintained...

`unic-cli` is unmaintained

All Unicode crates that are part of https://github.com/open-i18n/rust-unic are unmaintained...

`unic-char` is unmaintained

All Unicode crates that are part of https://github.com/open-i18n/rust-unic are unmaintained. Recommended alternatives - icuproperties...

`unic-ucd-segment` is unmaintained

All Unicode crates that are part of https://github.com/open-i18n/rust-unic are unmaintained. Recommended alternatives - icuproperties...

`unic-bidi` is unmaintained

All Unicode crates that are part of https://github.com/open-i18n/rust-unic are unmaintained. Recommended alternatives - unicode-bidi...

`unic-emoji-char` is unmaintained

All Unicode crates that are part of https://github.com/open-i18n/rust-unic are unmaintained. Recommended alternatives - icuproperties...

`unic` is unmaintained

All Unicode crates that are part of https://github.com/open-i18n/rust-unic are unmaintained. Recommended alternatives - icu - idna - unicode-bidi...

`unic-ucd-category` is unmaintained

All Unicode crates that are part of https://github.com/open-i18n/rust-unic are unmaintained. Recommended alternatives - icuproperties...

`unic-ucd-normal` is unmaintained

All Unicode crates that are part of https://github.com/open-i18n/rust-unic are unmaintained. Recommended alternatives - icunormalizer...

`unic-ucd` is unmaintained

All Unicode crates that are part of https://github.com/open-i18n/rust-unic are unmaintained. Recommended alternatives - icuproperties...

`unic-emoji` is unmaintained

All Unicode crates that are part of https://github.com/open-i18n/rust-unic are unmaintained. Recommended alternatives - icuproperties...