
Optional `Deserialize` implementations lacking validation

Moderate severity GitHub Reviewed Published Jun 17, 2022 to the GitHub Advisory Database • Updated Jun 13, 2023

Package

cargo raw-cpuid (Rust)

Affected versions

>= 3.1.0, < 9.1.1

Patched versions

9.1.1

Description

When the non-default feature serialize is enabled, most structs implement
serde::Deserialize without validating the decoded values. Deserializing
untrusted input can therefore construct values that violate invariants the
crate's safe API relies on, so purely safe code can reach:

  • Undefined behavior in as_string() methods, which use
    std::str::from_utf8_unchecked() internally and are therefore unsound
    when the deserialized bytes are not valid UTF-8.
  • Panics due to failed assertions.

See gz/rust-cpuid#43.
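The pattern behind the advisory, as an added illustration written for this page (not raw-cpuid's own code, and not its actual fix): a type whose as_str() relies on an invariant that only the hardware-reading constructor establishes, next to the same type with the check moved into the single construction point. Type names (VendorRegs, VendorUnchecked, Vendor, VendorError) and the constructed register values are the editor's. The block avoids a serde dependency so it runs stand-alone; with serde, the hardened struct would carry `#[serde(try_from = "[u8; 12]")]` so that deserialization is routed through the same TryFrom and cannot skip the validation.

```rust
use std::convert::TryFrom;
use std::str;

/// Hypothetical stand-in for a CPUID vendor-string record (the twelve
/// bytes hardware returns in ebx, edx, ecx for leaf 0). Names are the
/// editor's, not raw-cpuid's.
#[derive(Clone, Copy, Debug, PartialEq)]
pub struct VendorRegs {
    pub ebx: u32,
    pub edx: u32,
    pub ecx: u32,
}

impl VendorRegs {
    /// Lay the three registers out as the 12 bytes they encode.
    pub fn to_bytes(self) -> [u8; 12] {
        let mut out = [0u8; 12];
        out[0..4].copy_from_slice(&self.ebx.to_le_bytes());
        out[4..8].copy_from_slice(&self.edx.to_le_bytes());
        out[8..12].copy_from_slice(&self.ecx.to_le_bytes());
        out
    }
}

/// The vulnerable shape. The type relies on an invariant ("`raw` is valid
/// UTF-8") that only the hardware-reading path establishes. A field-by-field
/// Deserialize writes `raw` directly, modelled here by `from_deserialized`,
/// so nothing enforces the invariant and `as_str` is undefined behaviour on
/// attacker-chosen bytes.
pub struct VendorUnchecked {
    raw: [u8; 12],
}

impl VendorUnchecked {
    /// What an unvalidated Deserialize amounts to: any 12 bytes are accepted.
    pub fn from_deserialized(raw: [u8; 12]) -> Self {
        VendorUnchecked { raw }
    }

    /// Mirrors the advisory's as_string() pattern. Only sound when `raw`
    /// really is UTF-8; never call this on untrusted input.
    pub fn as_str(&self) -> &str {
        // SAFETY: relies on an invariant that from_deserialized never checked.
        unsafe { str::from_utf8_unchecked(&self.raw) }
    }
}

#[derive(Debug, PartialEq)]
pub enum VendorError {
    NotUtf8,
    NotPrintableAscii,
}

/// The hardened shape: the invariant is checked at the single construction
/// point. With serde in the picture, `#[serde(try_from = "[u8; 12]")]` on
/// this struct routes deserialization through the TryFrom below, so a
/// deserialized value can never skip the check.
#[derive(Debug, PartialEq)]
pub struct Vendor {
    raw: [u8; 12],
}

impl TryFrom<[u8; 12]> for Vendor {
    type Error = VendorError;

    fn try_from(raw: [u8; 12]) -> Result<Self, Self::Error> {
        let s = str::from_utf8(&raw).map_err(|_| VendorError::NotUtf8)?;
        // Vendor strings are printable ASCII; reject control bytes and NULs
        // even though they are valid UTF-8.
        if !s.bytes().all(|b| b.is_ascii_graphic() || b == b' ') {
            return Err(VendorError::NotPrintableAscii);
        }
        Ok(Vendor { raw })
    }
}

impl Vendor {
    /// The hardware path goes through the same validation as untrusted input.
    pub fn from_registers(regs: VendorRegs) -> Result<Self, VendorError> {
        Vendor::try_from(regs.to_bytes())
    }

    /// No unsafe needed: the checked conversion cannot fail for a value that
    /// passed try_from, and if the invariant were ever broken this panics
    /// instead of handing out a bogus &str.
    pub fn as_str(&self) -> &str {
        str::from_utf8(&self.raw).expect("Vendor invariant: validated at construction")
    }
}
```

The design point is that `Vendor { raw }` is only written in one place, inside try_from, so every producer (hardware read, deserializer, test fixture) pays for the same check; the unchecked type has the same field layout but two producers and only one of them validates.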

References

Published to the GitHub Advisory Database Jun 17, 2022
Reviewed Jun 17, 2022
Last updated Jun 13, 2023

Severity

Moderate

Weaknesses

No CWEs

CVE ID

No known CVE

GHSA ID

GHSA-jf5h-cf95-w759
