Reported

November 13, 2019

Issued

October 1, 2020 (last modified: June 13, 2023)

Package

failure (crates.io)

Type

INFO Unsound

Keywords

#unsound

Aliases

• CVE-2019-25010
• CVE-2020-25575
• GHSA-jq66-xh47-j9f3
• GHSA-r98r-j25q-rmpr

References

• https://github.com/rust-lang-nursery/failure/issues/336

CVSS Score

9.8 CRITICAL

CVSS Details

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality Impact

High

Integrity Impact

High

Availability Impact

High

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Patched

no patched versions

Affected Functions

Version

failure::Fail::__private_get_type_id__

• >=0.1.0

Description

Safe Rust code can implement malfunctioning __private_get_type_id__ and cause type confusion when downcasting, which is an undefined behavior.

Users who derive Fail trait are not affected.

Advisory available under CC0-1.0 license.