Reported

May 2, 2020

Issued

October 1, 2020 (last modified: February 10, 2024)

Package

failure (crates.io)

Type

INFO Unmaintained

Aliases

• CVE-2019-25010
• CVE-2020-25575
• GHSA-jq66-xh47-j9f3
• GHSA-r98r-j25q-rmpr

References

• https://github.com/rust-lang-nursery/failure/pull/347

CVSS Score

9.8 CRITICAL

CVSS Details

Attack vector

Network

Attack complexity

Low

Privileges required

None

User interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Patched

no patched versions

Description

The failure crate is officially end-of-life: it has been marked as deprecated by the former maintainer, who has announced that there will be no updates or maintenance work on it going forward.

The following are some suggested actively developed alternatives to switch to:

• anyhow
• eyre
• fehler
• snafu
• thiserror

Advisory available under CC0-1.0 license.