Reported

October 11, 2024

Issued

December 4, 2024

Package

hashbrown (crates.io)

Type

Vulnerability

Keywords

#borsh

References

• https://github.com/rust-lang/hashbrown/issues/576

Patched

• >=0.15.1

Unaffected

• <0.15.0

Affected Functions

Version

hashbrown::HashMap::borsh_serialize

• =0.15.0

Description

The borsh serialization of the HashMap did not follow the borsh specification. It potentially produced non-canonical encodings dependent on insertion order. It also did not perform canonicty checks on decoding.

This can result in consensus splits and cause equivalent objects to be considered distinct.

This was patched in 0.15.1.

Advisory available under CC0-1.0 license.