RUSTSEC-2025-0022

Use-After-Free in Md::fetch and Cipher::fetch

Reported
Issued
Package
openssl (crates.io)
Type
Vulnerability
Categories
References
Patched
  • >=0.10.72
Unaffected
  • <0.10.39
Affected Functions (Version)
  • openssl::cipher::Cipher::fetch: >=0.10.39, <0.10.72
  • openssl::md::Md::fetch: >=0.10.39, <0.10.72

Description

When a Some(...) value was passed to the properties argument of either of these functions, a use-after-free would result.

In practice this would nearly always result in OpenSSL treating the properties as an empty string (due to CString::drop's behavior).
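The following is an added illustration, not code from the openssl crate or from this advisory. It assumes one common way an optional string can dangle at an FFI boundary: Option::map_or takes the owned string by value, so it is freed before the pointer is used. Props, buffer_alive_at_call, consuming and borrowing are hypothetical names, and no freed memory is ever read.

```rust
use std::cell::Cell;
use std::ffi::CString;
use std::os::raw::c_char;
use std::ptr;

/// Hypothetical stand-in for the owned properties string: a CString that records
/// when it is dropped, so liveness can be checked without touching freed memory.
struct Props<'a> {
    buf: CString,
    dropped: &'a Cell<bool>,
}

impl Drop for Props<'_> {
    fn drop(&mut self) {
        self.dropped.set(true);
    }
}

/// Stand-in for the FFI call site. It never dereferences `raw`: it returns None
/// for a null pointer, otherwise Some(whether the backing buffer is still alive).
fn buffer_alive_at_call(raw: *const c_char, dropped: &Cell<bool>) -> Option<bool> {
    if raw.is_null() { None } else { Some(!dropped.get()) }
}

/// Dangling pattern: `map_or` takes the Option by value, the closure owns the
/// string, and the string is dropped when the closure returns, before the call.
pub fn consuming(properties: Option<&str>) -> Option<bool> {
    let dropped = Cell::new(false);
    let props = properties.map(|s| Props { buf: CString::new(s).unwrap(), dropped: &dropped });
    let raw = props.map_or(ptr::null(), |p| p.buf.as_ptr());
    buffer_alive_at_call(raw, &dropped)
}

/// Sound pattern: borrow with `as_ref()`, so the owner stays in `props` and
/// outlives the call that uses the pointer.
pub fn borrowing(properties: Option<&str>) -> Option<bool> {
    let dropped = Cell::new(false);
    let props = properties.map(|s| Props { buf: CString::new(s).unwrap(), dropped: &dropped });
    let raw = props.as_ref().map_or(ptr::null(), |p| p.buf.as_ptr());
    buffer_alive_at_call(raw, &dropped)
}

fn main() {
    // "fips=yes" is a constructed sample property query.
    println!("consuming: {:?}", consuming(Some("fips=yes")));
    println!("borrowing: {:?}", borrowing(Some("fips=yes")));
}
```

The standard library's Drop for CString overwrites the first byte with NUL before the allocation is released, which is consistent with the empty-string behavior described above.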

The maintainers thank quitbug for reporting this vulnerability to us.

Advisory available under CC0-1.0 license.