Reported

May 6, 2025

Issued

November 3, 2025 (last modified: November 4, 2025)

Package

shaman (crates.io)

Type

INFO Unsound

Categories

• memory-corruption

Aliases

• GHSA-7vjm-6qgq-3mrq

References

• https://crates.io/crates/shaman

Patched

no patched versions

Affected Functions

Version

shaman::cryptoutil::read_u32v_be

• <=0.1.0

shaman::cryptoutil::read_u32v_le

• <=0.1.0

shaman::cryptoutil::read_u64v_be

• <=0.1.0

shaman::cryptoutil::read_u64v_le

• <=0.1.0

shaman::cryptoutil::write_u32v_le

• <=0.1.0

shaman::cryptoutil::write_u64v_le

• <=0.1.0

Description

shaman::cryptoutil::write_u64v_le and other functions mentioned above cannot garantee memory safety of get_unchecked later if both length are zero.

shaman is unmaintained.

Advisory available under CC0-1.0 license.