RUSTSEC-2025-0140

Non-utf8 String can be created with TimeBuf::as_str

Reported

December 29, 2025

Issued

January 4, 2026 (last modified: January 6, 2026)

Package

gix-date (crates.io)

Type

Vulnerability

Categories

memory-corruption

Keywords

#utf8 #undefined-behavior

Aliases

GHSA-6mw6-mj76-grwc

References

https://github.com/GitoxideLabs/gitoxide/issues/2305

Patched

>=0.12.0

Affected Functions

Version

gix_date::parse::TimeBuf::as_str

<=0.11.1

Description

The function gix_date::parse::TimeBuf::as_str can create an illegal string containing non-utf8 characters. This violates the safety invariant of TimeBuf and can lead to undefined behavior when consuming the string.

The bug can be prevented by adding str::from_utf8 to the function TimeBuf::write.

Advisory available under CC0-1.0 license.