
RUSTSEC-2025-0143

Unsound APIs of public constant::Reader and StructSchema

Reported
Issued
Package: capnp (crates.io)
Type: Vulnerability
Categories
Keywords: #unsoundness #undefined-behavior
References
Patched
  • >=0.24.0
Affected Functions (Version)
  • capnp::constant::Reader::get: <0.24.0
  • capnp::schema::StructSchema::new: <0.24.0

Description

The safe API functions constant::Reader::get and StructSchema::new rely on PointerReader::get_root_unchecked, which can cause undefined behavior (UB) when they are given arbitrarily constructed words or schemas.

Reader::get

pub fn get(&self) -> Result<<T as Owned>::Reader<'static>> {
    // ...
    // UNSAFE: access `words` without validation
}

StructSchema::new

pub fn new(builder: RawBrandedStructSchema) -> StructSchema {
    // ...
    // UNSAFE: access encoded nodes without validation
}

This vulnerability allows safe Rust code to trigger UB, which violates Rust's safety guarantees.

The issue is resolved in version 0.24.0 by making the constructor functions unsafe and marking the struct fields as visible only within the crate.
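The pattern behind the bug and the fix, as an added example that is not capnp's code: a simplified model in which a safe accessor performs an unchecked read over a field that callers could set freely, next to the post-fix shape with a private field and an unsafe constructor. The toy word encoding, the names Word, header_is_valid, unsound, sound and read_checked, and the validate-then-construct helper are all assumptions made for illustration.

```rust
// Simplified model of the advisory's pattern; NOT capnp's code. All names are hypothetical.
// Toy encoding (assumption): words[0] holds the number of payload words that follow it.
#[derive(Clone, Copy, Debug, PartialEq)]
pub struct Word(pub u64);
pub fn header_is_valid(words: &[Word]) -> bool {
    words.first().map_or(false, |h| h.0 <= (words.len() - 1) as u64)
}

pub mod unsound {
    use super::Word;
    // Pre-fix shape: public field, so safe code can write `Reader { words: &BAD }`.
    pub struct Reader { pub words: &'static [Word] }
    impl Reader {
        // Safe signature over an unchecked read: UB if the header overstates the length.
        pub fn get(&self) -> &'static [Word] {
            let n = self.words[0].0 as usize;
            unsafe { std::slice::from_raw_parts(self.words.as_ptr().add(1), n) }
        }
    }
}

pub mod sound {
    use super::Word;
    // Post-fix shape: private field, so construction must go through `new`.
    pub struct Reader { words: &'static [Word] }
    impl Reader {
        /// # Safety: `words` must satisfy `header_is_valid`.
        pub unsafe fn new(words: &'static [Word]) -> Self { Reader { words } }
        pub fn get(&self) -> &'static [Word] {
            let n = self.words[0].0 as usize;
            // SAFETY: the caller of `new` promised the header is valid.
            unsafe { std::slice::from_raw_parts(self.words.as_ptr().add(1), n) }
        }
    }
}

// Constructed sample data.
pub static GOOD: [Word; 3] = [Word(2), Word(0xAA), Word(0xBB)];
pub static BAD: [Word; 2] = [Word(1000), Word(0xAA)]; // header overstates the length

// One way for a caller to discharge the contract: validate, then construct.
pub fn read_checked(words: &'static [Word]) -> Option<&'static [Word]> {
    if !header_is_valid(words) { return None; }
    // SAFETY: header validated just above.
    Some(unsafe { sound::Reader::new(words) }.get())
}
fn main() {
    assert_eq!(unsound::Reader { words: &GOOD }.get(), &GOOD[1..]); // valid input only
    assert_eq!(read_checked(&GOOD), Some(&GOOD[1..]));
    assert_eq!(read_checked(&BAD), None);
}
```

Outside the sound module, the struct literal `sound::Reader { words: ... }` no longer compiles, so the unchecked read is reachable only through an `unsafe` block whose author has accepted the documented contract.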

Advisory available under CC0-1.0 license.