
RUSTSEC-2025-0163

Unsound issue in Trailer

Reported:
Issued:
Package: trailer (crates.io)
Type: Vulnerability
Aliases:
References:
CVSS Score: 2.9 LOW
CVSS Details:
    Attack Vector: Local
    Attack Complexity: High
    Privileges Required: None
    User Interaction: None
    Scope: Unchanged
    Confidentiality Impact: None
    Integrity Impact: None
    Availability Impact: Low
CVSS Vector: CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L
Patched: no patched versions

Description

Our static analyzer found a potential unsoundness issue in the construction of Trailer, where it doesn't provide enough checks to ensure soundness.

trailer/src/lib.rs, Lines 18 to 25 in d474984:

 pub fn new(capacity: usize) -> Trailer<T> { 
     unsafe { 
         let trailer = Trailer::allocate(capacity); 
         let ptr = trailer.ptr as *mut T; 
         ptr.write(T::default()); 
         trailer 
     } 
 } 

The constructor does not check that T is not a zero-sized type (ZST), and allocating with size 0 is undefined behavior in Rust. PoC code like the following works:

use trailer::Trailer;
#[derive(Default)]
struct Zst;

fn main() {
    let mut a = Trailer::<Zst>::new(0);
    drop(a);
}

The trailer crate is unmaintained and this security issue will not be fixed.
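
Since no patched version exists, here is one way to guard a header-plus-trailing-bytes constructor against the zero-size case. This is an added example, not code from the trailer crate or from this advisory. `CheckedTrailer` and its methods are hypothetical names, and the layout of `size_of::<T>() + capacity` bytes is an assumption, because the advisory does not show `Trailer::allocate`.

```rust
use std::alloc::{alloc_zeroed, dealloc, handle_alloc_error, Layout};
use std::marker::PhantomData;
use std::mem::{align_of, size_of};
use std::ptr::{drop_in_place, NonNull};

/// Hypothetical stand-in: a `T` header followed by `capacity` raw bytes.
pub struct CheckedTrailer<T> {
    ptr: NonNull<u8>,
    layout: Layout,
    _owns: PhantomData<T>,
}

impl<T: Default> CheckedTrailer<T> {
    /// Returns None if the total size overflows or is not a valid layout.
    pub fn new(capacity: usize) -> Option<Self> {
        let size = size_of::<T>().checked_add(capacity)?;
        let layout = Layout::from_size_align(size, align_of::<T>()).ok()?;
        let ptr = if layout.size() == 0 {
            // ZST header, no trailing bytes: never call the allocator.
            NonNull::<T>::dangling().cast::<u8>()
        } else {
            // SAFETY: layout.size() is non-zero, as the allocator requires.
            let raw = unsafe { alloc_zeroed(layout) };
            NonNull::new(raw).unwrap_or_else(|| handle_alloc_error(layout))
        };
        // SAFETY: aligned for T and valid for size_of::<T>() bytes.
        unsafe { ptr.cast::<T>().as_ptr().write(T::default()) };
        Some(Self { ptr, layout, _owns: PhantomData })
    }
}
impl<T> CheckedTrailer<T> {
    pub fn is_heap_backed(&self) -> bool { self.layout.size() != 0 }
    pub fn trailing_len(&self) -> usize { self.layout.size() - size_of::<T>() }
}

impl<T> Drop for CheckedTrailer<T> {
    fn drop(&mut self) {
        // SAFETY: header was initialised in new(); free only real allocations.
        unsafe {
            drop_in_place(self.ptr.cast::<T>().as_ptr());
            if self.layout.size() != 0 { dealloc(self.ptr.as_ptr(), self.layout); }
        }
    }
}

fn main() {
    let t = CheckedTrailer::<()>::new(0).expect("valid layout");
    println!("heap backed: {}", t.is_heap_backed());
}
```

Running the advisory's ZST-with-capacity-0 input through this constructor yields a value that never reaches the allocator, and `drop` skips `dealloc` for it.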

Advisory available under CC0-1.0 license.