RUSTSEC-2025-0165

i_tree allowed out-of-bounds access through safe public node accessors

Reported
Issued
Package: i_tree (crates.io)
Type: INFO Unsound
References
Patched:
  • >=0.10.0
Affected Functions (Version):
  • i_tree::tree::Tree::mut_node: <0.10.0
  • i_tree::tree::Tree::node: <0.10.0

Description

Affected versions of i_tree exposed safe public Tree::node and Tree::mut_node methods in the public tree module. These methods accepted an arbitrary u32 index and passed it directly to Vec::get_unchecked / get_unchecked_mut on the internal node buffer, without validating that the index was in bounds.

Because these methods were safe and public, a caller could pass an out-of-bounds index without writing any unsafe code, producing an out-of-bounds shared or mutable reference and triggering undefined behavior.

Starting with 0.10.0 the crate was restructured and these accessors are no longer reachable from outside the crate.
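
The pattern described above next to two sound alternatives, as an added example that is not i_tree's source code. The Node and Tree types here are hypothetical stand-ins, and the method names node_unsound, node_checked, mut_node_checked and node_unchecked are assumptions made for illustration.

```rust
// Added example: hypothetical stand-in types, not i_tree's code.
#[derive(Clone, Default)]
pub struct Node { pub value: i32 }

pub struct Tree { buffer: Vec<Node> }

impl Tree {
    pub fn with_len(n: usize) -> Self {
        Tree { buffer: vec![Node::default(); n] }
    }

    /// The unsound shape: a safe, public signature around an unchecked
    /// access. Any index >= buffer.len() is undefined behavior, yet the
    /// caller never writes `unsafe`. Shown for contrast only.
    #[allow(dead_code)]
    pub fn node_unsound(&self, index: u32) -> &Node {
        unsafe { self.buffer.get_unchecked(index as usize) }
    }

    /// Sound option 1: keep the safe signature and validate the index.
    pub fn node_checked(&self, index: u32) -> Option<&Node> {
        self.buffer.get(index as usize)
    }

    pub fn mut_node_checked(&mut self, index: u32) -> Option<&mut Node> {
        self.buffer.get_mut(index as usize)
    }

    /// Sound option 2: keep the unchecked fast path, but mark it `unsafe`
    /// and crate-private so the bounds obligation is explicit.
    ///
    /// # Safety
    /// `index` must be less than the number of nodes in the tree.
    pub(crate) unsafe fn node_unchecked(&self, index: u32) -> &Node {
        debug_assert!((index as usize) < self.buffer.len());
        unsafe { self.buffer.get_unchecked(index as usize) }
    }
}

fn main() {
    let mut tree = Tree::with_len(4);
    tree.mut_node_checked(3).unwrap().value = 7;
    assert_eq!(tree.node_checked(3).map(|n| n.value), Some(7));
    assert!(tree.node_checked(4).is_none()); // one past the end is rejected
    assert!(tree.node_checked(u32::MAX).is_none());
    assert_eq!(unsafe { tree.node_unchecked(3) }.value, 7);
}
```

When auditing a crate for this class of issue, look for safe `pub fn` bodies that contain `get_unchecked` or `get_unchecked_mut` with an index taken straight from a parameter.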

Advisory available under CC0-1.0 license.