
RUSTSEC-2026-0069

Incorrect Length Encoding on KDF Export

Reported
Issued
Package
hpke-rs (crates.io)
Type
Vulnerability
Aliases
References
Patched
  • >=0.6.0
Affected Functions
  • hpke_rs::Context::export (versions <=0.5.0)

Description

Passing an output length greater than 65535 to Context::export produces output that disagrees with the RFC 9180 label encoding. LabeledExpand prefixes labeled_info with the requested length L encoded as I2OSP(L, 2), a two-byte big-endian field, and hpke-rs built that field by casting the length to u16, which silently discards the high bits of any value exceeding 65535 (so a request for 65536 bytes was encoded as length 0).

Impact

Applications that use hpke-rs to export very large secrets (more than 65535 bytes) would derive exporter output that does not match what a correct RFC 9180 implementation derives for the same context and length, breaking interoperability with peers that export such secrets. Note that RFC 9180 also bounds Export() output at 255*Nh bytes (the HKDF-Expand limit), so a conforming implementation rejects lengths this large rather than producing a different value.

Mitigation

Starting with version 0.6.0, Context::export returns an error instead of truncating when called with an output length greater than 65535. Users of earlier versions should upgrade, or ensure that the requested length never exceeds 65535 (in practice, the RFC's 255*Nh limit) before calling Context::export.
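The following is an added example illustrating the encoding described above and the check the fix adds; it is not hpke-rs code and uses no hpke-rs API. It builds the labeled_info byte string that RFC 9180 LabeledExpand hands to HKDF-Expand (I2OSP(L, 2) || "HPKE-v1" || suite_id || label || info) two ways: with a truncating `as u16` cast, and with a checked conversion that errors on unencodable lengths and additionally enforces the RFC's 255*Nh ceiling. The names `labeled_info_truncating`, `labeled_info_checked`, `ExportError`, `SUITE_ID_X25519_SHA256_AES128GCM` and the sample exporter context are this example's own.

```rust
// Added example, not hpke-rs code. It shows how the RFC 9180 length field in
// labeled_info is built and why `len as u16` is wrong for len > 65535.
// All identifiers below are chosen for this example, not hpke-rs APIs.
use std::convert::TryFrom;

/// RFC 9180 suite_id = "HPKE" || I2OSP(kem_id, 2) || I2OSP(kdf_id, 2) || I2OSP(aead_id, 2).
/// Identifiers used here: DHKEM(X25519, HKDF-SHA256) = 0x0020, HKDF-SHA256 = 0x0001,
/// AES-128-GCM = 0x0001.
const SUITE_ID_X25519_SHA256_AES128GCM: [u8; 10] =
    [b'H', b'P', b'K', b'E', 0x00, 0x20, 0x00, 0x01, 0x00, 0x01];

/// Nh for HKDF-SHA256: the hash output length, which caps HKDF-Expand output at 255 * Nh.
const NH_SHA256: usize = 32;

#[derive(Debug, PartialEq, Eq)]
enum ExportError {
    /// Requested length does not fit the two-byte I2OSP(L, 2) field.
    LengthNotEncodable(usize),
    /// Requested length exceeds the HKDF-Expand limit of 255 * Nh bytes (RFC 9180 Section 5.3).
    LengthExceedsHkdfLimit { requested: usize, max: usize },
}

/// Shared tail of labeled_info: "HPKE-v1" || suite_id || label || info.
fn labeled_info_tail(suite_id: &[u8], label: &[u8], info: &[u8]) -> Vec<u8> {
    let mut out = Vec::with_capacity(7 + suite_id.len() + label.len() + info.len());
    out.extend_from_slice(b"HPKE-v1");
    out.extend_from_slice(suite_id);
    out.extend_from_slice(label);
    out.extend_from_slice(info);
    out
}

/// The flawed shape the advisory describes: `len as u16` keeps only the low 16 bits,
/// so L = 65536 is encoded as 0x0000 and L = 65537 as 0x0001.
fn labeled_info_truncating(len: usize, suite_id: &[u8], label: &[u8], info: &[u8]) -> Vec<u8> {
    let mut out = (len as u16).to_be_bytes().to_vec();
    out.extend(labeled_info_tail(suite_id, label, info));
    out
}

/// Checked shape: refuse any L that cannot be represented as I2OSP(L, 2) (the check the
/// fixed version adds), then apply the RFC's 255 * Nh ceiling so the KDF is never asked
/// for a length HKDF-Expand cannot produce.
fn labeled_info_checked(
    len: usize,
    nh: usize,
    suite_id: &[u8],
    label: &[u8],
    info: &[u8],
) -> Result<Vec<u8>, ExportError> {
    let l = u16::try_from(len).map_err(|_| ExportError::LengthNotEncodable(len))?;
    let max = 255 * nh;
    if len > max {
        return Err(ExportError::LengthExceedsHkdfLimit { requested: len, max });
    }
    let mut out = l.to_be_bytes().to_vec();
    out.extend(labeled_info_tail(suite_id, label, info));
    Ok(out)
}

fn main() {
    // Constructed sample exporter_context; the Export() label in RFC 9180 is "sec".
    let ctx: &[u8] = b"app exporter context";
    let sid: &[u8] = &SUITE_ID_X25519_SHA256_AES128GCM;

    let bad = labeled_info_truncating(65536, sid, b"sec", ctx);
    println!("truncating L=65536 -> length field {:02x?}", &bad[..2]);

    match labeled_info_checked(65536, NH_SHA256, sid, b"sec", ctx) {
        Ok(_) => println!("checked L=65536 -> unexpectedly accepted"),
        Err(e) => println!("checked L=65536 -> {:?}", e),
    }

    let ok = labeled_info_checked(32, NH_SHA256, sid, b"sec", ctx).unwrap();
    println!("checked L=32 -> length field {:02x?}", &ok[..2]);
}
```

The truncating variant makes a request for 65536 bytes indistinguishable from a request for 0 bytes in the KDF input, which is exactly why the output diverges from a conforming peer; the checked variant surfaces the problem as an error at the call site, before any key material is derived.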

Advisory available under CC0-1.0 license.