RustSec Advisories

RUSTSEC-2026-0040: Vulnerability in tracing-ethers

2026-03-14T12:00:00+00:00

RUSTSEC-2026-0040

tracing-ethers was removed from crates.io due to malicious code

Reported: March 14, 2026
Issued: March 14, 2026
Package: tracing-ethers (crates.io)
Type: Vulnerability
Patched: no patched versions

Description

The tracing-ethers crate attempted to exfiltrate ssh keys to an app hosted on vercel.app

The malicious crate had 9 version published on 2026-03-09 approximately 5 days before removal and had no evidence of actual downloads. There were no crates depending on this crate on crates.io.

Thanks to the user killa for reporting this malicious crate.

Advisory available under CC0-1.0 license.

RUSTSEC-2026-0038: Vulnerability in rssn

2026-03-11T12:00:00+00:00

RUSTSEC-2026-0038

RustSec Advisory

Reported

March 8, 2026

Issued

March 10, 2026 (last modified: March 11, 2026)

Package

rssn (crates.io)

Type

Vulnerability

Categories

Keywords

#jit #ace

Aliases

References

https://github.com/Apich-Organization/rssn/security/advisories/GHSA-9c4h-pwmf-m6fj

CVSS Score

9.4 CRITICAL

CVSS Details

Attack Complexity: Low
Attack Requirements: None
Attack Vector: Local
Privileges Required: None
Availability Impact to the Subsequent System: High
Confidentiality Impact to the Subsequent System: High
Integrity Impact to the Subsequent System: High
User Interaction: None
Availability Impact to the Vulnerable System: High
Confidentiality Impact to the Vulnerable System: High
Integrity Impact to the Vulnerable System: High

CVSS Vector

CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

Patched

>=0.2.9

Unaffected

<0.1.20

Description

Impact

Vulnerability Type: Improper Control of Generation of Code ('Code Injection') (CWE-94) / Improper Check for Unusual or Exceptional Conditions (CWE-754) / Improper Input Validation (CWE-20) / Use of Low-Level Functionality (CWE-695) / Improper Privilege Management (CWE-269) / External Control of System or Configuration Setting (CWE-15).

Technical Details: The vulnerability exists in the JIT (Just-In-Time) compilation engine, which is fully exposed via the CFFI (Foreign Function Interface). Due to Improper Input Validation and External Control of Code Generation, an attacker can supply malicious parameters or instruction sequences through the CFFI layer. Since the library often operates with elevated privileges or within high-performance computing contexts, this allows for Arbitrary Code Execution (ACE) at the privilege level of the host process.

Who is Impacted?

Developers using the library as a dynamic linked library (.so, .dll, .dylib) in multi-language environments (e.g., Python, Node.js, C++).
Cloud Service Providers running the library in multi-tenant environments or automated model-training pipelines.
Users processing untrusted or third-party datasets/models that may trigger malicious JIT instruction generation. Patches
Affected versions: < 0.2.8
Patched version: 0.2.9

Workarounds

If you cannot upgrade immediately, please consider the following mitigations:

Strict Sandboxing: Run the library within a restricted sandbox (e.g., WebAssembly, Docker with non-root user, or seccomp profiles) to limit system call access.
Principle of Least Privilege: Ensure the process calling the library does not have administrative or root privileges.
Input Filtering: If possible, implement an application-level validation layer to sanitize any data passed to the CFFI interfaces.
Disable JIT (if applicable): If your workload allows, use the interpreter-only mode (if provided by the library) to bypass the JIT engine entirely.

References

Apich Organization Security Team Homepage

Advisory available under CC-BY-4.0 license. Source: https://github.com/Apich-Organization/rssn/security/advisories/GHSA-9c4h-pwmf-m6fj

RUSTSEC-2026-0039: Vulnerability in chrono_anchor

2026-03-10T12:00:00+00:00

RUSTSEC-2026-0039

chrono_anchor was removed from crates.io due to malicious code

Reported: March 10, 2026
Issued: March 10, 2026
Package: chrono_anchor (crates.io)
Type: Vulnerability
Patched: no patched versions

Description

The chrono_anchor crate attempted to exfiltrate .env files to a server that was in turn impersonating the legitimate timeapi.io service.

The malicious crate had 1 version published on 2026-03-04 approximately 6 days before removal and had no evidence of actual downloads. There were no crates depending on this crate on crates.io.

Thanks to Socket for reporting this crate. They have published a blog post about this recent campaign, and we advise users of timeapi.io to exercise caution when using crates to interact with that service.

Advisory available under CC0-1.0 license.

RUSTSEC-2026-0037: Vulnerability in quinn-proto

2026-03-14T12:00:00+00:00

RUSTSEC-2026-0037

Denial of service in Quinn endpoints

Reported

March 9, 2026

Issued

March 9, 2026 (last modified: March 14, 2026)

Package

quinn-proto (crates.io)

Type

Vulnerability

Categories

denial-of-service

Keywords

#panic

Aliases

References

https://github.com/quinn-rs/quinn/pull/2559

CVSS Score

8.7 HIGH

CVSS Details

Attack Complexity: Low
Attack Requirements: None
Attack Vector: Network
Privileges Required: None
Availability Impact to the Subsequent System: None
Confidentiality Impact to the Subsequent System: None
Integrity Impact to the Subsequent System: None
User Interaction: None
Availability Impact to the Vulnerable System: High
Confidentiality Impact to the Vulnerable System: None
Integrity Impact to the Vulnerable System: None

CVSS Vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Patched

>=0.11.14

Unaffected

<0.5.0

Description

Receiving QUIC transport parameters containing invalid values could lead to a panic.

Unfortunately the maintainers did not properly assess usage of unwrap() calls in the transport parameters parsing code, and we did not have sufficient fuzzing coverage to find this issue. We have since added a fuzzing target to cover this code path.

Advisory available under CC0-1.0 license.

RUSTSEC-2026-0036: Vulnerability in time-sync

2026-03-06T12:00:00+00:00

RUSTSEC-2026-0036

time-sync was removed from crates.io due to malicious code

Reported

March 4, 2026

Issued

March 5, 2026 (last modified: March 6, 2026)

Package

time-sync (crates.io)

Type

Vulnerability

Aliases

GHSA-mh23-rw7f-v5pq

Patched

no patched versions

Description

The time-sync crate attempted to exfiltrate .env files to a server that was in turn impersonating the legitimate timeapi.io service. This the same attack that we've seen three times in the last few days.

The malicious crate had 1 version published on 2026-03-04 approximately 50 minutes before removal and had no evidence of actual downloads. There were no crates depending on this crate on crates.io.

Advisory available under CC0-1.0 license.

RUSTSEC-2026-0033: Vulnerability in pingora-core

2026-03-09T12:00:00+00:00

RUSTSEC-2026-0033

HTTP Request Smuggling via Premature Upgrade

Reported

March 4, 2026

Issued

March 5, 2026 (last modified: March 9, 2026)

Package

pingora-core (crates.io)

Type

Vulnerability

Keywords

#http #request-smuggling

Aliases

References

CVSS Score

9.3 CRITICAL

CVSS Details

Attack Complexity: Low
Attack Requirements: None
Attack Vector: Network
Privileges Required: None
Availability Impact to the Subsequent System: None
Confidentiality Impact to the Subsequent System: High
Integrity Impact to the Subsequent System: High
User Interaction: None
Availability Impact to the Vulnerable System: None
Confidentiality Impact to the Vulnerable System: None
Integrity Impact to the Vulnerable System: High

CVSS Vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:H/SI:H/SA:N

Patched

>=0.8.0

Description

Pingora versions prior to 0.8.0 would immediately forward bytes following a request with an Upgrade header to the backend, without waiting for a 101 Switching Protocols response. This allows an attacker to smuggle requests to the backend and bypass proxy-level security controls.

This vulnerability primarily affects standalone Pingora deployments where a Pingora proxy is exposed to external traffic. An attacker could exploit this to bypass proxy-level ACL controls and WAF logic, poison caches and upstream connections, or perform cross-user attacks by hijacking sessions.

This flaw was corrected in commit 824bdeefc61e121cc8861de1b35e8e8f39026ecd by only switching connection modes after receiving a 101 response from the backend. Users should upgrade to Pingora >= 0.8.0.

Note: Cloudflare customers and Cloudflare's CDN infrastructure were not affected by this vulnerability, as ingress proxies in the CDN stack maintain proper HTTP parsing boundaries and do not prematurely switch to upgraded connection forwarding mode.

Advisory available under CC0-1.0 license.

RUSTSEC-2026-0034: Vulnerability in pingora-core

2026-03-09T12:00:00+00:00

RUSTSEC-2026-0034

HTTP Request Smuggling via HTTP/1.0 and Transfer-Encoding Misparsing

Reported

March 4, 2026

Issued

March 5, 2026 (last modified: March 9, 2026)

Package

pingora-core (crates.io)

Type

Vulnerability

Keywords

#http #request-smuggling

Aliases

References

CVSS Score

9.3 CRITICAL

CVSS Details

Attack Complexity: Low
Attack Requirements: None
Attack Vector: Network
Privileges Required: None
Availability Impact to the Subsequent System: None
Confidentiality Impact to the Subsequent System: High
Integrity Impact to the Subsequent System: High
User Interaction: None
Availability Impact to the Vulnerable System: None
Confidentiality Impact to the Vulnerable System: None
Integrity Impact to the Vulnerable System: High

CVSS Vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:H/SI:H/SA:N

Patched

>=0.8.0

Description

Pingora versions prior to 0.8.0 improperly allowed HTTP/1.0 request bodies to be close-delimited and incorrectly handled multiple Transfer-Encoding values. This allows an attacker to desync Pingora's request framing from backend servers and smuggle requests to the backend.

This vulnerability primarily affects standalone Pingora deployments in front of certain backends that accept HTTP/1.0 requests. An attacker could exploit this to bypass proxy-level ACL controls and WAF logic, poison caches and upstream connections, or perform cross-user attacks by hijacking sessions.

This flaw was corrected in commits 7f7166d62fa916b9f11b2eb8f9e3c4999e8b9023, 40c3c1e9a43a86b38adeab8da7a2f6eba68b83ad, and 87e2e2fb37edf9be33e3b1d04726293ae6bf2052 by correctly parsing message length headers per RFC 9112. Users should upgrade to Pingora >= 0.8.0.

Note: Cloudflare customers and Cloudflare's CDN infrastructure were not affected by this vulnerability, as its ingress proxy layers rejected ambiguous framing such as invalid Content-Length values and internally forwarded non-ambiguous message length framing headers.

Advisory available under CC0-1.0 license.

RUSTSEC-2026-0035: Vulnerability in pingora-cache

2026-03-09T12:00:00+00:00

RUSTSEC-2026-0035

Cache poisoning via insecure-by-default cache key

Reported

March 4, 2026

Issued

March 5, 2026 (last modified: March 9, 2026)

Package

pingora-cache (crates.io)

Type

Vulnerability

Keywords

#http #cache-poisoning

Aliases

References

CVSS Score

8.4 HIGH

CVSS Details

Attack Complexity: Low
Attack Requirements: None
Attack Vector: Network
Privileges Required: None
Availability Impact to the Subsequent System: None
Confidentiality Impact to the Subsequent System: High
Integrity Impact to the Subsequent System: High
User Interaction: Passive
Availability Impact to the Vulnerable System: None
Confidentiality Impact to the Vulnerable System: None
Integrity Impact to the Vulnerable System: High

CVSS Vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:H/VA:N/SC:H/SI:H/SA:N

Patched

>=0.8.0

Description

Pingora versions prior to 0.8.0 generated cache keys using only the URI path, excluding critical factors such as the host header. This allows an attacker to poison the cache and serve cross-origin responses to users.

This vulnerability affects users of Pingora's alpha proxy caching feature who relied on the default CacheKey implementation. An attacker could exploit this for cross-tenant data leakage in multi-tenant deployments, or serve malicious content to legitimate users by poisoning shared cache entries.

This flaw was corrected in commit 257b59ada28ed6cac039f67d0b71f414efa0ab6e by removing the insecure default cache key implementation. Users must now explicitly implement their own callback that includes appropriate factors such as Host header and origin server HTTP scheme. We strongly recommend that users upgrade to Pingora >= 0.8.0.

Note: Cloudflare customers and Cloudflare's CDN infrastructure were not affected by this vulnerability, as Cloudflare's default cache key implementation uses multiple factors to prevent cache key poisoning and never made use of the previously provided default.

Advisory available under CC0-1.0 license.

RUSTSEC-2026-0032: Vulnerability in dnp3times

2026-03-05T12:00:00+00:00

RUSTSEC-2026-0032

dnp3times was removed from crates.io due to malicious code

Reported

March 4, 2026

Issued

March 4, 2026 (last modified: March 5, 2026)

Package

dnp3times (crates.io)

Type

Vulnerability

Aliases

GHSA-xhw7-jhmp-j62j

Patched

no patched versions

Description

The dnp3times crate attempted to exfiltrate .env files to a server that was in turn impersonating the legitimate timeapi.io service. It was loosely trying to typosquat the dnp3time crate, but otherwise was the same attack as the time_calibrator and time_calibrators malware yesterday.

The malicious crate had 1 version published on 2026-03-04 approximately 6 hours before removal and had no evidence of actual downloads. There were no crates depending on this crate on crates.io.

Advisory available under CC0-1.0 license.

RUSTSEC-2026-0031: Vulnerability in time_calibrators

2026-03-05T12:00:00+00:00

RUSTSEC-2026-0031

time_calibrators was removed from crates.io due to malicious code

Reported

March 3, 2026

Issued

March 3, 2026 (last modified: March 5, 2026)

Package

time_calibrators (crates.io)

Type

Vulnerability

Aliases

GHSA-wf45-3gpw-vrqv

Patched

no patched versions

Description

The time_calibrators crate attempted to exfiltrate .env files to a server that was in turn impersonating the legitimate timeapi.io service.

The malicious crate had 1 version published on 2026-03-03 approximately 3 hours before removal and had no evidence of actual downloads. There were no crates depending on this crate on crates.io.

Thanks to cybergeek for finding and reporting this to the Rust security response working group, and thanks to Emily Albini for co-ordinating with the crates.io team.

Advisory available under CC0-1.0 license.