GHSA-vgmh-mqm4-8j88 – pared

Package

Manager: cargo
Name: pared
Vulnerable Version: >=0 <0.4.0

Severity

Level: Medium

CVSS v3.1: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N/E:P/RL:O/RC:R

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:U

EPSS: N/A pctlN/A

Details

pared Vulnerable to Use After Free in `Parc` and `Prc` Due to Missing Lifetime Constraints Affected versions of this crate didn't provide sufficient lifetime constraints to conversion functions from `alloc::sync::Arc` and `alloc::rc::Rc`, which made it possible to create projections of these reference counted pointers. Unlike the original reference counted pointers, these projections could outlive original data's lifetimes. This projected pointer could cause the original `Arc`'s or `Rc`'s `Drop::drop` to get called at a point where the original data was no longer valid, leading to a potential use after free. The affected functions were - `pared::prc::Prc::from_rc` - `pared::prc::Prc::project` - `pared::prc::Prc::try_from_rc` - `pared::sync::Parc::from_arc` - `pared::sync::Parc::project` - `pared::sync::Parc::try_from_arc` This flaw was fixed in [108f540ea8acb6073751a1aa386085c1cdc4fd1e](https://github.com/radekvit/pared/commit/108f540ea8acb6073751a1aa386085c1cdc4fd1e) by requiring that the type stored in the `Arc`s and `Rc`s passed to these functions contain `T: 'static`.

Metadata

Created: 2025-03-24T16:06:28Z
Modified: 2025-03-24T16:06:28Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/03/GHSA-vgmh-mqm4-8j88/GHSA-vgmh-mqm4-8j88.json
CWE IDs: ["CWE-416"]
Alternative ID: N/A
Finding: F138
Auto approve: 1